About the supposed factoring of a 4096 bit RSA key (hboeck.de)
231 points by hachiya on May 17, 2015 | 33 comments

It is highly likely that this is the work of a troll.

The RSA subkey that was factored has an invalid self-signature in hpa's public key[1], which means that it wasn't really hpa who added the subkey. Since the sks-keyserver pool doesn't verify signatures[2], anyone could have inserted that subkey. So anyone could have purposefully picked an exploitable RSA subkey, added a fake signature to it, and uploaded it to the sks-keyserver pool.

Luckily, GPG will drop the subkey when retrieving hpa's public key since it doesn't have a valid self-signature. But for anyone scanning all the public keys without verifying signatures (for research, etc.), this key might get recognized and cause a shitstorm. Which is exactly what has happened.

So far, there's no evidence that there is a conspiracy to weaken RSA keys. There is only evidence that someone inserted a bogus subkey into hpa's public key. There will be evidence of a conspiracy if we find a weak RSA key in the strongset that has a valid self-signature.

[1]: https://gist.github.com/anonymous/ba23ca66d2ca249e6f84#file-...

[2]: https://lists.gnupg.org/pipermail/gnupg-devel/2015-March/029...

I feel like everyone is being quick to write this off as "some random, harmless error", probably because the focus is that RSA is not broken, rather than asking what this was really about.

"The only case where this could matter would be a broken implementation of the OpenPGP key protocol that does not check if subkeys really belong to a master key."

I'd be curious to explore that further.

This kernel developer has been targeted in the past:


"During that time, attackers were able to monitor the activities of anyone using the kernel.org servers known as Hera and Odin1, as well as personal computers belonging to senior Linux developer H. Peter Anvin. The self-injecting rootkit known as Phalanx had access to a wealth of sensitive data, possibly including private keys used to sign and decrypt e-mails and remotely log in to servers. A follow-up advisory a few weeks later opened the possibility that still other developers may have fallen prey to the attackers."

Edit: The key in question was created the day before this post by HPA regarding the compromise:


I've been fighting the fight to be more proactive about signature verification, but there's little interest in changing the status quo.

Relevant GPG thread: https://lists.gnupg.org/pipermail/gnupg-users/2015-May/05354...

Relevant SKS thread: https://lists.nongnu.org/archive/html/sks-devel/2015-05/msg0...

If I wanted to poison HPA with a fake key, why would I create a degenerate one? A fake key with strong factors would have gone unnoticed, at least by this analysis.

At first glance, I thought the keys were the same. I'm undecided if this was deliberate or unintentional. If this was unintentional, perhaps by corruption, how likely would the result generate such an easily factorable key?

Random errors likely generate easily factorable keys. Each prime removes 1/N numbers. So 2 removes 1/2 of possible numbers. 3 removes 1/3 of the remaining possible numbers etc. Just 2, 3, 5, 7, 11, 13 remove 80% of possible random numbers.

For anybody who wants to think about how such an entry happened, it seems that the difference between the two presented numbers is in exactly 32 bytes (256 bits):

      913ff626efddfb f8ae8f1d40da8d13 a90138686884bad1
    9db776bb4812f7e3 b2

      c37b8cca2eb4ac 1e889d1027bc1ed6 664f3877cd7052c6
    db5567a3365cf7e2 c6

starting from the 162nd byte if I counted correctly, which means the first 5 * 32+1 (or 2 * 80+1) bytes are the same, then 32 bytes differ.

(The "easily factorable" number has two bytes which are represented as "bad1" in hex).

But thinking about the 256 bits, that's exactly the size of a block on which a typical symmetrical cypher can operate, which suggests some kind of a bug, although the offset of 161 bytes is a bit strange.

The human would probably just change a few bits to achieve the same effect, not 256, unless he wanted to encode some message, and it doesn't look so. But see also the post of lawnchair_larry here.
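
Added example, not part of any comment in this thread: a Python sketch that puts the two preceding comments together by overwriting 32 bytes at offset 161 of a 512-byte value, recovering that span with a byte diff, and measuring how often the damaged value has a prime factor up to 13. The inputs are constructed random odd integers standing in for moduli (not real RSA keys), and all function names are illustrative.

```python
import random
from fractions import Fraction

SMALL_PRIMES = (2, 3, 5, 7, 11, 13)
KEY_BYTES, OFFSET, SPAN = 512, 161, 32  # 4096-bit value; offset/length from the comment


def density_with_factor(primes):
    """Exact fraction of integers divisible by at least one of `primes`."""
    miss = Fraction(1)
    for p in primes:
        miss *= Fraction(p - 1, p)
    return 1 - miss


def small_factors(n, primes=SMALL_PRIMES):
    """Trial division: the cheap check a key scanner runs before anything costlier."""
    return [p for p in primes if n % p == 0]


def corrupt(buf, rng, offset=OFFSET, span=SPAN):
    """Overwrite `span` bytes at `offset` with random bytes (stand-in for the damage)."""
    junk = bytes(rng.getrandbits(8) for _ in range(span))
    return buf[:offset] + junk + buf[offset + span:]


def differing_span(a, b):
    """Return (first_offset, length) of the region where two equal-length buffers differ."""
    idx = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (idx[0], idx[-1] - idx[0] + 1) if idx else None


def simulate(trials=2000, seed=2015):
    """Fraction of damaged stand-in moduli that have a prime factor <= 13."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        # Constructed stand-in: 512 random bytes, top bit set, low bit set (odd).
        raw = bytearray(rng.getrandbits(8) for _ in range(KEY_BYTES))
        raw[0] |= 0x80
        raw[-1] |= 0x01
        damaged = corrupt(bytes(raw), rng)
        hits += bool(small_factors(int.from_bytes(damaged, "big")))
    return hits / trials


if __name__ == "__main__":
    print(float(density_with_factor(SMALL_PRIMES)), float(density_with_factor(SMALL_PRIMES[1:])))
    print(simulate())
```

Damage confined to the middle of the value leaves the last byte, and so the parity, unchanged, so the simulated rate tracks the odd-only density (617/1001, about 62%) rather than the density over all integers (809/1001, about 81%).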

The 161 bytes offset might be explained by corruption in an encoded version of the key. 161 bytes in binary data would be ~ 216 chars in base64. With an (unusual) line length of 72 the corruption would start exactly at the 4th line.

But: Mail clients should use 78 chars per text line, and GPG encodes base64 in lines of 64 chars length, so ignore my theory ;-).

Is there any sort of statistical analysis which could give some idea of whether those bits were generated randomly, by a human, or perhaps came from some other key?

They are just 256 bits. And if they come from a cypher they certainly can't be distinguished from the pure random bits or from the bits from any other key.

But if they come from some other key unmodified it would be possible to scan for the match, and it's a fast operation, as soon as we have the keys in which we'd like to search.

I was wondering about the possibility of distinguishing between a human opening a keyfile (I believe they are encoded in base64?) and manually overwriting pieces of it with random rubbish, or something else; humans make very poor RNGs, as anyone who has tried "randomly" mashing a keyboard will notice.

Why the fuck would this be downvoted? You people sometimes...

Edit: further contributing to the discussion, more anonymous downvotes. Great.

Please resist complaining about downvotes, as the site guidelines ask. Most unfairly downvoted comments get corrective upvotes after a while—that's what happened in the GP's case. Comments like this one, though, just add noise.

Fair enough. Apologies.

Or the much simpler counter, anything with a factor of three ain't a 'real' 4096 bit RSA key. Even if it was in use, it would say nothing about RSA. Referring to it as a "4096 bit RSA key" is a red herring.

Also if your modulus ends in A, C, or E you should probably ask for your money back.

It probably also doesn't help that most of the math fails when one of the factors used to generate the key is composite.

Meanwhile, on the original post, the author is acting like HN was tampering with the ranking of the article because it started doing poorly after people realized that a real key wasn't factored:

> "Update II : Amusingly enough, it seems Hacker News hand-diddled their story list to remove this discussion. Way to go Ydumbinator crew!" [0]

[0]: http://trilema.com/2015/full-disclosure-4096-rsa-key-in-the-...

It's worth noting that HN does adjust article rankings:


Compare the gradual slide from the peak of other articles from the same time as the one in question:


Moderated forums aren't censored, but they do get... moderated. What else did you expect?

Sometimes moderation steps in, but that's not needed most of the time when user flagging exists.

That's pretty much typical of Mircea Popescu.

Does he have any claim to fame beyond very elaborate trolling? I've been trying to figure out what's up with him recently.

Popescu is waging a pathetic little personal war against FetLife [1]. He's a textbook example of a self-deluded crypto-narcissist who, if there's any justice on this earth, will see his comeuppance. People like him always do.

[1] He's been scraping the profiles of young women (specifically) and posting links, names, and hometowns on his blog. Yes, as technologists, we know that this kind of indexing is trivial. That's no reason, as a decent human being, to terrorize innocent people.


Most of the publicly known early adopters don't spend as much (or any) time trolling about (and getting trolled) on IRC.


Possibly some people have been exposed to mircea through hearing about his insane quotes such as:

  The most you can do, after having been educated/raped, is picking the what and the how for other, later, virgins.

Or they have read his Guide To Beating Women blog post:


Or perhaps they have read how his site for betting with bitcoin screwed someone over for about $7,000 in bitcoin:


Do we know how much he's actually worth?

His >50% MPOE[1] stake is at least 1.4 million coins (valuated by the last trade).

If you're skeptical of numbers on webpages (cf. "EmptyGox"), MPEx's trivially traceable addresses[2] currently contain around five thousand coins; tracking down the rest is left as an exercise for the skeptical sleuth.

[1] http://mpex.ws/?mpsic=S.MPOE

[2] https://www.walletexplorer.com/wallet/MPEx.co

Maybe I'm reading it wrong but according to that there is ~10m shares outstanding at a price of 0.00028btc per share. Doesn't that make it worth around 2800 btc not 2.8m?

We're both wrong. One billion shares, half of which he can't sell:

  CL-USER> (* 1/2 (expt 10 9)
              (parse-float "0.00029087" :type 'rational))

Oh, and who the hell is paying 50 btc to open an account at mpex?




Please don't respond to trolls, and especially not by inflaming the thread further.

Instead, please flag trolls' comments by clicking on the timestamp to go to the comment's page, then clicking 'flag'.
