Lousy Random Numbers Cause Insecure Public Keys
There's some excellent research (paper, news articles) surveying public keys in the wild. Basically, the researchers found that a small fraction of them (27,000 out of 7.1 million, or 0.38%) share a common factor and are inherently weak. The researchers can break those public keys, and anyone who duplicates their research can as well.

The cause of this is almost certainly a lousy random number generator used to create those public keys in the first place.

This shouldn't come as a surprise. One of the hardest parts of cryptography is random number generation. It's really easy to write a lousy random number generator, and it's not at all obvious that it is lousy. Randomness is a non-functional requirement, and unless you specifically test for it -- and know how to test for it -- you're going to think your cryptosystem is working just fine. (One of the reporters who called me about this story said that the researchers told him about a real-world random number generator that produced just seven different random numbers.) So it's likely these weak keys are accidental.

It's certainly possible, though, that some random number generators have been deliberately weakened. The obvious culprits are national intelligence services like the NSA. I have no evidence that this happened, but if I were in charge of weakening cryptosystems in the real world, the first thing I would target is random number generators. They're easy to weaken, and it's hard to detect that you've done anything. Much safer than tweaking the algorithms, which can be tested against known test vectors and alternate implementations. But again, I'm just speculating here.

What is the security risk? There's some, but it's hard to know how much. We can assume that the bad guys can replicate this experiment and find the weak keys. But they're random, so it's hard to know how to monetize this attack. Maybe the bad guys will get lucky and one of the weak keys will lead to some obvious way to steal money, or trade secrets, or national intelligence....
Source: Schneier on Security - Thursday, 16 February
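The shared-factor weakness described above, as an added illustration that is not code from the original post or from the cited research: a toy key generator driven by a constructed "random" source with only seven reachable states hands the same prime to several keys, and a pairwise gcd over the resulting moduli (the check the researchers ran at scale) flags and factors the affected pairs, while the same audit over keys drawn from the operating system's randomness finds nothing. The class names, the 40-bit toy key size, the generator's update rule and the helper functions are all assumptions made here for the example.

```python
"""Audit a set of RSA public moduli for shared prime factors.

Added example (not from the original post or the cited paper). A key
generator whose randomness collapses to a handful of values will hand the
same prime to more than one key; gcd over pairs of moduli exposes it.
"""
import math
from itertools import combinations
from random import SystemRandom


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with a fixed base set (deterministic for n < 3.3e24)."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for p in small:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(start: int) -> int:
    """Smallest prime >= start (start is forced odd first)."""
    n = start | 1
    while not is_probable_prime(n):
        n += 2
    return n


class SevenValueRng:
    """Constructed 'lousy' generator: state advances as x -> (x + 3) mod 7,
    so it can only ever emit seven distinct values (compare the real-world
    seven-output generator mentioned in the post)."""

    def __init__(self, seed: int = 0):
        self.state = seed % 7

    def candidate(self, bits: int) -> int:
        self.state = (self.state + 3) % 7
        # Spread the seven states across the top of the candidate range so
        # each state maps to a distinct prime after next_prime().
        return (1 << (bits - 1)) + (self.state << (bits - 4))


class GoodRng:
    """OS-backed randomness (SystemRandom reads os.urandom underneath)."""

    def __init__(self):
        self.rng = SystemRandom()

    def candidate(self, bits: int) -> int:
        return self.rng.getrandbits(bits) | (1 << (bits - 1))


def generate_modulus(rng, bits: int = 40) -> int:
    """Toy RSA modulus n = p*q from two `bits`-bit primes. Far too small for
    real use; sized so the example runs instantly."""
    p = next_prime(rng.candidate(bits))
    q = next_prime(rng.candidate(bits))
    while q == p:  # a weak generator may repeat itself immediately
        q = next_prime(rng.candidate(bits))
    return p * q


def find_shared_factors(moduli):
    """Pairwise gcd audit. Returns (i, j, g) for every pair with gcd g > 1.
    g < n means the pair shares exactly one prime (both keys now factor);
    g == n means the two keys are identical."""
    hits = []
    for (i, ni), (j, nj) in combinations(enumerate(moduli), 2):
        g = math.gcd(ni, nj)
        if g != 1:
            hits.append((i, j, g))
    return hits


def factor_from_hit(n: int, p: int):
    """Given a shared prime p of modulus n, return the full factorisation."""
    return p, n // p


def weak_key_audit(count: int = 5):
    """Generate `count` keys from one shared seven-state source and audit."""
    rng = SevenValueRng()
    moduli = [generate_modulus(rng) for _ in range(count)]
    return moduli, find_shared_factors(moduli)


def good_key_audit(count: int = 5):
    """Same audit over keys whose primes came from OS randomness."""
    rng = GoodRng()
    moduli = [generate_modulus(rng) for _ in range(count)]
    return moduli, find_shared_factors(moduli)


if __name__ == "__main__":
    moduli, hits = weak_key_audit()
    for i, j, g in hits:
        print(f"keys {i} and {j} share prime {g}: key {i} = {factor_from_hit(moduli[i], g)}")
    _, good_hits = good_key_audit()
    print("shared factors among OS-random keys:", good_hits)
```

Five keys from the seven-state source produce ten prime draws, so collisions are unavoidable and the audit factors three of the five keys outright; the keys built on `SystemRandom` survive the same check. Pairwise gcd is quadratic in the number of keys, so an audit over a large certificate inventory uses a batch gcd (product tree) instead, but the test itself is the same.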