
About the supposed factoring of a 4096 bit RSA key - hachiya
https://blog.hboeck.de/archives/872-About-the-supposed-factoring-of-a-4096-bit-RSA-key.html
======
diafygi
It is highly likely that this is the work of a troll.

The RSA subkey that was factored has an invalid self-signature in hpa's public
key[1], which means that it wasn't really hpa who added the subkey. Since the
sks-keyserver pool doesn't verify signatures[2], anyone could have inserted
that subkey. So anyone could have purposefully picked an exploitable RSA
subkey, added a fake signature to it, and uploaded it to the sks-keyserver
pool.

Luckily, GPG will drop the subkey when retrieving hpa's public key since it
doesn't have a valid self-signature. But for anyone scanning all the public
keys without verifying signatures (for research, etc.), this key might get
recognized and cause a shitstorm. Which is exactly what has happened.

So far, there's no evidence that there is a conspiracy to weaken RSA keys.
There is only evidence that someone inserted a bogus subkey into hpa's public
key. There will be evidence of a conspiracy if we find a weak RSA key in the
strongset that has a valid self-signature.

[1]: https://gist.github.com/anonymous/ba23ca66d2ca249e6f84#file-hpa-pub-json-L490

[2]: https://lists.gnupg.org/pipermail/gnupg-devel/2015-March/029606.html

------
lawnchair_larry
I feel like everyone is being quick to write this off as "some random,
harmless error", probably because the focus is that RSA is not broken, rather
than asking what this was really about.

_"The only case where this could matter would be a broken implementation of
the OpenPGP key protocol that does not check if subkeys really belong to a
master key."_

I'd be curious to explore that further.

This kernel developer has been targeted in the past:

http://arstechnica.com/security/2013/09/who-rooted-kernel-org-servers-two-years-ago-how-did-it-happen-and-why/

_"During that time, attackers were able to monitor the activities of anyone
using the kernel.org servers known as Hera and Odin1, as well as personal
computers belonging to senior Linux developer H. Peter Anvin. The
self-injecting rootkit known as Phalanx had access to a wealth of sensitive
data, possibly including private keys used to sign and decrypt e-mails and
remotely log in to servers. A follow-up advisory a few weeks later opened the
possibility that still other developers may have fallen prey to the
attackers."_

Edit: The key in question was created _the day before_ this post by HPA
regarding the compromise:

[https://lwn.net/Articles/460376/](https://lwn.net/Articles/460376/)

~~~
tedunangst
If I wanted to poison HPA with a fake key, why would I create a degenerate
one? A fake key with strong factors would have gone unnoticed, at least by
this analysis.

------
acqq
For anybody who wants to think about how such entry happened, it seems that
the difference among the two presented numbers is in exactly 32 bytes (256
bits):


          913ff626efddfb f8ae8f1d40da8d13 a90138686884bad1
        9db776bb4812f7e3 b2

          c37b8cca2eb4ac 1e889d1027bc1ed6 664f3877cd7052c6
        db5567a3365cf7e2 c6

starting from the 162nd byte if I counted correctly, which means the first 5 *
32+1 (or 2 * 80+1) bytes are the same, then 32 bytes differ.

(The "easily factorable" number has two bytes which are represented as "bad1"
in hex).

But thinking about the 256 bits, that's exactly the size of a block on which a
typical symmetrical cypher can operate, which suggests some kind of a bug,
although the offset of 161 byte is a bit strange.

The human would probably just change a few bits to achieve the same effect,
not 256, unless he wanted to encode some message, and it doesn't look so. But
see also the post of lawnchair_larry here.

~~~
userbinator
Is there any sort of statistical analyses which could give some idea of
whether those bits were generated randomly, by a human, or perhaps came from
some other key?

~~~
acqq
They are just 256 bits. And if they come from a cypher they certainly can't be
distinguished from the pure random bits or from the bits from any other key.

But if they come from some other key unmodified it would be possible to scan
for the match, and it's a fast operation, as soon as we have the keys in which
we'd like to search.

~~~
userbinator
I was wondering about the possibility of distinguishing between a human
opening a keyfile (I believe they are encoded in base64?) and manually
overwriting pieces of it with random rubbish, or something else; humans make
very poor RNGs, as anyone who has tried "randomly" mashing a keyboard will
notice.

------
Dylan16807
Or the much simpler counter, anything with a factor of three ain't a 'real'
4096 bit RSA key. Even if it was in use, it would say nothing about RSA.
Referring to it as a "4096 bit RSA key" is a red herring.

~~~
logicallee
Also if your modulus ends in A, C, or E you should probably ask for your money
back.

------
undata
[https://news.ycombinator.com/item?id=9560790](https://news.ycombinator.com/item?id=9560790)

------
timothya
Meanwhile, on the original post, the author is acting like HN was tampering
with the ranking of the article because it started doing poorly after people
realized that a real key wasn't factored:

> _"Update II: Amusingly enough, it seems Hacker News hand-diddled their
> story list to remove this discussion. Way to go Ydumbinator crew!"_ [0]

[0]: http://trilema.com/2015/full-disclosure-4096-rsa-key-in-the-strongset-factored/

~~~
Adlai
It's worth noting that HN does adjust article rankings:

http://www.righto.com/2013/11/how-hacker-news-ranking-really-works.html

Compare the gradual slide from the peak of other articles from the same time
as the one in question:

http://hnrankings.info/9560839,9561606,9561693,9561599,9561920,9560426,9560904,9560790,9561920/

Moderated forums aren't censored, but they do get... moderated. What else did
you expect?

~~~
Dylan16807
Sometimes moderation steps in, but that's not needed most of the time when
user flagging exists.

