[LINK] public keys

stephen at melbpc.org.au stephen at melbpc.org.au
Thu Feb 16 00:32:36 AEDT 2012



"We performed a sanity check of public keys collected on the web. 

Our main goal was to test the validity of the assumption that
different random choices are made each time keys are generated.

We found that the vast majority of public keys work as intended. 

A more disconcerting finding is that two out of every one thousand
RSA moduli that we collected offer no security.

Our conclusion is that the validity of the assumption is questionable
and that generating keys in the real world for "multiple-secrets"
cryptosystems such as RSA is significantly riskier than for "single
secret" ones such as ElGamal or (EC)DSA based on Die-Hellman ..."

5 Conclusion

"We checked the computational properties of millions of public keys
that we collected on the web. The majority does not seem to suer
from obvious weaknesses and can be expected to  provide the
expected level of security. We found that on the order of 0.003% of
public keys is incorrect, which does not seem to be unacceptable. 

We were surprised, however, by the extent to which public keys are
shared among unrelated parties. For ElGamal and DSA sharing is
rare, but for RSA the frequency of sharing may be a cause for concern.

What surprised us most is that many thousands of 1024-bit RSA moduli,
including thousands that are contained in still valid X.509 certificates,
offer no security at all. 

This may indicate that proper seeding of random number generators is
still a problematic issue (see also Appendix A).."

"Flaw Found in an Online Encryption Method"



More information about the Link mailing list