Experts Find Key Internet Encryption Flaw
Small but significant number of cases vulnerable
By Mary Papenfuss,  Newser User
Posted Feb 15, 2012 5:29 AM CST
The Toshiba MKxx61GSYG models boast top encryption programs. But is anybody really safe?   (Photo: Business Wire)

(Newser) – Oops. Now that millions of people have downloaded encrypted information like credit card and bank account numbers onto the Internet, a team of mathematicians and cryptographers have located a crucial flaw in online encryption. The flaw concerns the way the system generates random numbers to create a code critical to protecting digital information. In the system, randomly-generated prime numbers are used to create a public "key," which is used in a formula to encrypt information. The original, randomly generated numbers are kept secret. But in a small but significant number of cases, the random-number key generation system failed to work properly. The researchers found in certain cases that numbers were not truly random, making it possible to determine the secret keys used to generate the public key. The problem can only be fixed by software and Internet operations, not consumers.

In those cases, the researchers warned in a paper on their findings, "secret keys are accessible to anyone who takes the trouble to redo our work,“ and could be used to decode information. Of 7.1 million keys the researchers studied, they "stumbled upon" 27,000 keys that offered no security, notes the Times. "This comes as an unwelcome warning that underscores the difficulty of key generation in the real world,” Silicon Valley cryptanalyst James Hughes tells the New York Times. “Some people may say that 99.8% security is fine. That still means that approximately as many as two out of every thousand keys would not be secure." The researchers were careful not to take advantage of what they discovered. “We did not intercept any traffic, we did not sniff any networks,” said Hughes. Hackers, likely to have already found the flaw, have probably not followed suit.