
The Million-Key Question: Investigating the Origins of RSA Public Keys - dc352
https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/svenda
======
dc352
A short discussion on my blog: [https://www.dancvrcek.com/re-investigating-the-origins-of-rs...](https://www.dancvrcek.com/re-investigating-the-origins-of-rsa-public-keys/)

~~~
tptacek
It seems pretty unlikely that we're ever going to uncover a practical
vulnerability owing to the observations of this paper.

~~~
acqq
Yes, from what I've read, the researchers discovered that the PGP keys were
made by the PGP software and so on.

~~~
schoen
This kind of inference can be interesting, because occasionally people try to
convert a private key from one type to another; for example, there are scripts
to convert a private key between PEM, OpenSSH, and GPG formats so that you can
re-use it for different applications. (One application for this is to use GPG
signatures on public keys to authenticate users and/or servers in SSH.)

So this research might allow someone who didn't already know to recognize more
about where a key came from.

------
misterrobot
"Although RSA factorization is considered to be an NP-hard problem if keys
that fulfil the above conditions are used..."

Isn't this incorrect? The implication would be that quantum computers could
solve NP-Complete problems in polynomial time.

~~~
petrs
Yes, this is an incorrect statement, sorry. It sneaked in there after edits by
a proofreading service, but that is no excuse for us. It should be just NP. (I'm
one of the authors of the paper.)

~~~
misterrobot
Please don't apologize, this is an excellent paper! In retrospect I feel a
little bad for nitpicking, honestly -- it's a really fascinating read :)

------
petrs
You may also try an online tool that classifies keys based on the results from
the paper: [http://crcs.cz/rsapp/](http://crcs.cz/rsapp/) Just insert an encoded
certificate or the URL of an HTTPS server and let the tool tell you which library
generated the key(s).

If you provide 5 keys all generated by the same library, the correct
library should be within the top three most probable sources with high (>95%)
probability.

(if not, please submit feedback :))
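
The following is an added example, not the authors' classifier or the code behind the crcs.cz tool. It shows the mechanism behind the thread: a library's prime-generation habits leave statistical marks on the public modulus alone, and summing the evidence over a batch of keys from one source makes the source identifiable. The three "libraries" are hypothetical strategies constructed for this illustration (forcing the top one or two bits of each prime, and one that additionally only accepts primes congruent to 2 mod 3); they are not the behaviour of any named product. The feature set (top nibble of the modulus, modulus mod 3) and the naive Bayes scoring with add-one smoothing are simplifications assumed here, and the toy 64-bit primes keep it fast enough to run offline.

```python
"""Added example: fingerprinting the generator of an RSA modulus from the
public modulus alone. The three "libraries" are hypothetical strategies
constructed for this example, not the behaviour of any real product."""
import math
import random
from collections import Counter

PRIME_BITS = 64                  # toy size; real keys use 1024-bit-plus primes
MODULUS_BITS = 2 * PRIME_BITS
SMALL_PRIMES = [p for p in range(3, 200)
                if all(p % d for d in range(2, int(p ** 0.5) + 1))]

# name -> (bit pattern forced at the top of each prime, required p mod 3 or None)
LIBRARIES = {
    "top-two-bits":      (0b11, None),  # n always full length; top nibble 9..15
    "top-bit-only":      (0b1, None),   # n may be a bit short; top nibble 4..15
    "top-two-bits-2mod3": (0b11, 2),    # hypothetical quirk: p,q = 2 (mod 3)
}                                       # so n = 1 (mod 3) for every key


def is_probable_prime(n, rng, rounds=8):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    if n == 2:
        return True
    if n % 2 == 0:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(rng, top_bits, mod3_class=None):
    """Random PRIME_BITS-bit prime with the leading bits forced to top_bits and,
    if mod3_class is given, only primes congruent to it mod 3 (the quirk)."""
    width = top_bits.bit_length()
    while True:
        cand = rng.getrandbits(PRIME_BITS - width) | (top_bits << (PRIME_BITS - width)) | 1
        if mod3_class is not None and cand % 3 != mod3_class:
            continue
        if is_probable_prime(cand, rng):
            return cand


def gen_modulus(rng, library):
    top, m3 = LIBRARIES[library]
    return gen_prime(rng, top, m3) * gen_prime(rng, top, m3)


def sample_keys(library, count, seed):
    """Deterministic batch of moduli from one hypothetical library."""
    rng = random.Random(seed)
    return [gen_modulus(rng, library) for _ in range(count)]


def features(n):
    """Features visible in the public key: top nibble of the MODULUS_BITS-wide
    modulus (leading-zero bits count) and the modulus mod 3."""
    return (n >> (MODULUS_BITS - 4), n % 3)


def train(samples):
    """samples: {library: [modulus, ...]} -> {library: {feature: log-prob}}
    with add-one smoothing over the 16 * 3 possible feature values."""
    cells = [(hi, lo) for hi in range(16) for lo in range(3)]
    model = {}
    for lib, mods in samples.items():
        counts = Counter(features(n) for n in mods)
        total = len(mods) + len(cells)
        model[lib] = {f: math.log((counts[f] + 1) / total) for f in cells}
    return model


def rank(model, moduli):
    """Treat the batch as coming from one source: score each library by the
    summed log-likelihood of all keys and return the most likely source first."""
    scores = {lib: sum(table[features(n)] for n in moduli)
              for lib, table in model.items()}
    return sorted(scores, key=scores.get, reverse=True)


def demo(seed=1, train_per_lib=300, batch=25):
    """Train on keys from each library, then attribute a fresh batch from each;
    returns {true library: ranking}."""
    rng = random.Random(seed)
    samples = {lib: [gen_modulus(rng, lib) for _ in range(train_per_lib)]
               for lib in LIBRARIES}
    model = train(samples)
    return {lib: rank(model, [gen_modulus(rng, lib) for _ in range(batch)])
            for lib in LIBRARIES}


if __name__ == "__main__":
    for true_lib, ranking in demo().items():
        print(f"{true_lib:20s} -> ranked {ranking}")
```

Two things to notice when running it. A single key from "top-two-bits" and from "top-two-bits-2mod3" can look identical, so one key rarely settles the source; the batch scoring is what separates them, which is why the tool above asks for several keys from the same library. And none of this touches the private key: the signal is entirely in the distribution of public moduli, so it is an attribution aid rather than a weakness in the keys themselves.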

------
lisper
This is just one of many reasons one should switch from RSA to ECC.

~~~
dc352
I'm not saying switching is a bad idea, but I'm not sure it would prevent this
kind of attack :)

~~~
tptacek
The secret scalar in ECDH doesn't need to be prime; it's just a random number.

~~~
dc352
ECDH doesn't give you authenticity, i.e., you can't get a certificate for
that.

When you look at ways to generate ECC keys, there are classes of vulnerable
numbers for which you need to test.

~~~
tptacek
Could you be more specific about the "vulnerable numbers" we're talking about?
The curve base point is a parameter for ECDSA as well.

I agree that any protocol that required you to generate curves or even base
points on the fly would have similar concerns, but we generally don't use
those kinds of protocols.

~~~
dc352
My err - rubbish wording as I was thinking primes and talking curves.

Still, while I'm punching here a wee bit above my weight - I should read the
186-4 again - there are some tests to verify the strength of the prime. Is it
enough for a similar classification? - I don't know...

~~~
tptacek
The prime field is part of the definition of the curve. Everyone
interoperating on that curve shares it. It may have been generated weirdly ---
the Curve25519 prime sure was! --- but all that tells you is what curve
they're using.

It's true that the particular curves a system supports could be a kind of
fingerprint, but that's a banal observation, equally true of the ciphers they
support, or the compression algorithms.

~~~
dc352
My last comment was towards key generation, not curves. But as I said, I am
not in a position to say what the impact is.

~~~
tptacek
Sorry, I don't follow. Are you talking about key generation in ECC systems?
There's no prime involved there.

------
PhantomGremlin
Oh, to be a fly on the wall at Fort Meade.

Given the thousands of employees the NSA has working on all aspects of
cryptography, there must be countless examples of this type of investigation.
It's integral to traffic analysis and to fingerprinting of cryptosystems.

At least I hope that the NSA does lots of stuff like this. Because if they
don't, what does that leave them doing? If the NSA is simply _evil_ and/or
_incompetent_, that's not enough ROI for the US taxpayers.

Unfortunately, NSA work probably remains highly classified for so long that an
ex employee would never be able to write about it in technical detail. But I
could be wrong? Are there any Inside Baseball books out there revealing the
inner workings of NSA spooks?

