Fox-IT Completes the Picture On the Factored RSA-512 Keys

An anonymous reader sends in this excerpt from the Fox-IT blog: "During recent weeks we have observed several interesting publications which have a direct relation to an investigation we worked on recently. On one hand there was a Certificate Authority being revoked by Mozilla, Microsoft and Google (Chrome), on the other hand there was the disclosure of a malware attack by Mikko Hypponen (FSecure) using a government issued certificate signed by the same Certificate Authority. That case, however, is not self-contained, and a whole range of malicious software had been signed with valid certificates. The malicious software involved was used in targeted attacks focused on governments, political organizations and the defense industry. The big question is, of course, what happened, and how did the attackers obtain access to these certificates? We will explain here in detail how the attackers have used known techniques to bypass the Microsoft Windows code signing security model."

Hopefully this shuts up the certificate freaks.

For years now there have been some very vocal "security experts" who repeatedly trumpet how certificates and digital signatures somehow solve all security woes. Of course this isn't true, and we've tried to tell them this, but they refuse to listen.

Hopefully these recent incidents will shut them up once and for all. Certificates are nothing more than yet another tool in our security toolbox. To elevate them beyond this is a stupid thing to do, as these incidents rightfully show.

At the very least, I hope it makes these certificate freaks think twice before they recommend using certificates to solve some sort of a security problem.

Short answer

[Baloroth]

RSA-512 is weak, can be factored in a few weeks (according to a comment, a couple days), and should never be used. All certificates should have CRL entries. Also, the Fox-IT International Blog writer needs English grammar courses.

Re:Short answer

[Forbman]

"Onze visie op de eigen slagkracht van de overheid" ...which translates to:

"Drink more Ovaltine".

Re:Short answer

[Kjella]

That means RSA-1024 is a huge bargain for the user -- significant improvement in short-term security for the user compared to using RSA-512, for only 2x the amount of CPU resources.

Shame on whoever modded this up. The main calculation in RSA is a^b mod n, with n being the 512/1024 bit integer. Most implementations will scale with O(n^2), certainly never O(n). That said, even a 2048 bit key should be done in a few microseconds and there's no real reason not to do it proper. Remember that you generally you make a digest and just do one RSA operation to sign/verify it. When used for SSL you encrypt/decrypt a symmetric key then use AES for bulk encryption, again doing just one RSA operation. Of course if you got hundreds or thousands of connections per second that might be an issue, but normally it should not be.

Re:Short answer

[FrankSchwab]

I agree with you, Kjella.

The 48 MHz, ARM-7-like processor in our ASIC can do an RSA-2048 operation in 3-4 seconds. The 3000 MHz, 64-bit, OOE, multi-issue, TLA-up-the-Wazoo processor in the average $400 laptop should be able to do it in 3-4 milliseconds (http://www.cryptopp.com/benchmarks.html).

There is no reason not to be using RSA-2048 on the desktop. On a Webserver getting hit by millions, the 6-8x increase in CPU times is going to start getting noticeable. /frank