Flaw found in securing online transactions

Feb 16, 2012
Researchers on Wednesday revealed a flaw in the way data is scrambled to protect the privacy of online banking, shopping and other kinds of sensitive exchanges.

Researchers on Wednesday revealed a flaw in the way data is scrambled to protect the privacy of online banking, shopping and other kinds of sensitive exchanges.

A program used to generate random number sequences for encrypting worked properly 99.8 percent of the time, meaning that two out of every thousand "keys" wouldn't thwart crooks or spies, the report warned.

"We found that the vast majority of public keys work as intended," said a report based on work by a team of US and led by Arjen Lenstra of Ecole Polytechnique Federale de Lausanne (EPFL).

"A more disconcerting finding is that two out of every one thousand RSA moduli that we collected offer no security."

Online rights champion (EFF) supplied key data for the research, and said that Lenstra's team found tens of thousands of keys that essentially failed to guard data in supposedly encrypted online sessions.

"The consequences of these vulnerabilities are extremely serious," the EFF's Dan Auerbach and Peter Eckersley said in a blog post.

"In all cases, a weak key would allow an eavesdropper on the network to learn , such as passwords or the content of messages, exchanged with a vulnerable server."

Hackers could also pose as trusted websites, such as an online bank, in what are referred to as man-in-the-middle attacks, according to the EFF.

The non-profit EFF said it is working "around the clock" with EPFL to warn operators of using encryption keys offering no protection.

Explore further: New algorithm identifies data subsets that will yield the most reliable predictions

add to favorites email to friend print save as pdf

Related Stories

Experts uncover weakness in Internet security

Dec 30, 2008

Independent security researchers in California and researchers at the Centrum Wiskunde & Informatica (CWI) in the Netherlands, EPFL in Switzerland, and Eindhoven University of Technology (TU/e) in the Netherlands have found ...

Ore. senator, others cited by digital-rights group

Nov 01, 2011

(AP) -- An Oregon senator who was behind a 1996 federal law that has made content-sharing services such as YouTube and Facebook possible is among three recipients of Pioneer Awards from a leading digital-rights group.

They're watching you: Methods to block nosy Web advertisers

Oct 29, 2010

Virtually everything you do online is scrutinized by search engines and advertising networks that evaluate you as a potential customer based on what you search for, the sites you visit and the ads you see -- whether you click ...

Recommended for you

Designing exascale computers

Jul 23, 2014

"Imagine a heart surgeon operating to repair a blocked coronary artery. Someday soon, the surgeon might run a detailed computer simulation of blood flowing through the patient's arteries, showing how millions ...

User comments : 4

Adjust slider to filter visible comments by rank

Display comments: newest first

Royale
not rated yet Feb 16, 2012
Any next step? As a network admin it would be great to see some kind of action I can take here...
tadchem
not rated yet Feb 16, 2012
Finding the flaws in a defense is tactically an "offensive" gambit; patching those flaws is "defensive". Logically the initiative always belongs to the offense.
@royale: As a network admin your obvious course of action is to test all keys used in your network and replace all those found to be flawed. The hard part will be to get the test protocols used in this study.
Paul_Harrington
not rated yet Feb 16, 2012
Beta-decay chip level random number generators and/or 'sound' cryptographically algorithms are needed. As known, via experience, flaws are often traced to algorithms that are underdetermined sufficiency proofs. Many others have flawed implementations.
Royale
not rated yet Feb 16, 2012
If only it were that easy tadchem... This would be something where a patch is necessary. You don't just look through 'keys' to pick out bad ones. A random number generation program with flaws doesn't have 'keys' that you can look at and change.. I suppose I just have to keep a note of this and hope something further comes out.