Due to a reporting error, the story, "Researchers: Authentication crack could affect millions," posted Thursday, incorrectly described the target of an attack on Internet authentication systems. The attack targets digital signatures used by authentication tokens sent by the browser to prove that the user is logged into the Web site.
The story has been corrected on the wire. The headline now reads:
Researchers: Authentication crack could affect millions
And the fourth and fifth paragraphs have been replaced with:
The attack is thought to be so difficult because it requires very precise measurements. It cracks authentication tokens by measuring the time it takes for a computer to verify a digital signature. On some systems, the server will check a cryptographic signature on a token sent by the user to prove that he has logged into the system. It will kick back an error message as soon as it spots a bad character. This means a computer returns an error for a completely bad token a tiny bit faster than one where the first character is correct.
By submitting signatures again and again, cycling through characters and measuring the time it takes for the computer to respond, hackers can ultimately figure out the correct digital signature.
The attack lets someone masquerade as a legitimate Web site user without actually having to log in.