Security Glitch Undermines Encryption Keys
Around one in a million computer encryption keys are faulty and could be compromised, according to researchers. While it sounds like an obscure issue, it could be exploited by security agencies at both friendly and hostile governments.
The problem is with the RSA encryption that's widely used for online security. It works by users having two security keys (lengthy codes), one public and one private. The public key is used for encrypting data, while the private key is needed to decrypt it. The system also allows users to "sign" encrypted messages so that recipients know the supposed sender is genuine.
Researchers at the University of California in San Diego found that while the system itself is still robust, some hardware devices produce digital signatures incorrectly. In some cases, this exposes the private key.
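The mechanism behind that finding, as an added illustration that is not code from the researchers or any affected vendor: a toy RSA signer using the usual CRT shortcut, with constructed keys far too small for real use. A single glitch in one half of the computation produces a signature that the public key rejects and, if released, lets anyone holding it recover a prime factor of the key; the verify-before-release check is the standard mitigation.

```python
# Illustration of why a faulty RSA-CRT signature leaks the private key, and the
# signer-side check that prevents it. Key and message values are constructed
# for this demo only.
from math import gcd

# Toy RSA key: two well-known small primes (constructed; never use sizes like this).
p, q = 104729, 1299709
n = p * q
e = 65537
phi = (p - 1) * (q - 1)
d = pow(e, -1, phi)

# CRT parameters most RSA implementations precompute to speed up signing.
dp, dq = d % (p - 1), d % (q - 1)
qinv = pow(q, -1, p)

# Message representative (the padded hash as an integer); constructed sample.
M = 123456789


def sign_crt(m, glitch=False):
    """Sign m with RSA-CRT. glitch=True simulates a hardware error that
    corrupts only the mod-q half of the computation."""
    sp = pow(m, dp, p)
    sq = pow(m, dq, q)
    if glitch:
        sq = (sq + 1) % q  # one wrong intermediate value in the q half
    h = (qinv * (sp - sq)) % p
    return sq + q * h  # Garner recombination: correct mod p, wrong mod q if glitched


def verify(m, s):
    """Public-key check: a genuine signature satisfies s^e == m (mod n)."""
    return pow(s, e, n) == m


def sign_checked(m, glitch=False):
    """Verify-before-release: never emit a signature the public key rejects."""
    s = sign_crt(m, glitch)
    if not verify(m, s):
        raise RuntimeError("faulty signature suppressed")
    return s


def factor_from_faulty(m, s):
    """A signature correct mod p but wrong mod q gives s^e - m divisible by p
    and not by q, so gcd(s^e - m, n) is p. For a correct signature the gcd is n."""
    return gcd(pow(s, e, n) - m, n)
```

Real keys are 2048 bits or more, but the gcd step costs the same; the only defence on the signer side is to never release an unverified signature.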
Devices Withdrawn
Proportionally at least, the problem appears to be rare. The researchers looked at 5.2 billion records from data servers, of which 600,000 had incorrect signatures. From those they were able to recover 189 different private keys across 4,962 data records. (Source: newscientist.com)
According to the researchers, the devices were made by four companies. Of those, Cisco and Zyxel say they've now either fixed the problem or stopped selling the devices. Two unnamed companies didn't respond to enquiries. It doesn't appear the devices are widely used by consumers. (Source: techradar.com)
Although the issue is extremely rare, it poses a couple of problems. One is simply that the problem should not exist at all: it undermines a major plank of online security, even if only in a few cases.
Spy Agencies Could Be Interested
The other problem is that although the flaw could only be exploited at scale, that's not completely implausible. Somebody with enough resources and patience could continually scan for examples of the incorrect signatures, recover the private keys, and use them to intercept data without detection.
It's unlikely such an approach would be worthwhile for trying to spy on a specific individual. However, a government agency with a relaxed attitude to individual privacy rights could theoretically use the keys for a "trawling" exercise. That would involve playing the numbers game and hoping that some of the compromised users were people of interest.
What's Your Opinion?
Do you trust online security? Are the researchers right to highlight this problem even if it's extremely rare? Is withdrawing the affected devices from sale enough or should the manufacturers track down users and warn them to stop using them?
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website!