Cecilia Liao

How safe are your secured e-mails?

A team of researchers has uncovered an unexpected weakness in the random number generator behind the encryption system commonly used for e-mail, online banking, e-commerce, and a host of Internet services intended to remain private and secure.

The New York Times explains the inner workings:

The system requires that a user first create and publish the product of two large prime numbers, in addition to another number, to generate a public “key.” The original numbers are kept secret. To encrypt a message, a second person employs a formula that contains the public number. In practice, only someone with knowledge of the original prime numbers can decode that message.

For the system to provide security, however, it is essential that the secret prime numbers be generated randomly. The researchers discovered that in a small but significant number of cases, the random number generation system failed to work correctly.

NYT continues:

The researchers examined public databases of 7.1 million public keys used to secure e-mail messages, online banking transactions and other secure data exchanges. The researchers employed the Euclidean algorithm, an efficient way to find the greatest common divisor of two integers, to examine those public key numbers. They were able to produce evidence that a small percentage of those numbers were not truly random, making it possible to determine the underlying numbers, or secret keys, used to generate the public key.

They said they “stumbled upon” almost 27,000 different keys that offer no security. “Their secret keys are accessible to anyone who takes the trouble to redo our work,” they wrote.
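The check described above, as an added example (not code from the researchers or The New York Times): a defender can audit an inventory of RSA public moduli by taking the greatest common divisor of each pair, and any result above 1 means the two keys share a factor and must be regenerated. The key names and the small numbers are constructed for illustration; real moduli are thousands of bits long, and the pairwise loop is quadratic, so it suits a small inventory.

```python
from itertools import combinations
from math import gcd  # Euclidean algorithm

# Constructed sample inventory. Small primes stand in for the large primes
# of real keys. "mail" and "vpn" were deliberately built to share the prime
# 101, and "backup" reuses the same modulus as "web".
SAMPLE_MODULI = {
    "mail": 101 * 103,
    "vpn": 101 * 107,
    "web": 109 * 113,
    "backup": 109 * 113,
    "bank": 127 * 131,
}


def audit_moduli(moduli):
    """Return (name_a, name_b, kind, common_divisor) for every risky pair.

    kind is "shared-prime" when two different moduli have a common factor,
    and "duplicate-modulus" when two entries carry the identical modulus
    (the same key pair is in use in two places).
    """
    findings = []
    for (name_a, n_a), (name_b, n_b) in combinations(sorted(moduli.items()), 2):
        common = gcd(n_a, n_b)
        if common == 1:
            continue  # no common factor: this pair gives no sign of bad randomness
        kind = "duplicate-modulus" if n_a == n_b else "shared-prime"
        findings.append((name_a, name_b, kind, common))
    return findings


def keys_to_replace(moduli):
    """Names of all keys that appear in at least one finding, sorted."""
    names = set()
    for name_a, name_b, _kind, _common in audit_moduli(moduli):
        names.update((name_a, name_b))
    return sorted(names)


if __name__ == "__main__":
    for name_a, name_b, kind, common in audit_moduli(SAMPLE_MODULI):
        print(f"{name_a} / {name_b}: {kind} (gcd = {common})")
    print("regenerate:", ", ".join(keys_to_replace(SAMPLE_MODULI)))
```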

Unfortunately, Internet users who encounter websites using the flawed system could see their data exposed, but there’s nothing they can do except stop using the supposedly secured service until the service provider makes changes to its security system. It doesn’t help that the general public may not be aware of this issue at all, let alone which Internet services are and aren’t affected.

(Source: The New York Times)