By Mark Ward
Technology correspondent, BBC News
Many sites use public key cryptography
An attack on a widely used web security system could soon help make silicon chips more powerful and reliable.
Many websites use cryptographic systems to scramble key data, such as credit card numbers, when customers pay.
Scientists have found that by varying the voltage to key parts of a computer's processor, the ability to keep this data secret is compromised.
The researchers also discovered that a method that helps chips beat the attack could also make them more reliable.
Many modern security systems, such as the ones websites use to encrypt the credit card numbers of their customers, are based around a system known as public key cryptography.
This uses two keys, one public and one private, to scramble data. One of the most widely used implementations of this is known as RSA authentication.
"If data is locked with a public key, it can only be unlocked with the corresponding private key," said Professor Todd Austin, from the electrical engineering and computer science department at the University of Michigan who helped conduct the research.
"It's the kind of algorithm you use when you go to a website and you see the little padlock in the lower right hand corner to indicate a secure connection," he said.
The keys take the form of large numbers more than 1,000 digits long. Security is ensured because trying to guess a private number by trying all possible combinations would take longer than the age of the universe, using current computer technology.
Professor Austin, working with Andrea Pellegrini and Professor Valeria Bertacco, found a much quicker route to guessing the keys by varying the voltage to a processor.
"You need to be able to control the voltage to the power source to the device," said Professor Bertacco. "By putting the voltage just below where it should be means the device makes computational mistakes - it suffers temporary transistor failure."
The voltage was varied when a target machine was communicating with another machine via the web and the data flying between the two was encrypted using the public key system.
"It makes one mistake every now and again," she said. "But we need just a few mistakes."
During their test, the three researchers collected 8800 corrupted signatures in 10 hours and then analysed them using software that could call on 81 separate machines to boost its number crunching power.
The end result of the research was an attack method that could extract all the parts of a 1024 bit key in about 100 hours.
Initially, said Professor Bertacco, the work will lead to improvements in the way the public key security system works to make it less susceptible to such an attack. Future versions of the system will be "salted" with fake values to confuse any attempt to reconstruct a private key.
"It's part of the ongoing process of hardening RSA," said Professor Austin.
The implications of the research do not stop at security. It is also helping to produce error correction systems that spot when transistors fail and ensure that data is not corrupted as a result.
Professor Bertacco said the research would be useful when chips are made of even smaller components than those in use today. The widely-known Moore's Law predicts that the number of transistors on a given size of silicon wafer doubles roughly every 18 months.
Often that doubling is due to the transistors on the chip getting smaller. The transistors on Intel's most up to date desktop computers are about 32 nanometres in size.
Intel has said that it expects to soon start producing chips with components 22 and 16nm wide. A nanometre is a billionth of a metre.
However, as components get smaller they can get less reliable and need error checking and correction software to help cope with any errors that get introduced.
"Our mainstream research in this area is to make microchips operate correctly even in the face of transistor failure," she said. "Within 10 years a chip will have transistor failures every day. As transistors get smaller so they are more prone to failure."