Flaw found in securing online transactions

February 16, 2012
Researchers on Wednesday revealed a flaw in the way data is scrambled to protect the privacy of online banking, shopping and other kinds of sensitive exchanges.

Researchers on Wednesday revealed a flaw in the way data is scrambled to protect the privacy of online banking, shopping and other kinds of sensitive exchanges.

A program used to generate random number sequences for encrypting worked properly 99.8 percent of the time, meaning that two out of every thousand "keys" wouldn't thwart crooks or spies, the report warned.

"We found that the vast majority of public keys work as intended," said a report based on work by a team of US and led by Arjen Lenstra of Ecole Polytechnique Federale de Lausanne (EPFL).

"A more disconcerting finding is that two out of every one thousand RSA moduli that we collected offer no security."

Online rights champion (EFF) supplied key data for the research, and said that Lenstra's team found tens of thousands of keys that essentially failed to guard data in supposedly encrypted online sessions.

"The consequences of these vulnerabilities are extremely serious," the EFF's Dan Auerbach and Peter Eckersley said in a blog post.

"In all cases, a weak key would allow an eavesdropper on the network to learn , such as passwords or the content of messages, exchanged with a vulnerable server."

Hackers could also pose as trusted websites, such as an online bank, in what are referred to as man-in-the-middle attacks, according to the EFF.

The non-profit EFF said it is working "around the clock" with EPFL to warn operators of using encryption keys offering no protection.

Explore further: BioVault locks up biometrics: Using biometrics for encryption, digital signatures

Related Stories

Experts uncover weakness in Internet security

December 30, 2008

Independent security researchers in California and researchers at the Centrum Wiskunde & Informatica (CWI) in the Netherlands, EPFL in Switzerland, and Eindhoven University of Technology (TU/e) in the Netherlands have found ...

Ore. senator, others cited by digital-rights group

November 1, 2011

(AP) -- An Oregon senator who was behind a 1996 federal law that has made content-sharing services such as YouTube and Facebook possible is among three recipients of Pioneer Awards from a leading digital-rights group.

They're watching you: Methods to block nosy Web advertisers

October 29, 2010

Virtually everything you do online is scrutinized by search engines and advertising networks that evaluate you as a potential customer based on what you search for, the sites you visit and the ads you see -- whether you click ...

Recommended for you

Volvo to supply Uber with self-driving cars (Update)

November 20, 2017

Swedish carmaker Volvo Cars said Monday it has signed an agreement to supply "tens of thousands" of self-driving cars to Uber, as the ride-sharing company battles a number of different controversies.


Adjust slider to filter visible comments by rank

Display comments: newest first

not rated yet Feb 16, 2012
Any next step? As a network admin it would be great to see some kind of action I can take here...
not rated yet Feb 16, 2012
Finding the flaws in a defense is tactically an "offensive" gambit; patching those flaws is "defensive". Logically the initiative always belongs to the offense.
@royale: As a network admin your obvious course of action is to test all keys used in your network and replace all those found to be flawed. The hard part will be to get the test protocols used in this study.
not rated yet Feb 16, 2012
Beta-decay chip level random number generators and/or 'sound' cryptographically algorithms are needed. As known, via experience, flaws are often traced to algorithms that are underdetermined sufficiency proofs. Many others have flawed implementations.
not rated yet Feb 16, 2012
If only it were that easy tadchem... This would be something where a patch is necessary. You don't just look through 'keys' to pick out bad ones. A random number generation program with flaws doesn't have 'keys' that you can look at and change.. I suppose I just have to keep a note of this and hope something further comes out.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.