RSA accepts X.509 weaknesses but says that research revelations raise questions about poor implementation
Security vendor RSA has denied there is a flaw with the algorithm for its X.509 public-key certificates, arguing that any problems stem from poor implementation of the technology.
The company issued its response to Swiss researchers who claimed a small number of RSA public encryption keys offered “no security at all”. The team is based at L’École Polytechnique Fédérale de Lausanne but was led by James Hughes, an independent cryptology expert based in Palo Alto, California, and Arjen Lenstra, a Dutch mathematician who teaches at the polytechnic.
A small number
The researchers analysed 7.1 million RSA encryption keys and found that 0.02 percent of them were improperly generated, suggesting that they could be cracked by relatively simple means and might already be compromised. Although such a small number were found to be flawed, the researchers pointed out that this still means 12,000 keys could be a security risk.
These keys are used to encrypt everything from bank transfers to Gmail accounts and work by generating random prime numbers which pass through the encryption algorithm. Prime numbers are particularly hard for even a superfast processor to digest, and a hacker would have a difficult time trying to figure them out, but the problem relates to the fact that the numbers used “aren’t random enough”.
The researchers, who thankfully did not publish their methodology, which hackers could otherwise have used, said that a smart enough hacker would be able to detect the patterns behind the numbers.
RSA responded by saying that the “exploding” number of Internet-connected devices was to blame and that the researchers’ findings pointed to the importance of proper implementation rather than to a problem with the algorithm.
“We welcome this form of research into security technologies in general, as it contributes to better overall security for everyone,” said RSA, a division of EMC, in a statement. “The RSA algorithm has withstood such scrutiny for decades from multiple sources. But good cryptography, including RSA’s, depends on proper implementation.
“True random number generation underpins nearly all cryptographic algorithms and protocols, and must be performed with care to protect against the weakening of well-designed cryptography,” the company added.
In January 2010, security researchers were able to crack RSA’s 768-bit encryption, which is used to protect data in transit, while in March 2011 the company acknowledged that it had been targeted by an “extremely sophisticated” attack that led to information about its SecurID two-factor authentication products being stolen.
It later blamed a “nation state” for the attacks and, in June last year, it offered to replace SecurID identification tokens for certain customers following the suspected use of SecurID data in an attack on US military contractor Lockheed Martin.