RSA Denies X.509 Public Key Algorithm Weakness Is A Flaw

Security vendor RSA has denied there is a flaw with the algorithm for its X.509 public-key certificates, arguing that any problems stem from poor implementation of the technology.

The company issued its response to Swiss researchers who claimed a small number of RSA public encryption keys offered “no security at all”. The team is based at L’École Polytechnique Fédérale de Lausanne but was led by James Hughes, an independent cryptology expert based in Palo Alto, California, and Arjen Lenstra, a Dutch mathematician who teaches at the polytechnic.

A small number

The researchers analysed 7.1 million RSA encryption keys and found that 0.02 percent of them were improperly generated, suggesting that they could be cracked by relatively simple means and might already be compromised. Although only such a small number were found to be flawed, the researchers pointed out that this still means 12,000 keys could be a security risk.

These keys are used to encrypt everything from bank transfers to Gmail accounts and work by generating random prime numbers which pass through the encryption algorithm. Prime numbers are particularly hard for even a superfast processor to digest, and a hacker would have a difficult time trying to figure them out, but the problem relates to the fact that the numbers used “aren’t random enough”.

The researchers, who thankfully did not publish their methodology for hackers to use, said that a smart enough hacker would be able to detect the patterns behind the numbers.

Proper implementation

RSA responded by saying that the “exploding” number of Internet-connected devices was to blame and that the researchers’ findings pointed to the importance of proper implementation, rather than to a problem with the algorithm.

“We welcome this form of research into security technologies in general, as it contributes to better overall security for everyone,” said RSA, a division of EMC, in a statement. “The RSA algorithm has withstood such scrutiny for decades from multiple sources. But good cryptography, including RSA’s, depends on proper implementation.

“True random number generation underpins nearly all cryptographic algorithms and protocols, and must be performed with care to protect against the weakening of well-designed cryptography,” the company added.

Previous breaches

In January, 2010, security researchers were able to crack RSA’s 768-bit encryption, which is used to protect data in transit, while in March, 2011, the company acknowledged that it had been targeted by an “extremely sophisticated” attack that led to information about its SecurID two-factor authentication products being stolen.

It later blamed a “nation state” for the attacks and, in June last year, it offered to replace SecurID identification tokens for certain customers following the suspected use of SecurID data in an attack on US military contractor Lockheed Martin.

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.
