Experts crack online encryption system, raising network banking security concerns

Source: Internet
Author: User

According to a report released by U.S. and European cryptography experts, the encryption methods widely used to protect online banking, email, e-commerce and other sensitive online transactions are not as secure as assumed.

The researchers reviewed millions of public keys used to encrypt online transactions and found that many of them are vulnerable to attack.

In most cases the issue lies in how the keys are generated, the researchers said: the numbers from which these keys are built are not as random as they are required to be.

The study team concluded that an attacker could use a public key to recover the corresponding private key and decrypt data, something that was previously considered impossible.

"This is an extremely serious encryption vulnerability," said Peter Eckersley, a senior technologist at the Electronic Frontier Foundation. "This is mainly because a random number is used to generate a private key for HTTPS, SSL, and TLS servers."

He said: "We are currently in the process of notifying all parties holding the vulnerable keys, and the certificate authorities that issued their certificates, so that they can revoke the vulnerable keys as quickly as possible and generate new ones."

Public key encryption is the fundamental system for protecting online transactions: data is encrypted with a public key and decrypted with the related private key.

For example, when a user logs on to a bank website or a secure e-commerce website, the website's public key encrypts the transaction, and only the website owner can decrypt the data with the corresponding private key.

The public key is usually embedded in a digital certificate issued by a so-called certificate authority. In theory, the components of the private key cannot be guessed, and no two public/private key pairs are identical.

In reality, not all key generation processes comply with security requirements, said James Hughes, an independent cryptanalyst in the United States, Arjen Lenstra, a professor at the Federal Institute of Technology in Lausanne, Switzerland, Dr. Maxime Augier, and three other researchers.

The researchers analyzed 6.6 million public keys generated with the RSA algorithm and found that 12720 of them were insecure and another 27000 were vulnerable to attack.

The researchers wrote: "Anyone who is not deterred from repeating our analysis will be able to obtain the keys. This assumes the set of public keys is accessible, and it is simpler than the traditional methods for recovering RSA keys."
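The article does not spell out what "not random enough" meant in practice. In the study it refers to, keys generated with too little entropy ended up sharing a prime factor with keys from other systems, and the greatest common divisor of two such public moduli yields that factor and therefore both private keys. The following is an added example, not code from the article or from the researchers: it builds a constructed "weak" key generator (a hypothetical device that boots with only a few bits of entropy) next to a properly seeded one, then runs the kind of GCD audit a defender would run over a corpus of public moduli before trusting them. `weak_key`, `good_key`, `audit_shared_factors`, the 64-bit toy key size and all sample keys are assumptions of this example, not anything from the page.

```python
# Added example, not from the article: a shared-prime audit of RSA public keys.
# A constructed "weak" generator (tiny boot-time entropy pool) is compared with a
# properly seeded one; the audit itself uses public moduli only.
import math
import random
from itertools import combinations

KEY_BITS = 64          # toy size so the demo is instant; real keys are 2048+ bits
ENTROPY_POOL_BITS = 2  # the constructed weak device has only 4 possible boot seeds

def is_probable_prime(n, rounds=16):
    """Miller-Rabin with a fixed witness stream, so results are reproducible."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    witness_rng = random.Random(n)
    for _ in range(rounds):
        x = pow(witness_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(rng, bits):
    """Draw odd `bits`-bit candidates from `rng` until one is prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def good_key(rng):
    """Properly seeded generation: both primes come from one well-seeded RNG."""
    p = random_prime(rng, KEY_BITS // 2)
    q = random_prime(rng, KEY_BITS // 2)
    while q == p:
        q = random_prime(rng, KEY_BITS // 2)
    return p * q, p, q

def weak_key(device_id):
    """Constructed model of a badly seeded device (hypothetical): at boot only
    ENTROPY_POOL_BITS bits of entropy exist, so p is drawn from a tiny set shared
    by many devices; extra entropy arrives only after p, so q differs per device."""
    boot_seed = random.Random(device_id).getrandbits(ENTROPY_POOL_BITS)
    rng = random.Random(boot_seed)
    p = random_prime(rng, KEY_BITS // 2)
    rng.seed(boot_seed * 1_000_003 + device_id)  # late, device-specific entropy
    q = random_prime(rng, KEY_BITS // 2)
    while q == p:
        q = random_prime(rng, KEY_BITS // 2)
    return p * q, p, q

def public_exponent(p, q):
    """65537 when coprime to phi(n), otherwise the next odd value that is."""
    phi, e = (p - 1) * (q - 1), 65537
    while math.gcd(e, phi) != 1:
        e += 2
    return e

def private_exponent(p, q, e):
    """d = e^-1 mod phi(n); anyone who knows p and q can compute it."""
    return pow(e, -1, (p - 1) * (q - 1))

def audit_shared_factors(moduli):
    """Pairwise-GCD audit over public moduli only.  Returns {n: (p, q)} for every
    modulus sharing a prime with another one, and {n: None} for moduli that occur
    more than once (identical key pairs: also compromised, not factorable here)."""
    broken = {}
    for a, b in combinations(moduli, 2):
        if a == b:
            broken.setdefault(a, None)
            continue
        g = math.gcd(a, b)
        if g > 1:  # shared prime: both moduli are now fully factored
            broken[a] = (g, a // g)
            broken[b] = (g, b // g)
    return broken

if __name__ == "__main__":
    for label, keys in (("weak", [weak_key(i) for i in range(12)]),
                        ("good", [good_key(random.Random(10_000 + i)) for i in range(12)])):
        found = audit_shared_factors([n for n, _, _ in keys])
        print(f"{label}: {len(found)} of {len(keys)} keys compromised")
        for n, factors in found.items():
            print(f"  n={n} factors={factors}")
```

With twelve weak devices and only four possible boot seeds, at least two of them must share `p`, so the audit always flags the weak set while the well-seeded set passes. The audit is quadratic in the number of keys; for millions of keys one would use a product-tree batch GCD instead, but the signal it looks for is the same. Any modulus the audit returns with a factor pair is fully compromised: `private_exponent` computes the owner's `d` from those factors alone, which is why such a key must be revoked rather than patched.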

The keys checked by the researchers come from several public databases, including those maintained by the Electronic Frontier Foundation.

Eckersley noted that attackers could exploit this vulnerability easily: simply assemble a public key database and repeat the researchers' work to find the vulnerable keys.

Bruce Schneier, a well-known cryptographer and creator of the Blowfish encryption algorithm, said the results of this study were amazing, but that more information was needed to understand the problem.

Schneier said: "This is a random number generator problem, but this study does not really talk about where it comes from."

He likened it to being told that 10 thousand people have bad locks, without being given any details about who those people are or where the locks are located.

The weak random numbers found in this study may be accidental, or someone may have introduced the problem deliberately in an attempt to make more communications readable.
