Cambridge researchers claim to have uncovered a serious weakness in the security systems that protect many banking and e-commerce transactions.
Michael Bond and Richard Clayton, two PhD students at the University of Cambridge's computer laboratory, used off-the-shelf hardware and specially-developed software to access the encryption keys which prevent eavesdroppers from listening in to sensitive information such as credit card numbers or cash machine PINs.
The encryption keys are held on devices called cryptoprocessors. The physical security of these devices is validated by a US government agency but their software is not.
"The computer companies which manufacture cryptoprocessors are going to have to go back to their drawing boards - their software looks plausibly secure but it's not," says Bond.
"We've changed the threat model by several orders of magnitude," claims Clayton. "A crooked bank manager could duplicate our work on a Monday and be off to Bermuda by Wednesday afternoon."
The weaknesses uncovered by Bond and Clayton are in the cryptoprocessors' application programming interface (API), the software toolset for handling encryption keys. Bond and Clayton claim they were able to extract ultra-secure "Triple DES" keys from an IBM 4758 cryptoprocessor which had previously been thought to be invulnerable.
Full details of the attack, along with copies of the programs used have been placed on the Web at http://www.cl.cam.ac.uk/~rnc1/descrack/. According to Bond and Clayton, with these programs (and $995 for the Altera board Clayton used to build his device) enthusiasts of any age could duplicate the researchers' work.