Keyfactor Researchers Identify RSA Certificate Vulnerability, Successfully Break Nearly 250,000 Distinct RSA Keys

1 in every 172 active RSA certificates is vulnerable to compromise or attack

CLEVELAND, Ohio, December 16, 2019 - Keyfactor, the leader in securing digital identities, today announced research findings identifying a vulnerability across active RSA certificates. RSA certificates and the RSA algorithm are commonly used to securely transmit data to a remote source. Using minimal computing resources, researchers were able to collect and analyze 175 million RSA certificates and keys used to protect real-world Internet traffic.

“The findings are alarming,” said Ted Shorter, chief technology officer and co-founder at Keyfactor. “The research finds inordinate rates of compromise impacting IoT devices with design constraints and limited entropy. These devices could include cars, medical implants and other critical devices that, if compromised, could result in life-impacting harm.”

The active and publicly available RSA keys (each modulus is the product of two large, randomly chosen primes) were mined to identify common factors. Any key that shares one of its prime factors with another key is compromised by this technique, because a greatest-common-divisor computation on the two moduli reveals the shared prime and therefore both factorizations. The analysis found over 435,000 certificates with a shared factor, and researchers were able to rederive the corresponding private keys.

“In a real-world attack scenario, a threat actor with a re-derived private key for an SSL/TLS server certificate could impersonate that server when devices attempt to connect,” said JD Kilgallin, senior integration engineer and researcher at Keyfactor. “The connecting user or device cannot distinguish the attacker from the legitimate certificate holder, opening the door to critical device malfunction or exposure of sensitive data.”

When these devices include medical implants and cars, the impact of the malfunction can be devastating. The research stresses the importance of security best practices, random number generation for connected systems and use of cryptography to securely install firmware and software updates through the lifecycle of the device.

“Security at design is paramount for device manufacturers,” said Shorter. “Current-generation connected devices and systems must be equipped to defend against a new generation of security risks. Cryptography is essential in ensuring new and emerging devices are able to adhere to and scale with security best practices.”

Researchers built a database of 75 million active RSA keys using Keyfactor’s proprietary SSL/TLS certificate discovery capabilities. The dataset was augmented using 100 million certificates available through certificate transparency logs and analyzed on a single virtual machine in Microsoft Azure, using Keyfactor’s scalable GCD algorithm to find shared factors. The findings were released at the First IEEE Conference on Trust, Privacy and Security in Intelligent Systems and Applications.
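The shared-factor check described above (and the "scalable GCD" step in the paragraph before this) can be reproduced at toy scale with Bernstein's batch-GCD method: a product tree over all moduli, a remainder tree back down, then one gcd per key. The code below is an added illustration for auditing one's own key inventory; it is not Keyfactor's code or the algorithm from their paper, and the moduli, primes and public exponent are constructed toy values (real RSA moduli are 2048 bits or more, and pairwise gcd over 175 million keys would be far too slow, which is why the tree approach matters).

```python
from math import gcd

# Python 3.8+ (uses pow(e, -1, phi) for the modular inverse)


def product_tree(values):
    """Return the levels of a product tree; level 0 is the input, the last level is [product]."""
    tree = [list(values)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        # Pair up neighbours; an odd trailing element is carried up unchanged.
        nxt = [level[i] * level[i + 1] if i + 1 < len(level) else level[i]
               for i in range(0, len(level), 2)]
        tree.append(nxt)
    return tree


def batch_gcd(moduli):
    """For each modulus n_i return gcd(n_i, product of all other moduli).

    Remainder tree: r_child = r_parent mod child^2, then at each leaf
    gcd((P mod n^2) // n, n) == gcd(P / n, n), i.e. the part of n shared
    with any other modulus in the set. Quasi-linear instead of O(k^2) gcds.
    """
    tree = product_tree(moduli)
    rems = tree[-1]  # [P], the product of every modulus
    for level in reversed(tree[:-1]):
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(level)]
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def audit_keys(moduli, e):
    """Flag keys whose modulus shares a prime with another key in the set.

    Returns (compromised, duplicates):
      compromised: {n: (p, q, d)} where d is the recovered private exponent
      duplicates : moduli whose gcd with the rest equals n itself
                   (the same modulus appears twice, or both primes are shared)
    """
    compromised = {}
    duplicates = []
    for n, g in zip(moduli, batch_gcd(moduli)):
        if g == 1:
            continue            # no prime shared with any other key: fine
        if g == n:
            duplicates.append(n)
            continue
        p, q = g, n // g        # the shared prime and its cofactor
        phi = (p - 1) * (q - 1)
        d = pow(e, -1, phi)     # private exponent follows directly from p, q
        compromised[n] = (p, q, d)
    return compromised, duplicates


# Constructed toy inventory (NOT real keys): two moduli share the prime 61.
TOY_MODULI = [
    61 * 53,    # 3233, shares 61 with the next entry
    61 * 71,    # 4331
    83 * 97,    # 8051, unique primes
    101 * 103,  # 10403, unique primes
]
TOY_E = 17      # toy public exponent; 65537 is the usual real-world choice


if __name__ == "__main__":
    found, dups = audit_keys(TOY_MODULI, TOY_E)
    for n, (p, q, d) in found.items():
        print(f"modulus {n} factored: p={p} q={q} private exponent d={d}")
    for n in dups:
        print(f"modulus {n} appears more than once or shares both primes")
```

Running this prints the two 61-sharing moduli with their recovered private exponents, while the two moduli with unique primes stay silent. An inventory scan like this is the detection control the research implies: run it over every certificate your organisation issues or accepts, and treat any hit as a key that must be revoked and regenerated on a device with adequate entropy.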


To download a copy of the research paper, please visit: https://info.keyfactor.com/factoring-rsa-keys-in-the-iot-era.

About Keyfactor
Keyfactor empowers enterprises of all sizes to escape the exposure epidemic – when breaches, outages and failed audits from digital certificates and keys impact brand loyalty and the bottom line. Powered by an award-winning PKI as-a-service platform for certificate lifecycle automation and IoT device security, IT and infosec teams can easily manage digital certificates and keys. And product teams can build IoT devices with crypto-agility and at massive scale. Exceptional products and a white-glove customer experience for its 500+ global customers have earned Keyfactor a 98.5% retention rate and a 99% support satisfaction rate. Learn more at www.keyfactor.com.