Flaw found in securing online transactions

February 16, 2012
Researchers on Wednesday revealed a flaw in the way data is scrambled to protect the privacy of online banking, shopping and other kinds of sensitive exchanges.

Researchers on Wednesday revealed a flaw in the way data is scrambled to protect the privacy of online banking, shopping and other kinds of sensitive exchanges.

A program used to generate random number sequences for encrypting worked properly 99.8 percent of the time, meaning that two out of every thousand "keys" wouldn't thwart crooks or spies, the report warned.

"We found that the vast majority of public keys work as intended," said a report based on work by a team of US and led by Arjen Lenstra of Ecole Polytechnique Federale de Lausanne (EPFL).

"A more disconcerting finding is that two out of every one thousand RSA moduli that we collected offer no security."

Online rights champion (EFF) supplied key data for the research, and said that Lenstra's team found tens of thousands of keys that essentially failed to guard data in supposedly encrypted online sessions.

"The consequences of these vulnerabilities are extremely serious," the EFF's Dan Auerbach and Peter Eckersley said in a blog post.

"In all cases, a weak key would allow an eavesdropper on the network to learn , such as passwords or the content of messages, exchanged with a vulnerable server."

Hackers could also pose as trusted websites, such as an online bank, in what are referred to as man-in-the-middle attacks, according to the EFF.

The non-profit EFF said it is working "around the clock" with EPFL to warn operators of using encryption keys offering no protection.

Explore further: Experts uncover weakness in Internet security

Related Stories

Experts uncover weakness in Internet security

December 30, 2008

Independent security researchers in California and researchers at the Centrum Wiskunde & Informatica (CWI) in the Netherlands, EPFL in Switzerland, and Eindhoven University of Technology (TU/e) in the Netherlands have found ...

They're watching you: Methods to block nosy Web advertisers

October 29, 2010

Virtually everything you do online is scrutinized by search engines and advertising networks that evaluate you as a potential customer based on what you search for, the sites you visit and the ads you see -- whether you click ...

Ore. senator, others cited by digital-rights group

November 1, 2011

(AP) -- An Oregon senator who was behind a 1996 federal law that has made content-sharing services such as YouTube and Facebook possible is among three recipients of Pioneer Awards from a leading digital-rights group.

Recommended for you

Fighting climate change with 'poop power'

December 2, 2015

The stench of clogged toilets fills the air at the US capital's wastewater treatment facility. And for good reason—it's one of the world's largest projects to transform human waste into electricity.

Roboticists learn to teach robots from babies

December 1, 2015

Babies learn about the world by exploring how their bodies move in space, grabbing toys, pushing things off tables and by watching and imitating what adults are doing.


Adjust slider to filter visible comments by rank

Display comments: newest first

not rated yet Feb 16, 2012
Any next step? As a network admin it would be great to see some kind of action I can take here...
not rated yet Feb 16, 2012
Finding the flaws in a defense is tactically an "offensive" gambit; patching those flaws is "defensive". Logically the initiative always belongs to the offense.
@royale: As a network admin your obvious course of action is to test all keys used in your network and replace all those found to be flawed. The hard part will be to get the test protocols used in this study.
not rated yet Feb 16, 2012
Beta-decay chip level random number generators and/or 'sound' cryptographically algorithms are needed. As known, via experience, flaws are often traced to algorithms that are underdetermined sufficiency proofs. Many others have flawed implementations.
not rated yet Feb 16, 2012
If only it were that easy tadchem... This would be something where a patch is necessary. You don't just look through 'keys' to pick out bad ones. A random number generation program with flaws doesn't have 'keys' that you can look at and change.. I suppose I just have to keep a note of this and hope something further comes out.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.