RSA crypto: 'flawed', 'risky', 'quagmire of vulnerabilities'

A group of six academic researchers have concluded that real-world RSA encryption keys are riskier than Diffie-Hellman-based ones. It seems that some of the random numbers used to generate them weren't, errm, random. In IT Blogwatch, bloggers wonder if the sky is falling.

By Richi Jennings: Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: How to Meet Girls Who Like Star Trek...

    Ellen Messmer reports:

The researchers...note in the paper that they found a...high number of duplicate secret keys. ... [In] an examination of 6.4 million distinct X.509 certificates and PGP keys...71,052 (1%) occur more than once, some of them thousands of times.

...

The researchers summarized their findings by saying..."two out of every one thousand...offer no security." ... They also said their research showed that crypto...based on Diffie-Hellman, is less risky than [those] based on RSA.   
M0RE

    John Markoff adds:

The potential danger of the flaw is that...confidence in the security of Web transactions is reduced. ... The system requires that a user first create...the product of two large prime numbers...[but] it is essential that the secret prime numbers be generated randomly...in a small but significant number of cases, the random number generation system failed.

...

The researchers whimsically titled their paper “Ron Was Wrong, Whit Is Right,” a reference to...Ron Rivest and Whitfield Diffie.   
M0RE

Arjen K. Lenstra, James P. Hughes, Maxime Augier, Joppe W. Bos, Thorsten Kleinjung and Christophe Wachter conclude thus:

Our main goal was to test...the assumption that different random choices are made [when] keys are generated. ... Our conclusion is that the validity of the assumption is questionable.

...

[G]enerating keys...for "multiple-secrets'" cryptosystems such as RSA is...riskier than for "single-secret'" ones...based on Diffie-Hellman.   
M0RE

Aaron "Spykk" McRae sounds worried:

If...you could derive the secret key from the public key then...the key is worse than no security at all. Public keys are, by definition...available to the public at large.

...

The false sense of security presented by encrypting something with one of these ... would make them very dangerous indeed.   
M0RE

And Eric "omnifarious" Hopper says "This is pretty bad":

  1. You scoop up all the public keys you can find. ...
  2. You run [euclid's] GCD on each pair.
  3. You find they share a common factor. ... Both keys are now...compromised.   
    M0RE

But Dan Kaminsky calls the conclusion "strange":

This is a mostly great paper, with lots of solid data. ... But there’s just no way we [can] get...to the thesis that surrounds it.

...

On the most basic level, risk...is utterly dominated, not by cipher selection, but by key management. ... What the data from this survey says...is that most keys...have no provenance that can be trusted. ... Diffie himself has said [that this] is The Hard Problem now for cryptography.

...

Whether you use RSA or DSA or ECDSA, that differential risk is utterly dwarfed by [that of] key management...[yet] the paper is specifically arguing for one technology over another. ... There’s no security differential if there was no security to begin with.   
M0RE

   And Finally...
How to Meet Girls Who Like Star Trek

[hat tip: Roddenberry]

  
 
Don't miss out on IT Blogwatch:

Richi Jennings, your humble blogwatcher

Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. He's the creator and main author of Computerworld's IT Blogwatch, for which he has won ASBPE and Neal awards. He also writes The Long View for IDG Enterprise. A cross-functional IT geek since 1985, you can read Richi's full profile and disclosure of his industry affiliations.

Copyright © 2012 IDG Communications, Inc.

  
Shop Tech Products at Amazon