Slashdot Mirror


Factorable Keys: Twice As Many, But Half As Bad

J. Alex Halderman and Nadia Heninger write in with an update to yesterday's story on RSA key security: "Yesterday Slashdot posted that RSA keys are 99.8% secure in the real world. We've been working on this concurrently, and as it turns out, the story is a bit more complicated. Those factorable keys are generated by your router and VPN, not bankofamerica.com. The geeky details are pretty nifty: we downloaded every SSL and SSH keys on the internet in a few days, did some math on 100 million digit numbers, and ended up with 27,000 private keys. (That's 0.4% of SSL keys in current use.) We posted a long blog post summarizing our findings over at Freedom to Tinker."

1 of 40 comments (clear)

  1. Dont these keys change often? How would you match? by Kenja · · Score: 5, Insightful

    So how do you go about matching one of the keys that you guessed and a specific users session? What's more, how do you do that before the key changes? I can guess a password is "fishmonkeywrinkles", but without a matching account that wont do much good.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"