[math-fun] RSA keys, randomness, and idiots
Generating keys with a pseudorandom number generator, no matter how good, is absolutely 100% unacceptable. Cryptographic keys must be generated using true randomness, and a lot of entropy worth of it, say 2000 bits worth. (Which could then be piped thru a pseudorandom generator if desired, but the true randomness must be present at bottom.) Obviously, some idiot decided to generate keys using the "time of day" or something asinine like that as the source of "true random bits." Then they installed this code inside netscape or some other piece of common software. Paper found of around 2 million keys examined, about 0.2% of them involves identical prime factor to some other key. In other words, the aggregate key generators out there, feature a "random prime generator" that 0.2% of the time, stays within a fixed subset containing about 10000 primes only. This data also is compatible with the (presumably untrue) theory that there is only one random prime generator out there and it generates in total no matter how many times you invoke it, only 10^8 or 10^9 different primes, indicating it only employs about 27-30 bits of true randomness. A completely trivial collision test on whatever generator it was, would have revealed this but obviously was never run (if accidental) -- or this was an intentional move designed to allow the NSA or somebody to break security. Is the US Govt safe and only amateurs unsafe? Ridiculous baseless assertion. First, I assure you that this generator was written by professionals and installed in a professional piece of common software. Second, the US govt is now known to have controlled their military drone flights using entirely unencrypted signals for years (and for all I know still do so). The lesson here is: always assume the users/implementors of cryptography are beyond stupid, and will intentionally do the worst possible thing repeatedly thousands or millions of times. For example, suppose we consider the "one time pad" a well known "unbreakable" cryptosystem. It is now clear we can safely assume users will re-use the same old random bits as the "key" and hence we conclude as a corollary that the one time pad is an unacceptable cryptosystem.
On Wed, Feb 15, 2012 at 10:32 AM, Warren Smith <warren.wds@gmail.com> wrote:
Generating keys with a pseudorandom number generator, no matter how good, is absolutely 100% unacceptable. [...] The lesson here is: always assume the users/implementors of cryptography are beyond stupid, and will intentionally do the worst possible thing repeatedly thousands or millions of times.
Actually, the paper does a nice job pointing out the not-immediately-obvious benefit of a one-secret cryptographic system (e.g. Diffie-Hellman) over a two-secret system (e.g. RSA). Standard creation of RSA keys requires *two* secret primes, and if you share even one of those with another RSA public key, you end up insecure, and anyone can break your encryption. By contrast, something like Diffie-Hellman is based on a single secret, and if someone else happens to randomly generate the same secret as you, then you two would end up with the same public key -- but then only that other person would be able to break your encryption, not anyone in the world that noticed the duplication. So one lesson here is that RSA is particularly vulnerable to this kind of bad-implementation failure mode. I was really interested to see that there's a known RSA key-generation variant that makes it a single-secret process, as mentioned on p.4 of the paper: choose p such that q = [(2^(2k-1) + p - (2^(2k-1) mod p))/p] is also prime. These are believed to be just as secure as independent p,q keys, but avoid the share-one-of-two-secrets failure mode. This seems very clever to me. It's easy to run around screaming "Cryptography is hopeless because implementers are idiots!", and substantially more useful to say "Here's a standard that is more robust to the existence of bad implementations." --Michael -- Forewarned is worth an octopus in the bush.
participants (2)
-
Michael Kleber -
Warren Smith