Generating keys with a pseudorandom number generator, no matter how good, is absolutely 100% unacceptable. Cryptographic keys must be generated using true randomness, and a lot of entropy worth of it, say 2000 bits worth. (Which could then be piped through a pseudorandom generator if desired, but the true randomness must be present at bottom.)

Obviously, some idiot decided to generate keys using the "time of day" or something asinine like that as the source of "true random bits." Then they installed this code inside Netscape or some other piece of common software. The paper found that of around 2 million keys examined, about 0.2% of them involve a prime factor identical to that of some other key. In other words, the aggregate key generators out there feature a "random prime generator" that 0.2% of the time stays within a fixed subset containing only about 10000 primes. This data is also compatible with the (presumably untrue) theory that there is only one random prime generator out there and that, no matter how many times you invoke it, it generates in total only 10^8 or 10^9 different primes, indicating it only employs about 27-30 bits of true randomness. A completely trivial collision test on whatever generator it was would have revealed this but obviously was never run (if accidental) -- or this was an intentional move designed to allow the NSA or somebody to break security.

Is the US Govt safe and only amateurs unsafe? Ridiculous, baseless assertion. First, I assure you that this generator was written by professionals and installed in a professional piece of common software. Second, the US govt is now known to have controlled their military drone flights using entirely unencrypted signals for years (and for all I know still does so).

The lesson here is: always assume the users/implementors of cryptography are beyond stupid, and will intentionally do the worst possible thing repeatedly thousands or millions of times.

For example, suppose we consider the "one time pad", a well-known "unbreakable" cryptosystem. It is now clear we can safely assume users will re-use the same old random bits as the "key", and hence we conclude as a corollary that the one time pad is an unacceptable cryptosystem.
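The "completely trivial collision test" the comment says was never run, written out as an added example (this code is not from the commenter or from the paper being discussed). It simulates two RSA key generators: a constructed "weak" one whose entire output space is a fixed pool of 50 primes (a stand-in for a generator with only a few bits of effective entropy, not a model of any specific product), and a "fresh" one that draws a new random prime on every call. Both get the same two audits: count how many distinct primes come out of many invocations, and take pairwise GCDs over a batch of moduli to find shared factors. Key sizes are 32 and 64 bits so it runs in seconds; the checks are identical for real 2048-bit moduli. All names, the pool size and the seed are assumptions of this example.

```python
"""Audit a batch of RSA moduli for shared prime factors (added example)."""
import math
import random
from itertools import combinations


def is_probable_prime(n, rounds=16, rng=None):
    """Miller-Rabin primality test; probabilistic, adequate for a demo."""
    rng = rng or random.Random(12345)
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def fresh_prime(bits, rng):
    """A healthy generator: a new random prime of `bits` bits on every call."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng=rng):
            return cand


def make_weak_prime_source(pool_size, bits, rng):
    """Constructed weak generator: every call returns one of a fixed pool of
    primes, i.e. roughly log2(pool_size) bits of effective entropy."""
    pool = [fresh_prime(bits, rng) for _ in range(pool_size)]
    return lambda: rng.choice(pool)


def make_moduli(prime_source, count):
    """Build RSA moduli n = p*q from a prime source, rejecting p == q."""
    moduli = []
    for _ in range(count):
        p = prime_source()
        q = prime_source()
        while q == p:
            q = prime_source()
        moduli.append(p * q)
    return moduli


def distinct_output_count(prime_source, calls):
    """Collision test on the generator itself: distinct primes out of `calls`
    invocations. A healthy generator returns (almost) exactly `calls`."""
    return len({prime_source() for _ in range(calls)})


def shared_factors(moduli):
    """Pairwise GCD over all moduli. Returns (i, j, g) for every pair that
    shares a nontrivial factor g; g == n means a duplicated modulus. O(n^2)
    GCDs is fine for thousands of keys; at millions use a product-tree
    batch GCD instead."""
    hits = []
    for (i, n1), (j, n2) in combinations(enumerate(moduli), 2):
        g = math.gcd(n1, n2)
        if g > 1:
            hits.append((i, j, g))
    return hits


def run_audit(seed=0):
    """Run both audits against the weak and the fresh generator."""
    rng = random.Random(seed)  # fixed seed: reproducible demo only
    weak = make_weak_prime_source(pool_size=50, bits=32, rng=rng)
    strong = lambda: fresh_prime(64, rng)
    return {
        "weak_distinct_of_500": distinct_output_count(weak, 500),
        "strong_distinct_of_500": distinct_output_count(strong, 500),
        "weak_shared_pairs": len(shared_factors(make_moduli(weak, 200))),
        "strong_shared_pairs": len(shared_factors(make_moduli(strong, 200))),
    }


if __name__ == "__main__":
    for name, value in run_audit().items():
        print(f"{name}: {value}")
```

The weak source can never produce more than 50 distinct primes no matter how many times it is called, and 200 moduli built from it share factors with each other all over the place; the fresh source yields 500 distinct primes and no shared factors. Either check on its own would have flagged the problem before any key shipped.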