[ISN] Putting to Rest RSA Key Security Worries
By Eric Chabrow
Bank Info Security
February 20, 2012
IT security practitioners who employ RSA public-private key
cryptography needn't lose sleep about its efficacy, despite new research
that raises questions on how it creates large prime numbers to generate
secret keys, IT security authority Gene Spafford says.
Information Security Media Group asked the Purdue University computer
science professor to look at a research paper entitled "Ron was Wrong,
Whit was Right," which concludes that the way the RSA algorithm generates
random numbers to be used in encryption keys could, in rare instances,
make a secret number public. And, that could create a potential
vulnerability that hackers might exploit, the researchers say [see When
99.8% Security May Not Be Sufficient]. We also asked Spafford to
critique a response to the paper from RSA Chief Technologist Sam Curry,
who maintains the problem isn't with the algorithm but how organizations
employ RSA public-key cryptography [see How Encrypted Keys Can Leave Bad
Spafford, in an interview with ISMG, says the exposed keys aren't the
type that would be used by businesses such as financial institutions
that conduct sensitive transactions on the Internet.
What apparently happened is that some smaller organizations created
their own Secure Sockets Layer public-private key set using software to
generate random numbers, Spafford says. The smaller organizations may
have used a small set of seed values that would generate the same set of
large prime numbers, he says.
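
The effect Spafford describes can be checked for in a key inventory. The following is an added example, not code from the article or the research paper: a constructed weak generator whose first prime depends only on a small seed, and an audit that flags public moduli that are identical or share a prime. The toy 128-bit moduli, the late_entropy parameter and all function names are assumptions made for illustration.

```python
import random
from itertools import combinations
from math import gcd

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin; these bases give a deterministic answer for n < 2**64."""
    for p in _BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def next_prime(rng, bits=64):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # full size, odd
        if is_prime(c):
            return c

def weak_modulus(seed, late_entropy=None):
    """Constructed weak generator: p is fully determined by a small seed."""
    rng = random.Random(seed)
    p = next_prime(rng)
    if late_entropy is not None:  # hypothetical: randomness arriving before q
        rng = random.Random(late_entropy)
    return p * next_prime(rng)

def audit(moduli):
    """Flag pairs of public moduli that are identical or share a prime."""
    pairs = combinations(enumerate(moduli), 2)
    return [(i, j, "duplicate" if a == b else "shared-prime")
            for (i, a), (j, b) in pairs if gcd(a, b) > 1]

# Constructed inventory: seeds 1 and 2 are each reused by two hosts.
INVENTORY = [weak_modulus(1), weak_modulus(2), weak_modulus(1),
             weak_modulus(2, late_entropy=1001), weak_modulus(3, late_entropy=1002)]
```

Any pair the audit flags should be regenerated on a host with a properly seeded random number generator; distinct seeds produce no findings.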