New York: A group of computer scientists led by Karthikeyan Bhargavan, a researcher at the France-based INRIA, has discovered a serious vulnerability in the protocols used to encrypt data sent over the Internet.
The security flaw, discovered by Bhargavan, who is Indian, leaves millions of users who browse the Internet on Apple and Google devices vulnerable to hackers.
The FREAK attack (Factoring Attack on RSA-EXPORT Keys) is a flaw in Secure Sockets Layer (SSL)/Transport Layer Security (TLS), the protocols that secure communications over the Internet.
The FREAK attack was originally discovered by Bhargavan and a team of researchers at miTLS, which works on a verified reference implementation of TLS, a protocol that provides communications security over the Internet.
The flaw allows cyber criminals or intelligence agencies to break the encryption users rely on when they browse the Net over HTTPS (Hypertext Transfer Protocol over TLS) and to intercept their communication.
Such a situation allows cyber criminals to launch attacks, and extract passwords and personal information of the users.
Cyber security firm Websense said: "The vulnerability, discovered by Karthikeyan Bhargavan and the miTLS team, allows an active attacker to perform a man-in-the-middle attack by downgrading an encrypted connection between a vulnerable client and a server that accepts export-grade RSA keys to 512 bits.
"The captured key can then be factored using the public cloud in a matter of hours and further be used for decryption of communication between the client and the server," it said in a post on the Websense Security Labs blog.
"Once the key has been compromised, all personal information including passwords, financial data, etc. is at risk," it added.
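A defender-side check for the downgrade the Websense quote describes, written as an added example for this article (it is not code from the article, from Websense or from the miTLS project): it parses a TLS ServerHello, flags negotiation of an RSA export suite or of a suite the client never offered, flags a short RSA key in the ServerKeyExchange, and flags an RSA ServerKeyExchange arriving for a non-export suite, which is the client-side acceptance weakness FREAK exploited. The 2048-bit threshold is this example's choice, and the sample handshake messages are constructed inline rather than captured.

```python
import struct
# IANA values for the RSA export suites FREAK abuses (40-bit ciphers keyed via 512-bit RSA).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
MIN_RSA_BITS = 2048  # threshold chosen for this example; 512-bit export keys factor in hours

def parse_server_hello(record: bytes) -> int:
    """Return the cipher suite selected in a TLS 1.0-1.2 ServerHello record."""
    content_type, _version, length = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + length]
    if content_type != 22 or hs[0] != 2:
        raise ValueError("not a ServerHello handshake record")
    pos = 4 + 2 + 32              # handshake header, server_version, random
    pos += 1 + hs[pos]            # session_id length byte plus session_id
    return struct.unpack("!H", hs[pos:pos + 2])[0]

def rsa_modulus_bits(rsa_params: bytes) -> int:
    """Bit length of rsa_modulus in ServerRSAParams (ServerKeyExchange body after its 4-byte header)."""
    mod_len = struct.unpack("!H", rsa_params[:2])[0]
    return int.from_bytes(rsa_params[2:2 + mod_len], "big").bit_length()

def assess(offered: set, server_hello: bytes, rsa_params=None) -> list:
    """List FREAK-style anomalies seen in one handshake; an empty list means none."""
    findings = []
    chosen = parse_server_hello(server_hello)
    if chosen in RSA_EXPORT_SUITES:
        findings.append(f"export suite negotiated: {RSA_EXPORT_SUITES[chosen]}")
    if chosen not in offered:
        findings.append(f"server chose 0x{chosen:04x}, which the client never offered")
    if rsa_params is not None:
        if chosen not in RSA_EXPORT_SUITES:   # the client-side bug FREAK exploited
            findings.append("RSA ServerKeyExchange received for a non-export suite")
        bits = rsa_modulus_bits(rsa_params)
        if bits < MIN_RSA_BITS:
            findings.append(f"server RSA key is only {bits} bits")
    return findings

# Constructed sample messages for testing; these are not captured traffic.
def build_server_hello(suite: int, session_id: bytes = b"") -> bytes:
    body = struct.pack("!H", 0x0303) + bytes(32) + bytes([len(session_id)]) + session_id
    body += struct.pack("!HB", suite, 0)                  # cipher_suite, null compression
    hs = bytes([2]) + len(body).to_bytes(3, "big") + body  # handshake type 2 = ServerHello
    return struct.pack("!BHH", 22, 0x0303, len(hs)) + hs

def build_rsa_params(bits: int) -> bytes:
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    return struct.pack("!H", len(modulus)) + modulus + struct.pack("!H", 1) + b"\x03"
```

Run `assess` over each handshake seen by a client or a passive monitor; a non-empty result on a connection that negotiated an ordinary RSA suite is the signature of the downgrade.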
According to the researchers, the issue arose from an old US government policy of the 1990s, which, on national security grounds, required software makers in the US to use weaker encryption in programmes sold to overseas clients.
These cryptographic export restrictions have since been eased, but the weak encryption has lingered on in software, they added.
According to Bhargavan's website, he is a researcher at INRIA, a research body working on projects that combine computer science with mathematics.
Bhargavan, who holds a PhD in Computer Science from the University of Pennsylvania, is also a member of Ecole Polytechnique, the reputed French public institution of higher education and research.