Crypto Keys At Risk

More than 15 percent of all of the SSL servers in the U.S. are using unnecessarily short RSA keys that are in danger of comprise, potentially threatening all of the data flowing to and from those servers

More than 15 percent of all of the SSL servers in the U.S. are using unnecessarily short RSA keys that are in danger of comprise, potentially threatening all of the data flowing to and from those servers, according to a new white paper due to be published next week.

The paper, written by Nicko van Someren, CTO of nCipher Corp., a security equipment vendor based in Cambridge, England, includes an analysis of a survey of 137,000 SSL servers done by Netcraft Ltd. The data show that of the more than 84,000 servers in the U.S. that support Secure Socket Layer (SSL) encryption, 15.1 percent use RSA keys shorter than 900 bits, and 84.3 percent use keys between 900 and 1250 bits.

The paper also discloses that, as first reported by eWEEK last month, a student researcher at nCipher recently developed a new implementation of a factoring method known as the General Number Field Sieve, or GNFS, which could be used to factor a 512-bit key in about three weeks using an off-the-shelf server with an Intel Corp. Itanium processor. The calculations the student performed using the server are the second phase of the GNFS method.

Previously, this process was thought to be feasible only on much more powerful computers, such as Cray supercomputers.

"So the breaking of 512-bit RSA is easily within reach of any mathematically adept individual with access to the level of computing resources available in most medium-sized businesses," van Someren wrote. "This does not represent a very high barrier for a determined attacker."

Much of the reason that many sites continue to use short keys has to do with the history of SSL itself. When Netscape Corp. developed the protocol in the mid-1990s, the U.S. government decreed that it could only be sold overseas if it used keys of 512 bits or less. The government has since relaxed those restrictions, but many sites have stuck with their original certificates rather than upgrading.

"Its so easy to fix," said van Someren. "I think its just inertia. Part of it is that browsers will show the length of the symmetric key [used during the key-exchange process], but dont say anything about the RSA key, so people have no idea."

SSL is the de facto standard protocol used to encrypt data going to and from Web sites, typically for financial transactions on e-commerce sites. Support for the protocol is built into every commercial Web browser and virtually every Web site that accepts payment electronically uses SSL.

SSL uses RSA keys both for authentication of the server to the client and to encrypt the traffic between the two parties. Thus, if the RSA key is ever compromised, an attacker would not only be able to impersonate the trusted Web site, but he would also be able to decrypt any traffic that he could intercept going to or from the site.

"Its potentially a very significant problem," van Someren said. "Its a passive attack. It doesnt require me to inject anything into your traffic. I think [the short keys] are giving people a false sense of security, which in a sense is worse than no security."

The U.S. is by no means the worst offender among industrialized nations, however. According to the Netcraft data, 40 percent of Israels 112 SSL servers use short keys, and more than 49 percent of Taiwans 176 secure servers have keys smaller than 900 bits.

Other cryptographers say van Somerens paper should serve as a wakeup call about the true level of security at e-commerce sites.

"Ever since the first 512-bit number was factored, people have been saying that 512-bit RSA was insecure," said William Whyte, director of cryptographic research and development at Ntru Cryptosystems Inc., based in Burlington, Mass. "Sometimes it takes something like this to remind people."