Putting to Rest RSA Key Security Worries

Impact on Online Transaction Seen as Minimal

By , February 20, 2012.

IT security practitioners who use RSA public-private key cryptography needn't lose sleep about its efficacy, despite new research that raises questions about how some implementations choose the large prime numbers from which secret keys are generated, IT security authority Gene Spafford says.

Information Security Media Group asked the Purdue University computer science professor to look at a research paper entitled Ron was Wrong, Whit was Right, which concludes that the way some implementations generate the random primes used in RSA keys can, in rare instances, expose a prime that is supposed to stay secret. That, the researchers say, could create a vulnerability that attackers might exploit [see When 99.8% Security May Not Be Sufficient]. We also asked Spafford to critique a response to the paper from RSA Chief Technologist Sam Curry, who maintains the problem isn't with the algorithm but with how organizations employ RSA public-key cryptography [see How Encrypted Keys Can Leave Bad Taste].

Spafford, in an interview with ISMG, says the exposed keys aren't the type that would be used by businesses such as financial institutions that conduct sensitive transactions on the Internet.

What apparently happened is that some smaller organizations created their own Secure Sockets Layer (SSL) public/private key pairs using software to generate the random numbers, Spafford says. Those organizations may have drawn from a small set of seed values, so that different key pairs ended up containing the same large prime numbers, he says.

"These keys, being somewhat of a problem of course, are not likely used in major commercial transactions," he says. "Those keys tend to be generated using a much better random number generation system, possibly hardware generation, and didn't appear to be among the sets of keys that were found to be vulnerable."
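The failure Spafford describes, two key pairs that draw their primes from the same small pool of seed values, is exploitable with nothing more than a greatest-common-divisor computation: if two public moduli share a prime, gcd(n1, n2) returns that prime and both private keys fall out. The following is an added example written for this page; it is not code from the article, from Spafford or from the paper's authors. It uses a constructed "weak seed" model (a device whose first prime depends only on a boot-time seed with four possible values, while its second prime gets some device-specific entropy), tiny 96-bit moduli so it runs in under a second, and pairwise GCD rather than the product-tree batch GCD the researchers needed for millions of keys.

```python
"""Toy reproduction of the shared-prime RSA failure: moduli that share a
prime factor are factored by a GCD over public keys alone.

Constructed illustration; key sizes are deliberately tiny (96-bit n).
"""
import math
import random

E = 65537  # common RSA public exponent


def is_probable_prime(n, rounds=20):
    """Miller-Rabin probable-prime test with trial division first."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    witnesses = random.Random(n)  # witness choice needs variety, not secrecy
    for _ in range(rounds):
        x = pow(witnesses.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Draw odd candidates of exactly `bits` bits from rng until one is prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def weak_keygen(boot_seed, device_id, bits=96):
    """Constructed model of a poorly seeded generator (assumption, not a real product).

    p depends only on boot_seed, standing in for an entropy pool that can hold
    just a handful of values when p is chosen. q is drawn after device-specific
    entropy is mixed in, so q differs per device while p repeats across devices
    that booted with the same seed.
    """
    p = random_prime(bits // 2, random.Random(boot_seed))
    q_rng = random.Random(f"boot={boot_seed},dev={device_id}")
    while True:
        q = random_prime(bits // 2, q_rng)
        if q != p and math.gcd(E, (p - 1) * (q - 1)) == 1:
            return p * q


def good_keygen(rng, bits=96):
    """Both primes from one properly seeded stream (SystemRandom in real use)."""
    while True:
        p = random_prime(bits // 2, rng)
        q = random_prime(bits // 2, rng)
        if p != q and math.gcd(E, (p - 1) * (q - 1)) == 1:
            return p * q


def find_shared_factors(moduli):
    """Pairwise GCD over public moduli; returns {n: nontrivial factor of n}.

    gcd == n (two devices with identical key pairs) is a different failure and
    is skipped here rather than reported as a factorisation.
    """
    found = {}
    for i, n1 in enumerate(moduli):
        for n2 in moduli[i + 1:]:
            g = math.gcd(n1, n2)
            if 1 < g < n1:
                found[n1] = g
            if 1 < g < n2:
                found[n2] = g
    return found


def recover_private_exponent(n, p):
    """One known factor of n is enough to rebuild the private exponent d."""
    phi = (p - 1) * (n // p - 1)
    return pow(E, -1, phi)  # modular inverse, Python 3.8+


def rsa_roundtrip(n, d, message=0xC0FFEE):
    """True if the recovered d decrypts what the public key encrypts."""
    return pow(pow(message, E, n), d, n) == message


def demo_fleet(n_devices=12, seed_space=4):
    """Twelve devices whose boot entropy takes only four values: by pigeonhole,
    every device shares its p with at least two others."""
    return [weak_keygen(i % seed_space, i) for i in range(n_devices)]


def demo_good_fleet(n_devices=12):
    rng = random.Random(2012)  # fixed for reproducibility only
    return [good_keygen(rng) for _ in range(n_devices)]


if __name__ == "__main__":
    weak = demo_fleet()
    broken = find_shared_factors(weak)
    print(f"{len(broken)} of {len(weak)} weakly seeded keys factored by GCD")
    for n, p in broken.items():
        assert rsa_roundtrip(n, recover_private_exponent(n, p))
    print(f"{len(find_shared_factors(demo_good_fleet()))} of 12 well-seeded keys factored")
```

The attacker never needs the seed, the generator or the device: the public moduli alone are enough, which is why the same check is worth running over an organisation's own certificate inventory before someone else does. The well-seeded fleet yields no shared factors, matching Spafford's point that the exposed keys were a product of weak randomness, not of RSA itself.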

In the interview, Spafford:

  • Summarizes the problem raised in the research paper.
  • Evaluates the response by RSA Chief Technologist Sam Curry to the paper.
  • Explains why such research into possible flaws of encryption and cryptographic solutions, even when disputed, is valuable.

Spafford also serves as executive director of the Purdue Center for Education and Research in Information Assurance and Security. Widely considered a leading expert in information security, Spafford has served on the Purdue computer science faculty since 1987. His research focuses on information security, computer crime investigation and information ethics.

Follow Eric Chabrow on Twitter: @GovInfoSecurity
