[LINK] public keys
swilson at lockstep.com.au
Thu Feb 16 04:31:05 AEDT 2012
Fascinating in general, but I also picked up this bit of hypocritical
"What surprised us most is that many thousands of 1024-bit RSA moduli ...
offer no security at all."
Security geeks take lay people (esp. sales & marketing) to task if they
ever suggest that such and such is perfectly secure. Nothing is ever
100% secure. But equally, very few things are 0% secure, as in the
phrase "no security at all".
On 16/02/2012 12:32 AM, stephen at melbpc.org.au wrote:
> "We performed a sanity check of public keys collected on the web.
> Our main goal was to test the validity of the assumption that
> different random choices are made each time keys are generated.
> We found that the vast majority of public keys work as intended.
> A more disconcerting finding is that two out of every one thousand
> RSA moduli that we collected offer no security.
> Our conclusion is that the validity of the assumption is
> questionable and that generating keys in the real world for
> "multiple-secrets" cryptosystems such as RSA is significantly riskier
> than for "single secret" ones such as ElGamal or (EC)DSA based on
> Diffie-Hellman ..."
> 5 Conclusion
> "We checked the computational properties of millions of public keys
> that we collected on the web. The majority does not seem to suffer
> from obvious weaknesses and can be expected to provide the expected
> level of security. We found that on the order of 0.003% of public
> keys is incorrect, which does not seem to be unacceptable.
> We were surprised, however, by the extent to which public keys are
> shared among unrelated parties. For ElGamal and DSA sharing is rare,
> but for RSA the frequency of sharing may be a cause for concern.
> What surprised us most is that many thousands of 1024-bit RSA
> moduli, including thousands that are contained in still valid X.509
> certificates, offer no security at all.
> This may indicate that proper seeding of random number generators is
> still a problematic issue (see also Appendix A).." --
> "Flaw Found in an Online Encryption Method"
> Stephen
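An added example, not part of the original post or of the quoted paper: a sanity check of the kind the quoted abstract describes, run over an inventory of your own RSA public keys. It flags identical moduli held by different owners and moduli that have a factor in common with a different modulus, which is what happens when key generation repeats a "random" prime. The function name, host names and toy-sized primes are constructed for illustration.

```python
from collections import defaultdict
from math import gcd


def audit_moduli(inventory):
    """inventory maps an owner label to its RSA modulus (int).

    Returns (duplicates, shared_factor):
      duplicates    - groups of owners using the identical modulus
      shared_factor - owners whose modulus has a common factor with a
                      different modulus in the inventory
    """
    owners_by_modulus = defaultdict(list)
    for owner, n in inventory.items():
        owners_by_modulus[n].append(owner)

    duplicates = sorted(sorted(o) for o in owners_by_modulus.values() if len(o) > 1)

    distinct = list(owners_by_modulus)
    product = 1
    for n in distinct:
        product *= n

    shared_factor = []
    for n in distinct:
        # gcd of n with the product of all other distinct moduli is 1
        # when every prime in the inventory was chosen independently.
        if gcd(n, (product // n) % n) != 1:
            shared_factor.extend(owners_by_modulus[n])
    return duplicates, sorted(shared_factor)


# Constructed sample inventory: toy primes, hypothetical host names.
SAMPLE = {
    "www.a.example": 10007 * 10009,
    "mail.b.example": 10007 * 10009,    # same modulus as www.a.example
    "vpn.c.example": 10037 * 10039,
    "router.d.example": 10037 * 10061,  # repeats a prime used by vpn.c.example
    "api.e.example": 10067 * 10069,     # independent primes
}

if __name__ == "__main__":
    dup, weak = audit_moduli(SAMPLE)
    print("identical moduli:", dup)
    print("moduli with a common factor:", weak)
```

Any key flagged by either check should be regenerated on a system whose random number generator is known to be properly seeded, and its certificate reissued.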