Monday, August 24, 1998 Published at 13:11 GMT 14:11 UK


New encryption security for e-commerce

Mathematicians have made it harder to crack e-commerce code

By Internet correspondent Chris Nuttall
Two Swiss-based mathematicians say they have perfected a method for making electronic transactions over the Internet more secure.

Victor Shoup of IBM Research and Ronald Cramer of the Swiss Federal Institute of Technology, both working in Zurich, say they have a solution to the problem of "active" attacks mounted by hackers to crack computer security.

They will present their findings today at the Crypto 98 conference in California in a session entitled: "A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack."

How Bell Labs found a security hole

Their method represents a foil to attacks similar to the one discovered by Bell Labs researcher Daniel Bleichenbacher in June.

His mechanism sent messages to a server processing electronic transactions and monitored the error messages that were returned. This gave him some information about what a decrypted message looked like, while he could also garner some information on the secret message itself when an error message was not returned.

Bleichenbacher said around a million messages needed to be sent to a server for success and the hacker would have to be able to screen out other Internet traffic.

Administrators should be alerted by such a massive attack, but companies such as Netscape, Microsoft and RSA have put out software patches to fix the specific problem.

The Shoup-Cramer fix

The Shoup-Cramer method is said to thwart any related attacks by adding a series of calculations which ensure the server leaks no information when responding to the messages.
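The check described above, as an added example (not code from the article or from Cramer and Shoup): a toy Python version of the Cramer-Shoup scheme in which the server recomputes a validity tag and gives the same rejection for every malformed ciphertext. The parameters P, Q, G1, G2 and all function names are constructed for illustration and are far too small for real use.

```python
import hashlib
import secrets

# Toy parameters (constructed for illustration, far too small for real use):
# P = 2*Q + 1 is a safe prime; G1 and G2 generate the order-Q subgroup of squares.
P, Q = 2039, 1019
G1, G2 = 4, 9

def challenge_hash(u1, u2, e):
    """Hash the first three ciphertext components to an exponent mod Q."""
    digest = hashlib.sha256(f"{u1},{u2},{e}".encode()).digest()
    return int.from_bytes(digest, "big") % Q

def rand_exp():
    return secrets.randbelow(Q - 1) + 1  # uniform in [1, Q-1]

def keygen():
    x1, x2, y1, y2, z = (rand_exp() for _ in range(5))
    c = pow(G1, x1, P) * pow(G2, x2, P) % P
    d = pow(G1, y1, P) * pow(G2, y2, P) % P
    h = pow(G1, z, P)
    return (x1, x2, y1, y2, z), (c, d, h)

def encrypt(pk, m):
    """m must be an element of the order-Q subgroup (a square mod P)."""
    c, d, h = pk
    r = rand_exp()
    u1, u2 = pow(G1, r, P), pow(G2, r, P)
    e = pow(h, r, P) * m % P                      # ElGamal-style masking of m
    alpha = challenge_hash(u1, u2, e)
    v = pow(c, r, P) * pow(d, r * alpha, P) % P   # validity tag bound to u1, u2, e
    return u1, u2, e, v

def decrypt(sk, ct):
    """Return the plaintext, or None for every kind of invalid ciphertext."""
    x1, x2, y1, y2, z = sk
    u1, u2, e, v = ct
    if any(not 0 < t < P or pow(t, Q, P) != 1 for t in (u1, u2)):
        return None                               # not in the order-Q subgroup
    alpha = challenge_hash(u1, u2, e)
    expected = pow(u1, x1 + y1 * alpha, P) * pow(u2, x2 + y2 * alpha, P) % P
    if expected != v:
        return None   # one uniform rejection: nothing about the plaintext leaks
    return e * pow(u1, Q - z, P) % P              # e / u1^z

if __name__ == "__main__":
    sk, pk = keygen()
    u1, u2, e, v = encrypt(pk, 49)                # 49 = 7^2 lies in the subgroup
    print(decrypt(sk, (u1, u2, e, v)))            # untouched ciphertext
    print(decrypt(sk, (u1, u2, e * 4 % P, v)))    # ciphertext modified in transit
```

The decryption routine never touches the masked message until the tag has been verified, so a modified ciphertext yields only a rejection.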

"The game is over as far as cryptography systems being subject to these nasty kinds of attacks," Charles Campbell Palmer, the manager of network security and cryptography at IBM Research, told the Reuters news agency.

Bleichenbacher, who had chosen the Public Key Cryptography Standard (PKCS) No. 1 protocol, which is widely used in electronic commerce, as the target of his attack, agreed that a solution had been found.

Some experts unimpressed

But some at the Crypto 98 conference were unimpressed. Ross Anderson of Cambridge University said there were a number of possible solutions for protecting against "active" attacks.

"The Cramer-Shoup one is fairly expensive as it costs about five times what a more conventional approach would cost," he said.

Another British encryption expert said it was hard to assess the scientists' achievement:

"Sometimes the cure has unanticipated effects which are nastier than the original problem. It's part of a continuing process of discovering weaknesses in, and fixing a plethora of elaborate protocols," he said.

Ethical hacking, carried out by research institutes and companies such as IBM, aims to alert an industry, which still lacks the complete confidence of consumers, to possible security flaws.
