Flaw found in securing online transactions

Feb 16, 2012
Researchers on Wednesday revealed a flaw in the way data is scrambled to protect the privacy of online banking, shopping and other kinds of sensitive exchanges.

Researchers on Wednesday revealed a flaw in the way data is scrambled to protect the privacy of online banking, shopping and other kinds of sensitive exchanges.

A program used to generate random number sequences for encrypting worked properly 99.8 percent of the time, meaning that two out of every thousand "keys" wouldn't thwart crooks or spies, the report warned.

"We found that the vast majority of public keys work as intended," said a report based on work by a team of US and led by Arjen Lenstra of Ecole Polytechnique Federale de Lausanne (EPFL).

"A more disconcerting finding is that two out of every one thousand RSA moduli that we collected offer no security."

Online rights champion (EFF) supplied key data for the research, and said that Lenstra's team found tens of thousands of keys that essentially failed to guard data in supposedly encrypted online sessions.

"The consequences of these vulnerabilities are extremely serious," the EFF's Dan Auerbach and Peter Eckersley said in a blog post.

"In all cases, a weak key would allow an eavesdropper on the network to learn , such as passwords or the content of messages, exchanged with a vulnerable server."

Hackers could also pose as trusted websites, such as an online bank, in what are referred to as man-in-the-middle attacks, according to the EFF.

The non-profit EFF said it is working "around the clock" with EPFL to warn operators of using encryption keys offering no protection.

Explore further: UT Dallas professor to develop framework to protect computers' cores

add to favorites email to friend print save as pdf

Related Stories

Experts uncover weakness in Internet security

Dec 30, 2008

Independent security researchers in California and researchers at the Centrum Wiskunde & Informatica (CWI) in the Netherlands, EPFL in Switzerland, and Eindhoven University of Technology (TU/e) in the Netherlands have found ...

Ore. senator, others cited by digital-rights group

Nov 01, 2011

(AP) -- An Oregon senator who was behind a 1996 federal law that has made content-sharing services such as YouTube and Facebook possible is among three recipients of Pioneer Awards from a leading digital-rights group.

They're watching you: Methods to block nosy Web advertisers

Oct 29, 2010

Virtually everything you do online is scrutinized by search engines and advertising networks that evaluate you as a potential customer based on what you search for, the sites you visit and the ads you see -- whether you click ...

Recommended for you

User comments : 4

Adjust slider to filter visible comments by rank

Display comments: newest first

Royale
not rated yet Feb 16, 2012
Any next step? As a network admin it would be great to see some kind of action I can take here...
tadchem
not rated yet Feb 16, 2012
Finding the flaws in a defense is tactically an "offensive" gambit; patching those flaws is "defensive". Logically the initiative always belongs to the offense.
@royale: As a network admin your obvious course of action is to test all keys used in your network and replace all those found to be flawed. The hard part will be to get the test protocols used in this study.
Paul_Harrington
not rated yet Feb 16, 2012
Beta-decay chip level random number generators and/or 'sound' cryptographically algorithms are needed. As known, via experience, flaws are often traced to algorithms that are underdetermined sufficiency proofs. Many others have flawed implementations.
Royale
not rated yet Feb 16, 2012
If only it were that easy tadchem... This would be something where a patch is necessary. You don't just look through 'keys' to pick out bad ones. A random number generation program with flaws doesn't have 'keys' that you can look at and change.. I suppose I just have to keep a note of this and hope something further comes out.

More news stories

Ex-Apple chief plans mobile phone for India

Former Apple chief executive John Sculley, whose marketing skills helped bring the personal computer to desktops worldwide, says he plans to launch a mobile phone in India to exploit its still largely untapped ...

A homemade solar lamp for developing countries

(Phys.org) —The solar lamp developed by the start-up LEDsafari is a more effective, safer, and less expensive form of illumination than the traditional oil lamp currently used by more than one billion people ...

NASA's space station Robonaut finally getting legs

Robonaut, the first out-of-this-world humanoid, is finally getting its space legs. For three years, Robonaut has had to manage from the waist up. This new pair of legs means the experimental robot—now stuck ...