According to a recent New York Times article:
A study of a widely used system to provide security for Internet shopping, banking and other services showed that it failed to work correctly in a small number of cases.
The problem appears to be a weakness in the way many cryptographic implementations generate random numbers. In fact, this has long been known to be a problem in generating keys. A conventional computer, being a deterministic machine, is not capable of generating truly random numbers on its own (a limitation that may change when quantum computing goes mainstream); as a result, implementors are forced to rely on methods which generate pseudorandom numbers (i.e., numbers which “look” random, but really aren’t).
Pseudorandom key generation can be effective, if done with much forethought and in line with best practices. Some of the pseudorandom paradigms that have been used in the past (and have been found wanting as far as security is concerned) include:
- Successive digits of the number pi (the ratio of a circle’s circumference to its diameter). Most people don’t remember more than a handful of pi digits from their high-school algebra class; thus, a security implementor can often get away with creating a function which retrieves, say, digits n through m of pi (where n and m are very large numbers, say around a million or so). Hackers, however, do know how to compute arbitrarily high-precision pi values (something made even easier by the profusion of websites displaying such values). Thus, by comparing a key value to strings of digits in pi until a match is found, they can easily predict what the next key value will be (i.e., if the first key was digits n through m, the next key to be generated will be digits n+(m-n) through m+(m-n)).
- Values that are seeded with an integer based on the number of time units (e.g., milliseconds) from a certain base date, as computed from the system clock. The weakness here, of course, is that once the hacker realizes that this method of pseudorandom generation is being used, the seed can be narrowed down from the approximate time of generation, which gives him/her a means by which to predict successive keys.
Many other methods have been used, but the thing that all weak methods have in common is some kind of pattern which can be discovered and extrapolated upon in order to predict future keys.
And since anything generated by a conventional computer is by definition not truly random, there always exists the potential for a bright hacker to break the code.
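As an added example (not code from the article or from the study it cites), here is the clock-seeded method from the list above beside a hardened form that draws from the operating system's CSPRNG, plus a small audit check showing why the weak form is predictable: anyone who knows roughly when the key was made can reproduce it by re-seeding with each nearby clock value. The 16-byte key size and the timestamp are constructed assumptions.

```python
import random
import secrets
from typing import Optional

KEY_BYTES = 16  # assumed key size for the demonstration


def weak_key(ms_since_epoch: int) -> bytes:
    """Weak generator: a PRNG seeded with a millisecond clock reading.

    The output is entirely determined by the seed, so two runs with the
    same clock value yield the same "random" key.
    """
    rng = random.Random(ms_since_epoch)
    return rng.getrandbits(8 * KEY_BYTES).to_bytes(KEY_BYTES, "big")


def strong_key() -> bytes:
    """Hardened form: bytes from the OS CSPRNG, with no application-chosen seed."""
    return secrets.token_bytes(KEY_BYTES)


def find_seed_in_window(key: bytes, approx_ms: int, window_ms: int) -> Optional[int]:
    """Audit check: can `key` be reproduced from any clock value within
    +/- window_ms of approx_ms?  Returns the matching seed, or None.

    A key generator that passes this check (returns None) is at least not
    seeded from the clock in the way the post describes; one that fails
    it is reproducible by anyone who knows the approximate creation time.
    """
    for candidate in range(approx_ms - window_ms, approx_ms + window_ms + 1):
        if weak_key(candidate) == key:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed timestamp standing in for "milliseconds since a base date".
    created_at_ms = 1_700_000_000_000
    k = weak_key(created_at_ms)
    # An auditor who only knows the creation time to within ~100 ms still
    # recovers the exact seed, and with it the key.
    print("weak key reproducible from seed:", find_seed_in_window(k, created_at_ms + 37, 100))
    # The CSPRNG-backed key has no seed to guess, so the same search finds nothing.
    print("strong key reproducible from seed:", find_seed_in_window(strong_key(), created_at_ms, 100))
```

The second search reports `None` because a 128-bit key drawn from the OS CSPRNG has a negligible chance of colliding with any of the candidate seeds' outputs.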
Thus, the future of cryptography lies with methodologies which incorporate data from outside the computing environment (e.g., utilizing random noise detected outside the computer), as well as with computing paradigms which rely on processes which are inherently random. The latter is a feature of quantum computing - a field still in its infancy - in which certain aspects of the state of electrons (which, according to quantum theory, cannot be measured simultaneously) are used to determine the polarity of bits. For those interested in this field, a Google search brings back many fascinating articles.