Slashdot Mirror

← Back to Stories (view on slashdot.org)

Factorable Keys: Twice As Many, But Half As Bad

Posted by Unknown on from the keep-on-factoring dept.

J. Alex Halderman and Nadia Heninger write in with an update to yesterday's story on RSA key security: "Yesterday Slashdot posted that RSA keys are 99.8% secure in the real world. We've been working on this concurrently, and as it turns out, the story is a bit more complicated. Those factorable keys are generated by your router and VPN, not bankofamerica.com. The geeky details are pretty nifty: we downloaded every SSL and SSH keys on the internet in a few days, did some math on 100 million digit numbers, and ended up with 27,000 private keys. (That's 0.4% of SSL keys in current use.) We posted a long blog post summarizing our findings over at Freedom to Tinker."

3 of 40 comments (clear)

  1. Dont these keys change often? How would you match? by Kenja · · Score: 5, Insightful

    So how do you go about matching one of the keys that you guessed and a specific users session? What's more, how do you do that before the key changes? I can guess a password is "fishmonkeywrinkles", but without a matching account that wont do much good.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  2. Re:slashdotted by WrongSizeGlass · · Score: 1, Insightful

    All I see is a wall of text.

    Apparently what you pay for to get past the 'pay wall' is the line feeds.

  3. Not a flaw in the crypto by Anonymous Coward · · Score: 2, Insightful

    FTA:

    For the system to provide security, however, it is essential that the secret prime numbers be generated randomly. The researchers discovered that in a small but significant number of cases, the random number generation system failed to work correctly.

    So it's the faulty implementations that we need to worry about. The foundation itself is still strong.