NEWS


News Archive

July 2012

Gig.U Project Aims for an Ultrafast US Internet

June 2012

Bringing Location and Navigation Technology Indoors

May 2012

Plans Under Way for Roaming between Cellular and Wi-Fi Networks

Encryption System Flaw Threatens Internet Security

April 2012

For Business Intelligence, the Trend Is Location, Location, Location

Corpus Linguistics Keep Up-to-Date with Language

March 2012

Are Tomorrow's Firewalls Finally Here Today?

February 2012

Spatial Humanities Brings History to Life

December 2011

Could Hackers Take Your Car for a Ride?

November 2011

What to Do about Supercookies?

October 2011

Lights, Camera, Virtual Moviemaking

September 2011

Revolutionizing Wall Street with News Analytics

August 2011

Growing Network-Encryption Use Puts Systems at Risk

New Project Could Promote Semantic Web

July 2011

FBI Employs New Botnet Eradication Tactics

Google and Twitter "Like" Social Indexing

June 2011

Computing Commodities Market in the Cloud

May 2011

Intel Chips Step up to 3D

Apple Programming Error Raises Privacy Concerns

Thunderbolt Promises Lightning Speed

April 2011

Industrial Control Systems Face More Security Challenges

Microsoft Effort Takes Down Massive Botnet

March 2011

IP Addresses Getting Security Upgrade

February 2011

Studios Agree on DRM Infrastructure

January 2011

New Web Protocol Promises to Reduce Browser Latency

To Be or NAT to Be?

December 2010

Intel Gets inside the Helmet

Tuning Body-to-Body Networks with RF Modeling

November 2010

New Wi-Fi Spec Simplifies Connectivity

Expanded Top-Level Domains Could Spur Internet Real Estate Boom

October 2010

New Weapon in War on Botnets

September 2010

Content-Centered Internet Architecture Gets a Boost

Gesturing Going Mainstream

August 2010

Is Context-Aware Computing Ready for the Limelight?

Flexible Routing in the Cloud

Signal Congestion Rejuvenates Interest in Cell Paging-Channel Protocol

July 2010

New Protocol Improves Interaction among Networked Devices and Applications

Security for Domain Name System Takes a Big Step Forward

The ROADM to Smarter Optical Networking

Distributed Cache Goes Mainstream

June 2010

New Application Protects Mobile-Phone Passwords

WiGig Alliance Reveals Ultrafast Wireless Specification

Cognitive Radio Adds Intelligence to Wireless Technology

May 2010

New Product Uses Light Connections in Blade Server

April 2010

Browser Fingerprints Threaten Privacy

New Animation Technique Uses Motion Frequencies to Shake Trees

March 2010

Researchers Take Promising Approach to Chemical Computing

Screen-Capture Programming: What You See is What You Script

Research Project Sends Data Wirelessly at High Speeds via Light

February 2010

Faster Testing for Complex Software Systems

IEEE 802.1Qbg/h to Simplify Data Center Virtual LAN Management

Distributed Data-Analysis Approach Gains Popularity

Twitter Tweak Helps Haiti Relief Effort

January 2010

2010 Rings in Some Y2K-like Problems

Infrastructure Sensors Improve Home Monitoring

Internet Search Takes a Semantic Turn

December 2009

Phase-Change Memory Technology Moves toward Mass Production

IBM Crowdsources Translation Software

Digital Ants Promise New Security Paradigm

November 2009

Program Uses Mobile Technology to Help with Crises

More Cores Keep Power Down

White-Space Networking Goes Live

Mobile Web 2.0 Experiences Growing Pains

October 2009

More Spectrum Sought for Body Sensor Networks

Optics for Universal I/O and Speed

High-Performance Computing Adds Virtualization to the Mix

ICANN Accountability Goes Multinational

RFID Tags Chat Their Way to Energy Efficiency

September 2009

Delay-Tolerant Networks in Your Pocket

Flash Cookies Stir Privacy Concerns

Addressing the Challenge of Cloud-Computing Interoperability

Ephemeralizing the Web

August 2009

Bluetooth Speeds Up

Grids Get Closer

DCN Gets Ready for Production

The Sims Meet Science

Sexy Space Threat Comes to Mobile Phones

July 2009

WiGig Alliance Makes Push for HD Specification

New Dilemnas, Same Principles:
Changing Landscape Requires IT Ethics to Go Mainstream

Synthetic DNS Stirs Controversy:
Why Breaking Is a Good Thing

New Approach Fights Microchip Piracy

Technique Makes Strong Encryption Easier to Use

New Adobe Flash Streams Internet Directly to TVs

June 2009

Aging Satellites Spark GPS Concerns

The Changing World of Outsourcing

North American CS Enrollment Rises for First Time in Seven Years

Materials Breakthrough Could Eliminate Bootups

April 2009

Trusted Computing Shapes Self-Encrypting Drives

March 2009

Google, Publishers to Try New Advertising Methods

Siftables Offer New Interaction Model for Serious Games

Hulu Boxed In by Media Conglomerates

February 2009

Chips on Verge of Reaching 32 nm Nodes

Hathaway to Lead Cybersecurity Review

A Match Made in Heaven: Gaming Enters the Cloud

January 2009

Government Support Could Spell Big Year for Open Source

25 Reasons For Better Programming

Web Guide Turns Playstation 3 Consoles into Supercomputing Cluster

Flagbearers for Technology: Contemporary Techniques Showcase US Artifact and European Treasures

December 2008

.Tel TLD Debuts As New Way to Network

Science Exchange

November 2008

The Future is Reconfigurable

Encryption System Flaw Threatens Internet Security

by George Lawton

Researchers have found a vulnerability that affects an encryption system widely used to provide security for e-mail, e-commerce, e-banking, and other online services.

Independent cryptography consultant James P. Hughes and Swiss Federal Institute of Technology Lausanne researchers led by professor and security expert Arjen K. Lenstra identified a weakness in the popular RSA-algorithm-based public-key encryption system. This flaw could let hackers recognize and recreate poorly generated encryption keys, and use them on the Web.

The problem lets hackers take advantage of a feature of the algorithm and of poorly generated random prime numbers, which are used to generate cryptographic keys, to decode keys for some traffic encrypted by the RSA algorithm.

The percentage of affected keys on the Web is small. However, concern is great because they are widely employed in public-key encryption techniques that verify website authenticity, enable the safe exchange of confidential information, and protect financial transactions.

This could threaten some transactions and reduce trust in Web security, Hughes said.

Inside the Public-Key System

In public-key systems, messages are encrypted — in a process that often occurs within routers — with public keys. They can be decrypted only with corresponding private keys. The public keys are widely distributed, but only the recipient of a transmission holds the private key.

The RSA algorithm generates the public and private keys by multiplying two large, randomly chosen prime numbers and then using Euler's totient function to generate the public key and a multiplicative inverse function to generate the private key.

The process is designed to make it too time-consuming and expensive to determine the private key from the public key.

Thus, generating random numbers is a key part of these systems and the quality of random-number generation is critical.

There are various ways to generate random numbers, such as using measurements of random physical phenomena. Computational approaches generate pseudorandom numbers, which can be used instead of true random numbers in many applications.

In 1995, research identified a flaw in the random-number generator (RNG) that Netscape used for public-key encryption. This made it easier to crack the encryption.

Last year, hackers also reported finding a weakness in the RNG that helped encrypt content on the Sony PlayStation. This let them access and share games and movies that were supposedly protected.

The Research

To find possible problems with cryptographic keys, Hughes, Lenstra, and their team worked with public-key databases that the MIT and the Electronic Frontier Foundation, a digital rights advocacy organization, created from publicly available online information. Hughes emphasized that they gathered no data by intercepting Web traffic.

The researchers found that in some cases, public-key encryption systems' RNGs produced the same "random" numbers for multiple encryption-key users. Hughes noted that effective RNGs are not supposed to do this.

In one case, a router vendor reused a combination of the same nine random numbers to generate 600 keys.

The researchers said the RSA algorithm enabled them to use a greatest-common-divisor (GCD) algorithm to analyze keys for different users that were generated by problematic RNGs.

They relatively quickly identified the keys' largest common factors, which in turn told the researchers the prime numbers used to generate them.

Hackers could use this information to decipher the keys themselves.

Public-key encryption schemes other than RSA use different key-generation algorithms, which don't enable GCD analysis to determine the random prime numbers used to generate keys.

Hughes, Lenstra, and their team identified the reuse of supposedly random prime-numbers in about 27,000 of the 7.1 million keys tested. Thus, the absolute number of keys affected throughout the Internet could be considerable, said Hughes.

Almost all of the affected keys have been implemented in the past five years, reflecting the proliferation of routers and switches with weak RNGs.

Ramifications

Hackers could take advantage of being able to decipher encryption keys in several ways.

For example, being able to use encryption keys that are supposedly private could let hackers impersonate a legitimate website and direct a victim trying to access the site to an IP address that the attackers control.

The site to which the victims are redirected could infect them with malware and even turn them into zombies that become part of botnets.

Once their website is communicating with a victim, the hackers could steal usernames and passwords and install back doors that could let them access the compromised systems at any time.

Hackers could also launch man-in-the-middle attacks, allowing them to sit between communicating parties and intercept their transmissions.

According to Hughes, there is no evidence that hackers have exploited the vulnerability in the wild yet.

He explained that his team made its findings public because the issue is of immediate concern and could be solved only by rethinking random-number generation techniques.

Hughes said he wanted to communicate directly with developers of the software that could be affected by the problem but in many cases couldn't identify them.

"When I first read the paper, I found it very exciting," said Whitfield Diffie, cryptography expert and vice president for information security and cryptography at the Internet Corporation for Assigned Names and Numbers. "The thought that someone else's key could compromise yours … seemed beguilingly sinister."

"As I thought about it," he continued, "I realized that you really have to have a bad random-number generator for this problem to appear."

MIT professor Ron Rivest, one of the RSA algorithm's developers, noted that problems with random number generators have been documented in the past.

"What is new about their paper is the analysis of the frequency with which poor keys are generated in practice," he said. "I don't believe that any of these issues affect the long-term viability of RSA or of other cryptosystems."