[Discuss] The RSA Keying links

[bill.n1vux at gmail.com (Bill Ricker)]

 Study #1

*"Ron was wrong, Whit is right"*

*Arjen K. Lenstra and James P. Hughes and Maxime Augier and Joppe W. Bos
and Thorsten Kleinjung and Christophe Wachter*

Abstract http://eprint.iacr.org/2012/064/
Paper (short form) http://eprint.iacr.org/2012/064.pdf

Reported in NYT as
http://www.nytimes.com/2012/02/15/technology/researchers-find-flaw-in-an-online-encryption-method.html?_r=2&hp=&pagewanted=all.


Good quick overview *
http://arstechnica.com/business/news/2012/02/crypto-shocker-four-of-every-1000-public-keys-provide-no-security.ars
*

but ...

*Study #2** **IT MAY BE LARGELY VPN/EMBEDDED ISSUE ? *

New research: There's no need to panic over factorable keys  --  just mind
your Ps and Qs

*
https://freedom-to-tinker.com/blog/nadiah/new-research-theres-no-need-panic-over-factorable-keys-just-mind-your-ps-and-qs
*

* Nadia Heninger* Zakir Durumeric, Eric Wustrow, Alex Halderman,

February 15th, 2012 at 2:16 am

You may have seen the preprint posted today by Lenstra et al. about entropy
problems in public keys. [ *We* ] have been waiting to talk about some
similar results. We will be publishing a full paper after the relevant
manufacturers have been notified. ... this problem mainly affects various
kinds of embedded devices such as routers and VPN devices, not full-blown
web servers. (It's certainly not, as suggested in the New York Times, any
reason to have diminished confidence in the security of web-based
commerce.) Unfortunately, we've found vulnerable devices from nearly every
major manufacturer and we suspect that more than 200,000 devices,
representing 4.1% of the SSL keys in our dataset, were generated with poor
entropy. Any weak keys found to be generated by a device suggests that the
entire class of devices may be vulnerable upon further analysis.... Many,
but not all, of the vulnerable keys were generated by OpenSSL and OpenSSH,
which calls OpenSSL's RSA key generation code.?