A flaw is found in online encryption

  • Article by: JOHN MARKOFF, New York Times
  • Updated: February 14, 2012 - 9:10 PM

Though researchers say the number of affected users is tiny, confidence is affected.


SAN FRANCISCO - A team of European and American mathematicians and cryptographers has discovered an unexpected weakness in the encryption system widely used worldwide for online shopping, banking, e-mail and other Internet services intended to remain private and secure.

The flaw -- which involves a small but measurable number of cases -- has to do with the way the system generates random numbers, which are used to make it practically impossible for an attacker to unscramble digital messages. While it can affect the transactions of individual Internet users, there is nothing an individual can do about it. The operators of large websites will need to make changes to ensure the security of their systems, the researchers said.

The danger, the authors said, is that even though the number of users affected may be small, the flaw reduces confidence in the security algorithm.

The system requires that a user first create and publish the product of two large prime numbers in addition to another number to generate a public "key." The original numbers are kept secret. To encrypt a message, a second person employs a formula that contains the public number. In practice, only someone with the knowledge of the original prime numbers can decode that message.

For the system to provide security, however, it is essential that the secret prime numbers be generated randomly. The researchers discovered that in a small but significant number of cases, the random number generation system failed to work correctly.
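As an added illustration (not part of the original article), the toy Python below follows the scheme described above and shows one way non-random primes can be caught: if a faulty generator hands two users the same prime, a greatest-common-divisor check over the published products flags both keys for replacement. The primes, the exponent 65537 and every function name are constructed for this example; the article itself does not describe the specific failure or the check.

```python
from itertools import combinations
from math import gcd

# Constructed toy inputs: known Mersenne primes stand in for the secret
# primes (real keys use large, independently generated random primes).
P = [2**k - 1 for k in (17, 19, 31, 61, 89, 107, 127)]
E = 65537  # the "other number" published alongside the product


def make_key(p, q):
    """Return ((n, e), d): the public key and the private exponent."""
    d = pow(E, -1, (p - 1) * (q - 1))  # computing d needs the secret primes
    return (p * q, E), d


def encrypt(message, public):
    """Encrypt an integer message using only the public numbers."""
    n, e = public
    return pow(message, e, n)


def decrypt(ciphertext, public, d):
    """Decrypt with the private exponent derived from the primes."""
    return pow(ciphertext, d, public[0])


def audit_moduli(moduli):
    """Map index -> shared prime for every modulus that has a prime in
    common with another modulus in the list; independent keys give {}."""
    flagged = {}
    for (i, a), (j, b) in combinations(enumerate(moduli), 2):
        g = gcd(a, b)
        if 1 < g < min(a, b):  # a common prime, not a duplicated modulus
            flagged[i] = flagged[j] = g
    return flagged


# Keys 0 and 1 use independent primes. Keys 2 and 3 model a faulty
# generator that gave the same prime, P[4], to two different users.
KEYS = [make_key(P[0], P[1]), make_key(P[2], P[3]),
        make_key(P[4], P[5]), make_key(P[4], P[6])]
MODULI = [public[0] for public, _ in KEYS]

if __name__ == "__main__":
    for index, factor in sorted(audit_moduli(MODULI).items()):
        print(f"key {index} shares a prime with another key: regenerate it")
```
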

The importance of ensuring that encryption systems do not have undetected flaws cannot be overstated. The modern world's online commerce system rests entirely on the secrecy afforded by the public key cryptographic infrastructure.

"This comes as an unwelcome warning that underscores the difficulty of key generation in the real world," said James P. Hughes, an independent Silicon Valley cryptanalyst who worked with a group of researchers led by Arjen K. Lenstra, a widely respected Dutch mathematician who is a professor at the École Polytechnique Fédérale de Lausanne in Switzerland.

"Some people may say that 99.8 percent security is fine," he added.

That still means that as many as two out of every thousand keys would not be secure.
