[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] Putting to Rest RSA Key Security Worries


By Eric Chabrow
Bank Info Security
February 20, 2012

IT security practitioners who employ the RSA public-private key cryptography needn't lose sleep about its efficacy, despite new research that raises questions on how it creates large prime numbers to generate secret keys. IT security authority Gene Spafford says.

Information Security Media Group asked the Purdue University computer science professor to look at a research paper entitled Ron was Wrong, Whit was Right, which concludes the way the RSA algorithm generates random numbers to be used in encryption keys could, in rare instances, make a secret number public. And, that could create a potential vulnerability that hackers might exploit, the researchers say [see When 99.8% Security May Not Be Sufficient]. We also asked Spafford to critique a response to the paper from RSA Chief Technologist Sam Curry, who maintains the problem isn't with the algorithm but how organizations employ RSA public-key cryptography [see How Encrypted Keys Can Leave Bad Taste].

Spafford, in an interview with ISMG, says the exposed keys aren't the type that would be used by businesses such as financial institutions that conduct sensitive transactions on the Internet.

What apparently happened is that some smaller organizations created their own Secure-Socket-Layer public-private-key set using software to generate random numbers, Spafford says. The smaller organizations may have used a small set of seed values that would generate the same set of large prime numbers, he says.


Learn how to be a Pen Tester or a CISSP with Expanding Security online. Get
a free class invitation and see how good and fun the program really is.