[Cryptography] 1023 nails in the coffin of 1024 RSA...

Tony Arcieri bascule at gmail.com
Sat Oct 4 16:14:24 EDT 2014

Using 1024-bit keys is silly, but PoC||GTFO

On Sat, Oct 4, 2014 at 12:08 PM, ianG <iang at iang.org> wrote:

> (some skepticism about whether this there is really a break in OpenSSL,
> but the rumour mill will no doubt throw mud on the 1024 bit part as
> well...)
> OpenSSL bug allows RSA 1024 key factorization in 20 minutes
> https://www.reddit.com/r/crypto/comments/2i9qke/openssl_bug_allows_rsa_1024_key_factorization_in/
> Supposedly.
> So just a few minutes ago has finished a talk at Navaja Negra 2014, the
> third? most important security congress in Spain, where the speaker (a
> member of the organization) claimed to have found a bug in OpenSSL RSA
> key generation, which he is able to exploit to factorize N into p and q
> in around 20 minutes (on a laptop). He did a live demo. I wasn't there,
> but some friends were.
> He claimed:
>     The bug originates in this lines of rsa_gen.c:
>     117 bitsp=(bits+1)/2;
>     118 bitsq=bits-bitsp;
>     the main problem being that the rounding of 1025 isn't downwards but
> upwards, resulting in bitsp= 513 and bitsq=511, which, supposedly, later
> on the code and due to compiler optimizations, causes the bug.
>     It affects all versions of OpenSSL.
>     He is neither going to report it to the developers, nor publish
> anything.
> I personally think he's full of shit, but the fact that he's a member of
> the organization and thus not only his personal prestige but also the
> organization's is at stake, makes you wonder. Anyhow, we'll see.
> I posted it yesterday to netsec but the mods removed it. Let's discuss
> it here!
> Edit 1: so my friends talked to him today, and he's serious about it. He
> says he's broken 1024 keys on Amazon clusters in 18 seconds.
> Edit 2: he claims some guy from Argentina found the same thing 6 years
> ago, and has been trying to show it on cons since then, but no con
> accepted his talk because they wouldn't believe him.
> Edit 3: he also says the attack consists in trying "probable primes",
> whose probability is generated by said bug. Might it be some variation
> on Fermat's attack?
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography

Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20141004/d790a6ac/attachment.html>

More information about the cryptography mailing list