
2nd crypto vulnerability today: 1024- and 2048-bit RSA keys are factorizable - tdrnd
https://twitter.com/dangoodin001/status/919798487776034817
======
dang
Since there's no there there yet, and (as others pointed out) the title is
misleading, I have buried this submission.

On HN there's no harm in waiting until a thing actually happens. Matter of
fact it's preferable.

~~~
0x0
I don't know about that, I think getting an early warning that something might
affect "all" SSH keys or PGP keys or SSL certificates is quite useful even
though no specifics are out yet. It makes it easier to plan for an eventual
emergency re-keying effort this afternoon.

------
y7
Note the full tweet (that comes without any further info, so is this even
worth discussing right now?) says:

> A 2nd major crypto vulnerability being disclosed Monday involves millions of
> 1024- and 2048-bit RSA keys that are practically factorizable.

This doesn't mean all 1024- and 2048-bit RSA keys are vulnerable, just that
there is some collection of millions of them that are (e.g. due to bad
randomness re-using a lot of prime factors, see for example [1]).

1: [https://eprint.iacr.org/2016/515.pdf](https://eprint.iacr.org/2016/515.pdf)
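
The shared-factor scenario y7 describes above, as an added example that is not part of this thread or of the cited paper: Bernstein's batch-GCD check run over a constructed set of toy moduli. The primes here are tiny (around 10^6) and generated by trial division purely so the demo runs instantly; real keys would be 1024- or 2048-bit integers pulled out of your key inventory. Two of the four constructed "keys" were deliberately built from the same prime, which is exactly what a broken RNG produces, and the check recovers both of their factorizations. The function and variable names are my own.

```python
import math

# --- constructed demo "keys": tiny primes standing in for real RSA moduli ---
def small_prime_after(n):
    """Smallest prime greater than n, by trial division (demo-only; fine for ~10^6)."""
    c = n + 1
    while True:
        if all(c % d for d in range(2, math.isqrt(c) + 1)):
            return c
        c += 1

P_SHARED = small_prime_after(10**6)   # the prime a faulty RNG handed to two keys
Q1 = small_prime_after(P_SHARED)
Q2 = small_prime_after(Q1)
Q3 = small_prime_after(Q2)
Q4 = small_prime_after(Q3)
Q5 = small_prime_after(Q4)
Q6 = small_prime_after(Q5)

MODULI = [
    P_SHARED * Q1,   # key 0: shares P_SHARED with key 1
    P_SHARED * Q2,   # key 1
    Q3 * Q4,         # key 2: independent
    Q5 * Q6,         # key 3: independent
]


def product_tree(leaves):
    """Levels of a product tree, leaves first, root (the product of everything) last."""
    tree = [list(leaves)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([level[i] * level[i + 1] if i + 1 < len(level) else level[i]
                     for i in range(0, len(level), 2)])
    return tree


def batch_gcd(moduli):
    """For each N_i return gcd(N_i, product of all other moduli), in O(n log^2 n) bignum work.

    Uses the standard trick: walk a remainder tree down from P = prod(N_j), reducing
    mod N_i^2 at each node, so the leaf value is N_i * ((P / N_i) mod N_i)."""
    tree = product_tree(moduli)
    rems = tree.pop()                       # root level: [P]
    while tree:
        level = tree.pop()
        rems = [rems[i // 2] % (level[i] ** 2) for i in range(len(level))]
    return [math.gcd(r // n, n) for r, n in zip(rems, moduli)]


def find_shared_factors(moduli):
    """Map index -> (p, q) for every modulus that shares a prime with another one.

    A value of None means both primes of that modulus occur elsewhere (or the modulus
    is duplicated), so the gcd alone does not split it."""
    found = {}
    for i, (n, g) in enumerate(zip(moduli, batch_gcd(moduli))):
        if g == 1:
            continue                        # no factor in common with any other key
        if g == n:
            found[i] = None
            continue
        found[i] = tuple(sorted((g, n // g)))
    return found


if __name__ == "__main__":
    for idx, factors in find_shared_factors(MODULI).items():
        print(f"key {idx}: modulus {MODULI[idx]} is compromised, factors {factors}")
```

To run this against a real inventory, replace `MODULI` with the integer moduli of your keys (`openssl rsa -pubin -in pub.pem -noout -modulus` prints one in hex). Note what this does and does not catch: it finds keys that share a prime because the generator's randomness was bad, the class y7 is pointing at. A key that is weak because of a structural flaw in how its primes were chosen, which is what the Coppersmith-style attack quoted later in this thread exploits, has no factor in common with anything else and passes this check cleanly, so a clean batch-GCD result is not evidence that a key is safe.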

------
shpx
[https://arstechnica.com/information-technology/2017/10/crypt...](https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/)

"The flaw resides in the Infineon-developed RSA Library version v1.02.013,
specifically within an algorithm it implements for RSA primes generation. The
library allows people to generate keys with smartcards rather than with
general-purpose computers

...

While costs and times vary for each vulnerable key, the worst case for a
2048-bit one would require no more than 17 days and $40,300 using a
1,000-instance machine on Amazon Web Service and $76 and 45 minutes to
factorize an affected 1024-bit key. On average, it would require half the cost
and time to factorize the affected keys. All that's required is passing the
public key through an extension of what's known as Coppersmith's Attack."

------
detaro
The wording "millions of ..." makes it sound like a big key generation bug,
not a fundamental breakthrough in cracking all keys (like the HN submission
title suggests)?

------
kekebo
There's one article on Google News when searching for RSA:

[https://www.bleepingcomputer.com/news/security/tpm-chipsets-...](https://www.bleepingcomputer.com/news/security/tpm-chipsets-generate-insecure-rsa-keys-multiple-vendors-affected/)

------
raverbashing
Wonder if they were generated with a deficient method or it is a family that
can be more easily factorized

------
ch0wn
Here is some information about affected Yubikeys:
[https://www.yubico.com/keycheck/](https://www.yubico.com/keycheck/)

------
julian_1
What does, "practically factorizable" mean?

~~~
dogma1138
That it’s feasible to factorize those keys with current computational capacity.

------
0x0
So do we have to rotate all SSH keys today as well?

~~~
majewsky
I don't know about you, but I changed to 4096-bit RSA keys a few years ago.
[1] Depending on the content of the advisory, this may very well be the day to
switch to Ed25519 keys.

[1] To be precise, during the 31C3, in the presentation about the Snowden
revelations where they listed all protocols and key sizes that are to be
considered compromised. RSA-2048 was not on that list as far as I remember,
but too close for my peace of mind.

------
chowyuncat
Are any Nitrokey products affected?

