Alleged RSA crypto flaw hotly debated

Alleged RSA crypto flaw hotly debated


Is the RSA cryptosystem flawed or is the recent sharp criticism of it the result of poor — or even malicious — implementation of key-generation techniques that appear to have rendered some RSA-based encryption keys crackable?

Background: Crypto experts analyze millions of X.509 certificates, call RSA crypto flawed

Other news: 25 alleged Anonymous members busted by Interpol

A panel at the RSA Conference yesterday took up that topic, with legendary cryptographers Whitfield Diffie and Ron Rivest on hand to render judgment on an explosive research paper entitled "Ron was wrong, Whit is right," that blasts the RSA cryptosystem co-invented by Rivest and saying crypto techniques pioneered by Diffie are better.

That paper, co-authored by a research team led by prominent cryptographers James Hughes and Arjen Lenstra, examined several million X.509 certificates available on the Internet, and determined "1,024-bit RSA provides 99.8% security at best" and cryptosystems based on the Diffie-Hellman techniques are "less risky."

RSA's Chief scientist Ari Juels recently responded to the assault on the RSA algorithm by blaming the problems associated with RSA-based keys discovered by the researchers on implementation problems caused by poor key generation.

See what's hot at RSA 2012

The two crypto experts, Rivest and Diffie, sat side by side with Juels on a crypto smackdown panel at the RSA Conference before a huge crowd of show attendees.

"Whit, do you feel vindicated?" Juels asked.

Diffie answered if he felt vindicated at all, it's that Diffie-Hellman is a national standard. He called the findings of the research paper that questioned the security of RSA crypto "charming," and noted Lenstra and Hughes "had found RSA keys with common factors" which "ruins the keys."

But Diffie appeared to agree with Juels in that the main question of breakable RSA keys does seem to center on the real-world use of the random-number generator. "Maybe we'll see there's one bad one," said Diffie. He said if the manufacturing process is done "correctly, this is simply not going to happen to you. We want to out this bad random-number generator."

When asked his views of the paper "Ron was wrong, Whit is right," Rivest got laughs when he suggested the title of the paper be changed. But he turned serious and said about the RSA algorithm, "It's a case of no news is good news" and he said the paper doesn't tear apart the basic mathematical foundation for RSA. Rivest didn't challenge the underlying research Lenstra and Hughes did with their team, saying it was a "fascinating paper with fascinating results." He said you do have to be concerned about implementation of random-number generators because if it's done wrong, it can reveal secret keys.

The panelists raised the possibility that there might even be random-number generators maliciously designed to produce weak and flawed RSA-based keys. Adi Shamir, the co-inventor of the RSA algorithm, was also on the panel at the RSA Conference. His comment was," I thought the paper name should be changed to 'Ron is wrong, Whit is right and the NSA is happy,'" suggesting any weakness found in RSA crypto implementations would make it easier for the National Security Agency to crack encryption keys to get to encrypted data.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.

Read more about wide area network in Network World's Wide Area Network section.

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.


Show Comments