Information Security News mailing list archives

Putting to Rest RSA Key Security Worries


From: InfoSec News <alerts () infosecnews org>
Date: Wed, 22 Feb 2012 04:05:04 -0600 (CST)

http://www.bankinfosecurity.com/interviews.php?interviewID=1395

By Eric Chabrow
Bank Info Security
February 20, 2012

IT security practitioners who employ RSA public-private key cryptography needn't lose sleep about its efficacy, despite new research that raises questions about how large prime numbers are generated for secret keys, IT security authority Gene Spafford says.

Information Security Media Group asked the Purdue University computer science professor to look at a research paper entitled "Ron was Wrong, Whit was Right," which concludes that the way random numbers are generated for RSA encryption keys could, in rare instances, make a secret number public. That, the researchers say, could create a potential vulnerability that hackers might exploit [see When 99.8% Security May Not Be Sufficient]. We also asked Spafford to critique a response to the paper from RSA Chief Technologist Sam Curry, who maintains the problem isn't with the algorithm but with how organizations employ RSA public-key cryptography [see How Encrypted Keys Can Leave Bad Taste].

Spafford, in an interview with ISMG, says the exposed keys aren't the type that would be used by businesses such as financial institutions that conduct sensitive transactions on the Internet.

What apparently happened is that some smaller organizations created their own Secure-Socket-Layer public-private-key set using software to generate random numbers, Spafford says. The smaller organizations may have used a small set of seed values that would generate the same set of large prime numbers, he says.
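The failure mode Spafford describes, as an added example that is not from the article or the paper: a toy RSA key generator whose primes come from a PRNG seeded from a small seed pool, beside the pairwise gcd check an operator can run over their own key inventory to find moduli that share a prime. The 32-bit primes, the seed values and the Miller-Rabin helper are constructed for illustration only.

```python
import random
from itertools import combinations
from math import gcd

def is_probable_prime(n, rounds=20):
    """Miller-Rabin with fixed witnesses: enough for a toy, not for real keys."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:          # write n - 1 = d * 2**r with d odd
        d, r = d // 2, r + 1
    witness_rng = random.Random(0)
    for _ in range(rounds):
        x = pow(witness_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # composite witness found
    return True

def gen_prime(rng, bits):
    """Draw odd, top-bit-set candidates from rng until one passes the test."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def make_modulus(seed_p, seed_q, bits=32):
    """Toy RSA modulus. Each prime's generator is seeded from a (constructed)
    small seed pool, so two keys that reuse a seed share that prime."""
    p = gen_prime(random.Random(seed_p), bits)
    q = gen_prime(random.Random(seed_q), bits)
    return p * q

def find_shared_factors(moduli):
    """Inventory check: pairwise gcd over public moduli. Returns {(i, j): p}
    for every pair sharing one prime p (identical moduli are skipped)."""
    weak = {}
    for (i, n1), (j, n2) in combinations(enumerate(moduli), 2):
        g = gcd(n1, n2)
        if g != 1 and g not in (n1, n2):
            weak[(i, j)] = g   # g factors both n1 and n2 outright
    return weak
```

Once gcd exposes the shared prime, each affected modulus divides cleanly into its two factors, which is why the paper treats such keys as fully compromised rather than merely weakened.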

[...]

