When 99.8% Security May Not Be SufficientConcerns Raised over Public-Key Encryption
Researchers have identified a flaw in an encryption method employed by thousands of organizations to transact business online, a process most practitioners thought to be very secure for a quarter century.
In a paper, Ron was Wrong, Whit is Right, being presented to a cryptography conference later this year, researchers reported a flaw they discovered in an algorithm for public-key cryptography known as RSA (the creators of this cryptographic function founded the company by the same name) that generates a very large prime number needed for one of the keys.
This comes as an unwelcome warning that underscores the difficulty of key generation in the real world
RSA Chief Technologist Sam Curry defends the company's approach to public-key cryptography, contending the problem exists elsewhere in the security chain [see How Encrypted Key Can Leave a Bad Taste].
The authors wrote the main goal of their research was to test the validity of the assumption that different random choices are made each time keys are generated. "We found that the vast majority of public keys work as intended," the paper says. "A more disconcerting finding is that two out of every 1,000 RSA moduli that we collected offer no security."
Two in a thousand sounds like great odds. "Some people may say that 99.8 percent security is fine," James Hughes, a Palo Alto, Calif., cryptanalyst who coauthored the paper told The New York Times, which first reported the findings. In reality, it's bad news when one considers that amount of online transactions that rely on these keys. "This comes as an unwelcome warning that underscores the difficulty of key generation in the real world," Hughes said.
Hughes and his co-authors from the Swiss university Ã‰cole Polytechnique FÃ©dÃ©rale de Lausanne said their research suggests multi-secret cryptosystems such as RSA are significantly riskier than single-secret ones.
The researchers surmise that if they could figure out the flaw, others - perhaps those with sinister motives - could as well. "The lack of sophistication of our methods and findings make it hard for us to believe that what we have presented is new," the paper says.
Keep in mind two things:
- The research still has not been peered reviewed. They said they went public with their findings because it could be of immediate concern to organization that rely on the public key cryptography system.
- No known instance of a significant breach has occurred because of the reported flaw.
One positive takeaway from this paper is that members of information security community identified the problem - not a group of hackers - and others can step in to help fix it.