
Web encryption is easy to guess, researchers claim

There is so much new information coming from the Black Hat Conference in Las Vegas that it makes me wonder how our entire digital belongings have not been cracked, stolen and resold by now.

According to the latest report by IT Pro, the random numbers used to encrypt data on the web are most likely not strong enough to offer a high level of protection.

The flaw, discovered by security researchers Bruce Potter and Sasha Moore, prevents servers from generating strong encryption.

How is that possible? Potter explained that the server produces randomly generated data strings from computer behaviour, such as mouse movements or keystrokes.

It converts these into ones and zeros and feeds them into a pool of data (the entropy pool), which is drawn upon whenever a security function needs randomness.

However, these numbers have low entropy, meaning it is easy to guess how the data string will evolve. Data pools used for encryption should instead have high entropy.

“But, the entropy of widely used Linux web servers is lower than first thought because the machines from which the data comes are not creating enough information to increase the randomisation”, IT Pro says in its report.

“The knock-on effect is that systems are struggling to obtain reliable seeds from which to build secure randomised numbers, which can make the sequence of the strings easier to guess.”
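To make the "low entropy means guessable seeds" point concrete, here is an added example (not code from the researchers or from IT Pro) that estimates the min-entropy of two constructed event streams, a desktop with varied keystroke timings and a headless server that mostly sees the same timer interval, and turns that into the number of seed candidates an attacker would have to enumerate. It also reads the two counters Linux exposes under /proc/sys/kernel/random so an administrator can check their own pool; the sample timings and the 256-bit floor are assumptions for illustration.

```python
import math
from collections import Counter
from pathlib import Path

def entropy_bits(samples):
    """Return (shannon, min_entropy) in bits per observed value.
    Min-entropy is the figure that matters for seeds: it is set by the
    single most likely value, i.e. the attacker's best first guess."""
    counts = Counter(samples)
    n = len(samples)
    probs = [c / n for c in counts.values()]
    shannon = -sum(p * math.log2(p) for p in probs)
    min_entropy = -math.log2(max(probs))
    return shannon, min_entropy

def seed_candidates(min_entropy_per_event, events_in_seed):
    """Rough size of the space an attacker must search when a seed is
    assembled from events_in_seed samples of the given min-entropy."""
    return 2 ** (min_entropy_per_event * events_in_seed)

def pool_health(entropy_avail_text, poolsize_text, floor=256):
    """Interpret the kernel's entropy_avail and poolsize counters (both in
    bits). On current kernels (5.18+) poolsize reads 256 and entropy_avail
    stays at 256 once the generator is initialised, so a value below that
    floor means the generator is not yet ready; on older kernels a pool
    far below its size is the 'starved' condition the article describes."""
    available = int(entropy_avail_text.strip())
    size = int(poolsize_text.strip())
    return {"available_bits": available, "pool_bits": size,
            "starved": available < floor}

def read_pool_health(base="/proc/sys/kernel/random"):
    """Live check on a Linux host; returns None where /proc is absent."""
    try:
        return pool_health(Path(base, "entropy_avail").read_text(),
                           Path(base, "poolsize").read_text())
    except OSError:
        return None

# Constructed sample data, not measurements from the research: inter-keystroke
# gaps in ms on a desktop vary widely, while a server with no input devices
# mostly sees the same timer-tick interval (only slight jitter here).
DESKTOP_EVENTS = [87, 143, 92, 211, 65, 178, 134, 99, 256, 120, 71, 188, 150, 103, 244, 83]
SERVER_EVENTS = [100] * 14 + [101, 99]

if __name__ == "__main__":
    for name, events in (("desktop", DESKTOP_EVENTS), ("server", SERVER_EVENTS)):
        shannon, min_ent = entropy_bits(events)
        print(f"{name}: shannon={shannon:.2f} min-entropy={min_ent:.2f} bits/event, "
              f"seed candidates from 32 events ~ 2^{min_ent * 32:.0f}")
    print("local pool:", read_pool_health())
```

Run on the constructed data, the desktop stream yields 4 bits of min-entropy per event while the server stream yields under 0.2, so a seed built from 32 server events has only about 2^6 plausible values.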

According to Potter, this research has shed light on previously unknown aspects of how encryption works on many popular web servers.

"This seemed like just an interesting problem when we got started but as we went on it got scary ... because when you have unknowns in crypto that's when things go sideways," Potter said.