SSL Keys Coming Up Short

Netcraft survey shows 15 percent of U.S. servers use RSA keys that are shorter than maximum.

More than 15 percent of the SSL servers in the United States are using short RSA keys that are in danger of being compromised, potentially threatening the data flowing to and from those servers, according to a white paper published last week.

The paper, written by Nicko van Someren, chief technology officer of Ncipher Corp. Ltd., a security equipment vendor based in Cambridge, England, includes a survey of 137,000 Secure Sockets Layer servers done by Netcraft Ltd. The data shows that of the more than 84,000 servers in the United States that support SSL encryption, 15.1 percent use RSA keys shorter than 900 bits, and 84.3 percent use keys between 900 and 1,250 bits long.

The paper also discloses that, as first reported by eWeek last month, a student researcher at Ncipher developed a new implementation of a factoring method known as the GNFS, or General Number Field Sieve, which could be used to factor a 512-bit key in about three weeks using an off-the-shelf server with an Intel Corp. Itanium processor. Previously, this process was thought to be feasible only on much more powerful computers, such as Cray Inc. supercomputers.

"The breaking of 512-bit RSA is easily within reach of any mathematically adept individual with access to the level of computing resources available in most medium-size businesses," van Someren wrote.

SSL is the de facto standard protocol used to encrypt data going to and from Web sites, typically for financial transactions on e-commerce sites. SSL uses RSA keys for authentication of the server to the client and to encrypt the traffic between two parties. Thus, if the RSA key is compromised, an attacker would be able to impersonate the Web site as well as decrypt traffic that he or she could intercept going to or from the site.

"Its potentially a very significant problem," van Someren said. "Its a passive attack. It doesnt require me to inject anything into your traffic. I think [the short keys] are giving people a false sense of security, which, in a sense, is worse than no security."

The United States is by no means the worst offender among industrialized nations, however. According to the Netcraft data, 40 percent of Israels 280 SSL servers use short keys, and more than 49 percent of Taiwans 176 secure servers have keys smaller than 900 bits.

Other cryptographers said van Somerens paper should serve as a wake-up call about the true level of security at e-commerce sites.

"Ever since the first 512-bit number was factored, people have been saying that 512-bit RSA was insecure," said William Whyte, director of cryptographic research and development at Ntru Cryptosystems Inc., based in Burlington, Mass. "Sometimes, it takes something like this to remind people."