Researchers have uncovered a flaw in the way keys are generated for the public key encryption widely used by online services such as banking, email and shopping, which means that some of the keys in use are far weaker than their owners assume.
The researchers, from universities in Europe and the US, discovered that nearly four in every thousand public encryption keys offer no security for their users.
The flaw came to light through an analysis of more than seven million public keys used to secure online transactions, email messages and other web services.
The researchers found that a weakness in the process for generating random prime numbers, a critical step in creating a public key, meant that thousands of public keys shared a prime factor with another key. Two keys that share a prime can each be broken by computing the greatest common divisor of their two moduli, which takes a fraction of a second, whereas factoring either key on its own is believed to be infeasible.
"What surprised us most is that many thousands of 1024-bit RSA moduli, including thousands that are contained in still valid X.509 certificates, offer no security at all," the research paper states.
The problem also appeared in keys generated by software from more than one vendor, suggesting that it is potentially widespread.
The researchers were due to present their findings at a cryptography conference later this year, but have made the details public because of the security risks.
RSA public key encryption, the system at issue, works by generating two large random prime numbers. Their product, the modulus, forms the public key and is published so that anyone can encrypt a message to its owner; the two primes themselves are kept secret and are needed to decrypt. The security rests on the assumption that recovering the primes from the modulus, that is, factoring it, is infeasible for keys of the sizes in use.
But if the randomness feeding the key generator is poor, as the researchers have shown happens in practice, two different keys can end up sharing one of their primes. Anyone who notices this, by computing the greatest common divisor of the two public moduli, immediately learns both primes of each key and can decrypt messages sent to either owner, without ever factoring anything.
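The shared-prime attack described above, as an added example that is not part of the original article or of the researchers' own code. It uses constructed toy primes just above one million so that every step is visible; the key names A, B and C, the public exponent 65537, the reuse of one prime between A and B, and the message value are illustrative assumptions, and the pairwise gcd loop is the simplest form of the check rather than the optimised method used on millions of real keys.

```python
# Added example: recovering RSA private keys from public moduli that share a
# prime. Only the public moduli are given to the attack; the private exponents
# are held back and used solely to confirm that the recovered values match.
from math import gcd

E = 65537  # the customary RSA public exponent (assumed)


def is_prime(n):
    """Trial division; adequate for the toy-sized primes used below."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


# Constructed toy primes, not taken from any real key. P is deliberately
# reused by keys A and B to model a generator whose randomness repeated.
P = 1000003
Q1 = 1000033   # key A's second prime
Q2 = 1000037   # key B's second prime
P3 = 1000081   # key C shares nothing with A or B
Q3 = 1000039
for _prime in (P, Q1, Q2, P3, Q3):
    assert is_prime(_prime)


def make_key(p, q, e=E):
    """Return (n, e, d): modulus, public exponent, private exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)        # modular inverse, needs Python 3.8+
    return n, e, d


KEYS = {"A": make_key(P, Q1), "B": make_key(P, Q2), "C": make_key(P3, Q3)}
PUBLIC_MODULI = {name: k[0] for name, k in KEYS.items()}   # all an attacker sees


def encrypt(n, e, m):
    return pow(m, e, n)


def decrypt(n, d, c):
    return pow(c, d, n)


def find_shared_primes(moduli):
    """Pairwise gcd over {name: n}. Returns [(name1, name2, shared_prime), ...]."""
    names = sorted(moduli)
    hits = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            g = gcd(moduli[a], moduli[b])
            if g != 1:             # a non-trivial gcd of two moduli is a prime factor
                hits.append((a, b, g))
    return hits


def recover_private_exponent(n, e, known_factor):
    """One factor of n is enough to rebuild phi(n) and hence d."""
    other = n // known_factor
    assert known_factor * other == n, "known_factor does not divide n"
    phi = (known_factor - 1) * (other - 1)
    return pow(e, -1, phi)


def attack(moduli, e=E):
    """Recover d for every key whose modulus shares a prime with another modulus."""
    recovered = {}
    for a, b, g in find_shared_primes(moduli):
        for name in (a, b):
            recovered[name] = recover_private_exponent(moduli[name], e, g)
    return recovered


if __name__ == "__main__":
    message = 123456789                      # constructed plaintext, must be < n
    n_a, e_a, _ = KEYS["A"]
    c = encrypt(n_a, e_a, message)           # anyone can do this with A's public key
    stolen = attack(PUBLIC_MODULI)           # attacker never touches KEYS[...][2]
    print("keys broken:", sorted(stolen))
    print("plaintext recovered:", decrypt(n_a, stolen["A"], c) == message)
```

Key C, whose two primes appear in no other modulus, survives untouched: the weakness is not in RSA itself but in the randomness that fed the generator, and a key built from genuinely fresh primes gains no exposure from its neighbours. The pairwise loop costs a gcd for every pair of keys, which is fine for a handful but quadratic over millions; the same result at scale comes from a product-tree batch gcd, which is how a collection of this size is actually checked.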