The security of RSA certificates has come under scrutiny after researchers revealed that they were able to break nearly a quarter of a million currently active keys.
Security vendor Keyfactor announced its findings in a paper published at the First IEEE Conference on Trust, Privacy and Security in Intelligent Systems and Applications.
The team first built a database of 75 million active RSA keys, augmented with another 100 million certs available through certificate transparency logs.
The modulus of an RSA key is the product of two large, randomly chosen prime numbers, and such keys are typically used to encrypt data in transit. If a key shares one of those primes with another key, however, a simple GCD of the two moduli exposes the shared factor, and the key is compromised.
Unfortunately, the researchers found over 435,000 certificates with a shared factor, enabling them to “rederive” the private key.
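The following is an added illustration, not Keyfactor's code: it scans a set of RSA public moduli for shared primes using a batch GCD (product tree plus remainder tree, the technique that makes this practical over millions of keys), then rebuilds the private exponent for each affected key. The moduli and public exponent are constructed from tiny primes purely for illustration.

```python
# Added example: detect RSA keys that share a prime factor with a batch GCD
# and recover the private exponent of each affected key. Not Keyfactor's
# code; the moduli below are constructed from tiny primes for illustration.
from math import gcd


def batch_gcd(moduli):
    """Return g[i] = gcd(n_i, product of all other moduli) for every n_i.

    A product tree followed by a remainder tree computes this in
    quasi-linear time, instead of O(k^2) pairwise GCDs over k keys.
    """
    levels = [list(moduli)]
    while len(levels[-1]) > 1:           # product tree: multiply pairs upward
        prev = levels[-1]
        levels.append([prev[i] * prev[i + 1] if i + 1 < len(prev) else prev[i]
                       for i in range(0, len(prev), 2)])
    rems = [levels[-1][0]]               # root holds the product of all moduli
    for level in reversed(levels[:-1]):  # remainder tree: reduce mod n_i^2
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(level)]
    # P mod n^2 == n * (Q mod n) where Q is the product of the other moduli
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def find_weak_keys(moduli):
    """Map each vulnerable modulus to a recovered prime factor (None if the
    modulus is an exact duplicate and no proper factor could be isolated)."""
    weak = {}
    for n, g in zip(moduli, batch_gcd(moduli)):
        if g == 1:
            continue                     # no factor shared with the batch
        if g == n:                       # both factors shared or duplicate key
            g = next((gcd(n, m) for m in moduli if 1 < gcd(n, m) < n), None)
        weak[n] = g
    return weak


def private_exponent(n, p, e):
    """Rebuild d = e^-1 mod (p-1)(q-1) once one factor p of n is known."""
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


# Constructed test set: five moduli, two pairs sharing a prime (103 and 131).
MODULI = [101 * 103, 103 * 107, 109 * 113, 127 * 131, 131 * 137]
E = 11  # toy public exponent, coprime to every phi(n) above

if __name__ == "__main__":
    for n, p in find_weak_keys(MODULI).items():
        if p is not None:
            d = private_exponent(n, p, E)
            print(f"n={n} = {p} x {n // p}; recovered private exponent d={d}")
```

Real moduli are 2048-bit integers parsed from certificates, but the scan logic is unchanged; a key whose modulus shows up in `find_weak_keys` on your own inventory should be revoked and regenerated with a properly seeded RNG.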
“In a real-world attack scenario, a threat actor with a re-derived private key for an SSL/TLS server certificate could impersonate that server when devices attempt to connect,” said JD Kilgallin, senior integration engineer and researcher at Keyfactor.
“The connecting user or device cannot distinguish the attacker from the legitimate certificate holder, opening the door to critical device malfunction or exposure of sensitive data.”
This could have a particularly major impact on the IoT sphere due to the low entropy or lack of randomness in key generation there, the firm said.
“These devices could include cars, medical implants and other critical devices, that if compromised, could result in life-impacting harm,” argued Keyfactor CTO, Ted Shorter.
Michael Barragry, operations lead and security consultant at Edgescan, explained that the issue discovered by the research team was a fault in implementation rather than a weakness with the underlying mathematics.
“Public key certificates are one of the key pieces of infrastructure that enable various devices and servers to securely identify and trust each other. If a malicious actor can successfully spoof a certificate for a particular device, they can essentially masquerade as that device. Depending on the trust chain that it lies within, multiple further attacks may be possible,” he added.
“Vendors need to be conscious of the potential upstream impact of all design decisions, as in this case it seems like an innocuous shortcut around random number generation has given rise to a much more serious flaw.”