Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Latest News
    • Networking

    Crypto Keys At Risk

    By
    Dennis Fisher
    -
    April 5, 2002
    Share
    Facebook
    Twitter
    Linkedin

      More than 15 percent of all of the SSL servers in the U.S. are using unnecessarily short RSA keys that are in danger of comprise, potentially threatening all of the data flowing to and from those servers, according to a new white paper due to be published next week.

      The paper, written by Nicko van Someren, CTO of nCipher Corp., a security equipment vendor based in Cambridge, England, includes an analysis of a survey of 137,000 SSL servers done by Netcraft Ltd. The data show that of the more than 84,000 servers in the U.S. that support Secure Socket Layer (SSL) encryption, 15.1 percent use RSA keys shorter than 900 bits, and 84.3 percent use keys between 900 and 1250 bits.

      The paper also discloses that, as first reported by eWEEK last month, a student researcher at nCipher recently developed a new implementation of a factoring method known as the General Number Field Sieve, or GNFS, which could be used to factor a 512-bit key in about three weeks using an off-the-shelf server with an Intel Corp. Itanium processor. The calculations the student performed using the server are the second phase of the GNFS method.

      Previously, this process was thought to be feasible only on much more powerful computers, such as Cray supercomputers.

      “So the breaking of 512-bit RSA is easily within reach of any mathematically adept individual with access to the level of computing resources available in most medium-sized businesses,” van Someren wrote. “This does not represent a very high barrier for a determined attacker.”

      Much of the reason that many sites continue to use short keys has to do with the history of SSL itself. When Netscape Corp. developed the protocol in the mid-1990s, the U.S. government decreed that it could only be sold overseas if it used keys of 512 bits or less. The government has since relaxed those restrictions, but many sites have stuck with their original certificates rather than upgrading.

      “Its so easy to fix,” said van Someren. “I think its just inertia. Part of it is that browsers will show the length of the symmetric key [used during the key-exchange process], but dont say anything about the RSA key, so people have no idea.”

      SSL is the de facto standard protocol used to encrypt data going to and from Web sites, typically for financial transactions on e-commerce sites. Support for the protocol is built into every commercial Web browser and virtually every Web site that accepts payment electronically uses SSL.

      SSL uses RSA keys both for authentication of the server to the client and to encrypt the traffic between the two parties. Thus, if the RSA key is ever compromised, an attacker would not only be able to impersonate the trusted Web site, but he would also be able to decrypt any traffic that he could intercept going to or from the site.

      “Its potentially a very significant problem,” van Someren said. “Its a passive attack. It doesnt require me to inject anything into your traffic. I think [the short keys] are giving people a false sense of security, which in a sense is worse than no security.”

      The U.S. is by no means the worst offender among industrialized nations, however. According to the Netcraft data, 40 percent of Israels 112 SSL servers use short keys, and more than 49 percent of Taiwans 176 secure servers have keys smaller than 900 bits.

      Other cryptographers say van Somerens paper should serve as a wakeup call about the true level of security at e-commerce sites.

      “Ever since the first 512-bit number was factored, people have been saying that 512-bit RSA was insecure,” said William Whyte, director of cryptographic research and development at Ntru Cryptosystems Inc., based in Burlington, Mass. “Sometimes it takes something like this to remind people.”

      Dennis Fisher
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×