Security Glitch Undermines Encryption Keys

By John Lister

Around one in a million computer encryption keys are faulty and could be compromised, according to researchers. While it sounds like an obscure issue, it could be exploited by security agencies of both friendly and hostile governments.

The problem is with the RSA encryption that's widely used for online security. It works by users having two security keys (lengthy codes), one public and one private. The public key is used for encrypting data, while the private key is needed to decrypt it. The system also allows users to "sign" encrypted messages so that recipients know the supposed sender is genuine.

Researchers at the University of California in San Diego found that while the system itself is still robust, some hardware devices produce digital signatures incorrectly. In some cases, this exposes the private key.
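The article does not say how the incorrect signatures arise. The added example below is not from the researchers or the vendors: it assumes the textbook case of an RSA signer that uses the CRT speed-up and miscalculates one half, and shows the standard safeguard of verifying each signature with the public key before releasing it. The key, the function names and the simulated fault are constructed for illustration.

```python
import hashlib

# Constructed toy key built from two Mersenne primes; far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
DP, DQ = pow(E, -1, P - 1), pow(E, -1, Q - 1)  # CRT private exponents
Q_INV = pow(Q, -1, P)


def digest(message: bytes) -> int:
    """Hash the message to an integer below N (toy encoding, no real padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign_crt(message: bytes, fault: bool = False) -> int:
    """RSA-CRT signature. fault=True flips one bit in the mod-P half,
    standing in for a hardware or software miscalculation (assumed fault model)."""
    m = digest(message)
    sp, sq = pow(m, DP, P), pow(m, DQ, Q)
    if fault:
        sp ^= 1
    h = (Q_INV * (sp - sq)) % P
    return sq + Q * h  # Garner recombination of the two halves


def verify(message: bytes, signature: int) -> bool:
    """Public-key check: the signature raised to E must give back the digest."""
    return pow(signature, E, N) == digest(message)


def sign_checked(message: bytes, fault: bool = False) -> int:
    """Release a signature only if it verifies; a faulty one never leaves the signer."""
    signature = sign_crt(message, fault)
    if not verify(message, signature):
        raise RuntimeError("signature self-check failed; output withheld")
    return signature


if __name__ == "__main__":
    msg = b"constructed sample message"
    print("good signature verifies:", verify(msg, sign_crt(msg)))
    print("faulty signature verifies:", verify(msg, sign_crt(msg, fault=True)))
    try:
        sign_checked(msg, fault=True)
    except RuntimeError as exc:
        print("checked signer:", exc)
```

The self-check costs one public-key operation per signature, which is cheap next to the private-key operation it guards.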

Devices Withdrawn

Proportionally at least, the problem appears to be rare. The researchers looked at 5.2 billion records from data servers, of which 600,000 had incorrect signatures. From those they were able to find 189 different private keys across 4,962 data records. (Source: newscientist.com)

According to the researchers, the devices were made by four companies. Of those, Cisco and Zyxel say they've now either fixed the problem or stopped selling the devices. Two unnamed companies didn't respond to enquiries. It doesn't appear the devices are widely used by consumers. (Source: techradar.com)

Although the issue is extremely rare, it poses a couple of problems. One is simply that the flaw should not exist and that it undermines a major plank of online security, even if only in a few cases.

Spy Agencies Could Be Interested

The other is that although the flaw could only be exploited at scale, that's not completely implausible. Somebody with enough resources and patience could continually scan for an example of the incorrect signatures, find the private key, and use it to intercept data without detection.

It's unlikely such an approach would be worthwhile for trying to spy on a specific individual. However, a government agency with a relaxed attitude to individual privacy rights could theoretically use the keys for a "trawling" exercise. That would involve playing the numbers game and hoping that some of the compromised users were people of interest.

What's Your Opinion?

Do you trust online security? Are the researchers right to highlight this problem even if it's extremely rare? Is withdrawing the affected devices from sale enough or should the manufacturers track down users and warn them to stop using them?
