Factorable Keys: Twice As Many, But Half As Bad
J. Alex Halderman and Nadia Heninger write in with an update to yesterday's story on RSA key security: "Yesterday Slashdot posted that RSA keys are 99.8%
secure in the real world. We've been working on this
concurrently, and as it turns out, the story is a bit more
complicated. Those factorable keys are generated by your router and
VPN, not bankofamerica.com. The geeky details are pretty nifty: we
downloaded every SSL and SSH keys on the internet in a few days, did
some math on 100 million digit numbers, and ended up with 27,000
private keys. (That's 0.4% of SSL keys in current use.) We posted a
long
blog post summarizing our findings over at Freedom to Tinker."
So how do you go about matching one of the keys that you guessed and a specific users session? What's more, how do you do that before the key changes? I can guess a password is "fishmonkeywrinkles", but without a matching account that wont do much good.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"