Researchers Detail Flaw in Online Cryptography, but Don't Panic

Look closely, and you can find a pattern amongst randomness. What goes for Magic Eye goes for cryptography.

Illustration by Bloomberg BusinessWeek


First, the bad news: A small number of RSA public keys, the public-key cryptosystem that secures billions of online transactions, offer “no security at all.” The finding was published by a team of security researchers who analyzed 7.1 million RSA keys collected from the Internet and found that roughly 0.2 percent of them were improperly generated. This small set of shoddy keys, in active use across thousands of websites, could be cracked by relatively simple means and might already be compromised, the researchers explain. “The lack of sophistication of our methods … make[s] it hard for us to believe that what we have presented is new,” they write. These public keys are the bedrock of almost every secure Internet transaction, and even a small hole in Internet security can cause quite a mess (that 0.2 percent amounts to more than 12,000 bad keys, after all).

The good news: Unless you’re a bank CTO, it doesn’t affect you. It’s not a huge security breach. There’s no need to shutter your online bank accounts and stow your assets in the Bank of Pillowcases.

Some background is helpful. Everything from your bank transfers to your Gmail account to your cat-picture Tumblr is secured against miscreants by the type of encryption studied in the paper: public key cryptography, of which RSA is the most widely used variety. An RSA key is built from two large prime numbers chosen at random. Multiplying them together produces the “modulus” that is published as part of the public key; the primes themselves stay secret and form the private key. When your browser talks to Gmail, it uses that publicly visible key to lock up what it sends, and only someone holding the original primes, in this case the servers at Gmail, can unlock it. The whole system rests on those random prime numbers staying secret.

Why random prime numbers? Multiplying two large primes is easy, but recovering them from their product is not: it would take a hacker’s computer a hilariously long time to factor a public key and figure out the primes it stems from. But if the primes aren’t truly random … well, that’s where the trouble begins. It’s in the number-generation step that the researchers found the flaw: Some RSA keys were made using primes that just weren’t “random enough,” so the very same prime turned up in more than one key. Two keys that share a prime can be broken without any factoring at all. Computing the greatest common divisor of the two public moduli, a calculation that takes milliseconds even for real-world key sizes, hands over the shared prime, and dividing it out of each modulus gives the other prime of each key. A smart hacker who collected enough public keys and compared them this way would end up holding the affected site’s decryption key, the same one that, in our example, Google (GOOG) has.

The researchers held off on publishing the exact method used to sniff out the bad keys, so their paper can’t be used as an instruction manual for hackers. They also put the word out on an Electronic Frontier Foundation mailing list in the hope that savvy Web administrators will double-check their public keys. The takeaway: If you’re handling secure transactions for a big website, make sure your random number generators are properly seeded and follow NIST standards, and check that no two keys you operate share a prime factor. If you’re the average user, enjoy lording your new crypto knowledge over your peers.
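The shared-prime weakness described above, and the double-check on a set of public keys that the researchers asked administrators to run, as an added example. This is not code from the Bloomberg article or from the researchers’ paper. The primes, the host names and the three-key “fleet” are constructed, and the key sizes are toy-sized (about 20-bit primes rather than 1024-bit) so that the arithmetic is visible; the GCD step works unchanged on real moduli.

```python
"""Added example, not code from the Bloomberg article or the researchers'
paper: a toy demonstration of the shared-prime weakness and of the check an
administrator can run over a fleet of RSA public keys.

Sizes are tiny (about 20-bit primes instead of 1024-bit) so the arithmetic
is visible; the primes, host names and "fleet" below are all constructed.
"""
from math import gcd

E = 65537  # the usual RSA public exponent

# Two keys in this constructed fleet were generated on machines whose random
# number generator repeated itself, so they share the prime P_SHARED.
P_SHARED = 1000003
OTHER_PRIMES = [1000033, 1000037, 1000039, 1000081]

FLEET = {  # host name -> public modulus n = p * q
    "host-a.example": P_SHARED * OTHER_PRIMES[0],         # shares P_SHARED
    "host-b.example": OTHER_PRIMES[1] * OTHER_PRIMES[2],  # unique primes: safe
    "host-c.example": P_SHARED * OTHER_PRIMES[3],         # shares P_SHARED
}


def find_shared_factors(moduli):
    """Compare every pair of moduli with a GCD.

    gcd(n1, n2) == 1 means the keys have no prime in common (the normal case).
    gcd(n1, n2) == n1 == n2 means the same key was deployed twice; that is a
    policy question rather than a broken key, so it is skipped here.
    Anything else is a prime factor shared by both keys, and both are broken.
    Returns {host: shared prime}. Pairwise comparison is O(k^2) GCDs, fine
    for one organisation's fleet; millions of keys need a batch-GCD product
    tree instead, but the arithmetic being exploited is the same.
    """
    names = list(moduli)
    broken = {}
    for i, left in enumerate(names):
        for right in names[i + 1:]:
            n1, n2 = moduli[left], moduli[right]
            g = gcd(n1, n2)
            if g == 1 or g == n1 or g == n2:
                continue
            broken[left] = g
            broken[right] = g
    return broken


def recover_private_exponent(n, e, p):
    """Given one prime factor p of the modulus n, rebuild the private exponent.

    This is the step the article describes as recovering "the original
    numbers": q = n / p, then d is the inverse of e modulo (p - 1)(q - 1).
    """
    q, remainder = divmod(n, p)
    if remainder != 0:
        raise ValueError("p does not divide n")
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse, Python 3.8+


def audit(fleet=FLEET, e=E):
    """Run the check, then prove each hit is real by encrypting a message
    with the public key and decrypting it with the recovered private key.
    Returns (hits, {host: round_trip_ok})."""
    hits = find_shared_factors(fleet)
    proof = {}
    for host, p in hits.items():
        n = fleet[host]
        d = recover_private_exponent(n, e, p)
        message = 42  # any integer below n
        ciphertext = pow(message, e, n)
        proof[host] = pow(ciphertext, d, n) == message
    return hits, proof


if __name__ == "__main__":
    found, proven = audit()
    for host, prime in found.items():
        print(f"{host}: shares prime {prime}; private key recovered: {proven[host]}")
```

To run the same check against real certificates, pull each modulus out with `openssl x509 -in cert.pem -noout -modulus` (it prints `Modulus=<hex>`), convert the hex string with `int(hexstring, 16)`, and feed the resulting dictionary to `find_shared_factors`. A hit means the key must be replaced, and so must the key it collided with, regardless of which machine generated it first.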

Applegate is a contributing graphics editor for Bloomberg Businessweek. Follow him on Twitter @evanapplegate.
