First, the bad news: A small number of active RSA public encryption keys, a popular type of encryption protocol that secures billions of online transactions, offer “no security at all.” The finding was published by a team of security researchers who analyzed 7.1 million of those RSA keys and found that 0.02 percent of them were improperly generated. This small set of shoddy keys, in active use across thousands of websites, could be cracked by relatively simple means and might already be compromised, the researchers explain. “The lack of sophistication of our methods … make[s] it hard for us to believe that what we have presented is new,” they write. These public keys are the bedrock of almost every secure Internet transaction, and even a small hole in Internet security can cause quite a mess (that 0.02 percent amounts to more than 12,000 bad keys, after all).
The good news: Unless you’re a bank CTO, it doesn’t affect you. It’s not a huge security breach. There’s no need to shutter your online bank accounts and stow your assets in the Bank of Pillowcases.
Some background is helpful. Everything from your bank transfers to your Gmail account to your cat-picture Tumblr is secured against miscreants by the type of encryption studied in the paper: public key cryptography. The technique hinges on generating random prime numbers, which get passed through an algorithm. When someone sends an e-mail, the data are encrypted using a publicly visible “key,” and can only be decrypted by someone with the original numbers—in this case, the servers at Gmail. The whole system rests on those random prime numbers.
Why random prime numbers? They are relatively hard for even superfast processors to digest; it would take a hacker’s computer a hilariously long time to crunch through the public keys and figure out the random numbers they stem from. But if the numbers aren’t truly random … well, that’s where the trouble begins. It’s in the number-generation step that the researchers found the flaw: Some RSA keys were made using numbers that just weren’t “random enough.” A smart hacker would be able to find the patterns behind the not-so-random numbers, giving him or her access to the same decryption key that Google has.
The researchers held off on publishing the exact method used to sniff out the bad keys, so their paper can’t be used as an instruction manual for hackers. They also put the word out on an Electronic Frontier Foundation mailing list in the hope that savvy Web administrators will double-check their public keys. The takeaway: If you’re handling secure transactions for a big website, make sure your random number generators follow NIST standards. If you’re the average user, enjoy lording your new crypto knowledge over your peers.