Monday, August 24, 1998 Published at 13:11 GMT 14:11 UK
New encryption security for e-commerce
Mathematicians have made it harder to crack e-commerce code
By Internet correspondent Chris Nuttall
Two Swiss-based mathematicians say they have perfected a method for making electronic transactions over the Internet more secure.
Victor Shoup of IBM Research and Ronald Cramer of the Swiss Federal Institute of Technology, both working in Zurich, say they have a solution to the problem of "active" attacks, in which a hacker tampers with encrypted messages and feeds them to a server in order to crack its security.
They will present their findings today at the Crypto 98 conference in California in a session entitled: "A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack."
How Bell Labs found a security hole
Their method is designed to foil attacks such as the one discovered by Bell Labs researcher Daniel Bleichenbacher in June.
His attack sent a stream of doctored messages to a server processing electronic transactions and watched the error messages that came back. An error told him something about what the decrypted message did not look like, and when no error was returned he learned that the decrypted value had the expected format, which in turn revealed some information about the secret message itself.
Bleichenbacher said around a million messages had to be sent to a server for the attack to succeed, and that the hacker would have to be able to screen out other Internet traffic.
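As an illustration added to this article (it is not code from Bleichenbacher, Bell Labs or any of the companies named), the following Python script stages the attack just described against a toy RSA key. The only thing the attacker gets from the "server" is a yes/no answer about the padding, yet that is enough to recover the encrypted message without the private key. The key (built from two well-known Mersenne primes so the run is reproducible), the sample message and the server's behaviour, which checks only the two leading bytes of the decrypted block, are all constructed for the example; real moduli were 512 bits or more.

```python
import random

# Toy RSA key built from two well-known Mersenne primes (an assumption made for this
# example so it is reproducible; real keys were 512 bits and up, with random primes).
P, Q = (1 << 89) - 1, (1 << 107) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8        # modulus length in bytes (25 here)
B = 1 << (8 * (K - 2))               # a PKCS#1 block with leading 00 02 lies in [2B, 3B)


def pkcs1_v15_pad(msg, rng):
    """Block type 2: 00 02 | at least 8 non-zero random bytes | 00 | message."""
    assert len(msg) <= K - 11
    ps = bytes(rng.randrange(1, 256) for _ in range(K - 3 - len(msg)))
    return b"\x00\x02" + ps + b"\x00" + msg


class PaddingOracle:
    """The server: decrypts with the private key and reports only whether the padding
    looked right. This is the weakest oracle Bleichenbacher considered (leading bytes
    00 02 only); stricter checks slow the attack down but do not stop it."""

    def __init__(self):
        self.queries = 0

    def __call__(self, c):
        self.queries += 1
        return pow(c, D, N).to_bytes(K, "big")[:2] == b"\x00\x02"


def ceil_div(a, b):
    return -(-a // b)


def narrow(intervals, s):
    """Step 3: keep only the m in each [a, b] for which m*s mod N can fall in [2B, 3B)."""
    out = []
    for a, b in intervals:
        for r in range(ceil_div(a * s - 3 * B + 1, N), (b * s - 2 * B) // N + 1):
            lo = max(a, ceil_div(2 * B + r * N, s))
            hi = min(b, (3 * B - 1 + r * N) // s)
            if lo <= hi:
                out.append((lo, hi))
    out.sort()
    merged = []
    for lo, hi in out:
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def bleichenbacher(c, oracle):
    """Recover the padded plaintext of c from padding-ok / padding-error answers alone."""

    def conforming(s):                       # does m*s mod N have a valid header?
        return oracle(c * pow(s, E, N) % N)

    M = [(2 * B, 3 * B - 1)]                 # c is itself conforming, so s0 = 1
    s = ceil_div(N, 3 * B)                   # step 2a: first s that can wrap m*s past N
    while not conforming(s):
        s += 1
    while True:
        M = narrow(M, s)
        if len(M) == 1 and M[0][0] == M[0][1]:
            return M[0][0]
        if len(M) > 1:                       # step 2b: walk s until one interval remains
            s += 1
            while not conforming(s):
                s += 1
        else:                                # step 2c: choose s so the interval halves
            a, b = M[0]
            r = ceil_div(2 * (b * s - 2 * B), N)
            s = None
            while s is None:
                for cand in range(ceil_div(2 * B + r * N, b), (3 * B - 1 + r * N) // a + 1):
                    if conforming(cand):
                        s = cand
                        break
                r += 1


def run_demo(seed=7):
    """Encrypt a constructed sample message, then recover it through the oracle."""
    rng = random.Random(seed)
    padded = pkcs1_v15_pad(b"card=4111", rng)
    c = pow(int.from_bytes(padded, "big"), E, N)
    oracle = PaddingOracle()
    block = bleichenbacher(c, oracle).to_bytes(K, "big")
    return block[block.index(b"\x00", 2) + 1:], oracle.queries


if __name__ == "__main__":
    msg, queries = run_demo()
    print(msg, "recovered after", queries, "oracle queries")
```

On this toy modulus the search finishes after a few thousand queries; the number grows with the key size and with how strictly the server checks the padding, which is where the million or so messages Bleichenbacher quoted for real keys come from. Note that the attacker never needs the private key: every query is just the target ciphertext multiplied by a chosen constant.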
Such a flood of traffic should alert administrators, and companies such as Netscape, Microsoft and RSA have put out software patches to fix the specific problem.
The Cramer-Shoup fix
The Cramer-Shoup method is said to thwart this whole class of attacks by adding a series of calculations that let the server reject any message not produced by the legitimate encryption process, so that its response to a tampered message leaks no information about the decrypted contents.
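To show what "leaks no information" means in practice, here is a small Python implementation of the Cramer-Shoup scheme, added for this article rather than taken from the researchers' paper or from IBM. The parameters are assumptions made for the example: a 128-bit safe prime found at run time, SHA-256 standing in for the scheme's hash function, and a constructed sample message. The decryptor verifies the extra value v, which ties the three other parts of a ciphertext together, before it releases anything derived from the decryption; a tampered ciphertext is simply rejected. For contrast, the hypothetical `decrypt_unchecked` shows what a decryptor without that check hands back, which is exactly the behaviour an active attacker exploits.

```python
import hashlib
import random


def is_probable_prime(n, rng, rounds=24):
    """Trial division then Miller-Rabin; adequate for a toy parameter search."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits, rng):
    """p = 2q + 1 with both prime; the order-q subgroup of Z_p^* is the group G."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1, q


def keygen(p, q, rng):
    g1, g2 = (pow(rng.randrange(2, p - 1), 2, p) for _ in range(2))  # squares lie in G
    x1, x2, y1, y2, z = (rng.randrange(1, q) for _ in range(5))
    c = pow(g1, x1, p) * pow(g2, x2, p) % p
    d = pow(g1, y1, p) * pow(g2, y2, p) % p
    h = pow(g1, z, p)
    return (p, q, g1, g2, c, d, h), (p, q, x1, x2, y1, y2, z)


def hash_to_zq(q, *elems):
    """The scheme's collision-resistant hash; SHA-256 is an assumption of this example."""
    data = b"".join(x.to_bytes(32, "big") for x in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def encode(msg, p, q):
    """Map a message (as an integer in [1, q]) to a square mod p, i.e. an element of G."""
    m = int.from_bytes(msg, "big")
    assert 1 <= m <= q
    return m if pow(m, q, p) == 1 else p - m


def decode(elem, p, q):
    m = elem if elem <= q else p - elem
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def encrypt(pk, msg, rng):
    p, q, g1, g2, c, d, h = pk
    m, r = encode(msg, p, q), rng.randrange(1, q)
    u1, u2 = pow(g1, r, p), pow(g2, r, p)
    e = pow(h, r, p) * m % p
    alpha = hash_to_zq(q, u1, u2, e)
    v = pow(c, r, p) * pow(d, r * alpha % q, p) % p   # binds u1, u2 and e together
    return u1, u2, e, v


def decrypt(sk, ct):
    p, q, x1, x2, y1, y2, z = sk
    if not all(0 < x < p and pow(x, q, p) == 1 for x in ct):
        return None                                     # not even group elements
    u1, u2, e, v = ct
    alpha = hash_to_zq(q, u1, u2, e)
    expected = pow(u1, (x1 + y1 * alpha) % q, p) * pow(u2, (x2 + y2 * alpha) % q, p) % p
    if expected != v:
        return None                                     # reject before using anything about m
    return decode(e * pow(u1, q - z, p) % p, p, q)      # m = e / u1^z


def decrypt_unchecked(sk, ct):
    """What an ElGamal-style decryptor without the v check would return (contrast only)."""
    p, q, x1, x2, y1, y2, z = sk
    u1, u2, e, v = ct
    return decode(e * pow(u1, q - z, p) % p, p, q)


def demo(seed=2024):
    rng = random.Random(seed)
    p, q = safe_prime(128, rng)
    pk, sk = keygen(p, q, rng)
    ct = encrypt(pk, b"hello", rng)
    u1, u2, e, v = ct
    tampered = (u1, u2, e * pk[2] % p, v)   # active attacker multiplies e by g1
    return decrypt(sk, ct), decrypt(sk, tampered), decrypt_unchecked(sk, tampered)
```

The tampered ciphertext decrypts, in the unchecked version, to a plaintext related to the original in a way the attacker controls, which is the kind of behaviour an error-message oracle feeds on; the checked version returns the same refusal for every tampered message, so the reply carries nothing about the plaintext. The extra work is the reason for the cost objection raised below: every encryption and decryption performs several more exponentiations than a plain ElGamal-style scheme.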
"The game is over as far as cryptography systems being subject to these nasty kinds of attacks," Charles Campbell Palmer, the manager of network security and cryptography at IBM Research told the Reuters news agency.
Bleichenbacher, whose attack targeted the Public Key Cryptography Standard (PKCS) #1 message format, which is widely used in electronic commerce, agreed that a solution had been found.
Some experts unimpressed
But some at the Crypto 98 conference were unimpressed. Ross Anderson of Cambridge University said there were a number of possible solutions for protecting against "active" attacks.
"The Cramer-Shoup one is fairly expensive as it costs about five times what a more conventional approach would cost," he said.
Another British encryption expert said it was hard to assess the scientists' achievement:
"Sometimes the cure has unanticipated effects which are nastier than the original problem. It's part of a continuing process of discovering weaknesses in, and fixing, a plethora of elaborate protocols," he said.
Ethical hacking, carried out by research institutes and companies such as IBM, aims to alert an industry that still lacks the full confidence of consumers to possible security flaws.