杏吧原创

Some unbreakable encryption keys are accidentally leaking online

A widely used form of encryption called RSA is thought to be unbreakable, but an analysis of more than 5 billion server records has found that, in some cases, hardware errors can lead to secret keys being exposed
Faulty encryption can put data at risk
Yuichiro Chino/Getty Images

Hardware faults are leaking hundreds of supposedly unbreakable encryption keys on to the internet, researchers have found 鈥 and spy agencies may be exploiting the loophole to read secret messages.

RSA is a widely-used encryption scheme that depends on two numbers 鈥 a public key, which anyone can use to encrypt a message intended for a particular person, and a private key, which decrypts the messages and only that person has access to. Individuals can also use their private key to 鈥渟ign鈥 a message, allowing anyone to use their public key to verify the signature is genuine.

Normally, cracking someone鈥檚 private key would require an infeasible level of computation. But when Keegan Ryan at the University of California, San Diego, and his colleagues analysed around 5.2 billion server records gathered over the course of seven years, they found nearly 600,000 examples of incorrectly formed signatures with errors that could expose private RSA keys.

By exploiting these errors, the team was able to retrieve private keys from 4962 records. Because some of these records were duplicated, in total it identified 189 unique private keys.

鈥淚n our dataset, we found that about one in a million signatures leaked the private key,鈥 says Ryan. 鈥淚n an ideal world, that would be zero. This wouldn鈥檛 be possible. So the fact that it鈥檚 anything more than that is somewhat surprising.鈥

The researchers found devices made by four manufacturers could create signatures incorrectly, leaving them susceptible to this kind of attack. Two of the manufacturers contacted by the team 鈥 Cisco and Zyxel 鈥 said they had either fixed the error where possible or had stopped selling the devices it affected. The other two manufacturers didn鈥檛 respond. All four were separately contacted by New 杏吧原创 for this story, but haven鈥檛 responded.

鈥淥ur research showed that the total number of affected hosts has gone down over time, which is a good sign,鈥 says Ryan. 鈥淎s these devices update over time, there will be fewer vulnerable devices on the internet.鈥

The faults in these devices allow an attacker to quietly monitor legitimate connections until a faulty signature exposes a private key. This breach could enable them to undetectably impersonate the compromised host, intercepting sensitive data. 鈥淚f the private key is exposed, then you don鈥檛 know if you鈥檙e talking to the correct server, or if you鈥檙e talking to an attacker,鈥 says Ryan.

鈥淭his is an important result, reminding us that software and hardware flaws may weaken the security of paradigms regarded as bulletproof,鈥 says independent cybersecurity researcher . 鈥淎ll that is needed is a small flaw, and suddenly things deemed unbreakable are in fact prone to easy and simple cryptanalysis. In this particular case, encryption and digital signatures were undermined.鈥

鈥淭his research demonstrates that hardware errors can contribute to implementation vulnerabilities as much as mistakes in coding,鈥 says at the University of Surrey, UK. 鈥淐heaper, error-prone hardware is widespread, so this will be of interest to anyone wishing to bypass RSA, and it鈥檚 difficult not to conclude that this will be governments wanting to eavesdrop.鈥

However, Olejnik is less certain that spy agencies will be able to leap in to exploit the issue. 鈥淚t is an isolated issue of devices not used on massive scales,鈥 he says. 鈥淚t is unlikely usable for espionage, though it all depends where such devices are placed.鈥 Fixing things should be relatively easy, says Olejnik 鈥 you just need to replace or patch the affected devices. 鈥淧atching is one of the most proactive security defences that an organisation can take,鈥 says Ryan.

Reference:

Cryptology ePrint Archive