[Cryptography] "NSA could put undetectable “trapdoors” in millions of crypto keys"

Ray Dillinger bear at sonic.net
Tue Oct 11 15:24:39 EDT 2016



On 10/11/2016 08:56 AM, Jerry Leichter wrote:

> Basically the researchers describe a way to generate primes for which number sieve is much easier if you know the secret - and there's no way to detect this by looking at the prime.  In the case of 1024 bit D-H primes, the result would be to move cracking into a fairly easy range.  And in the case of most of the widely-used 1024-bit D-H primes, nothing is known about how they were generated.

So there is now a potentially very large undetectable class of
weak keys.

I suppose the prudent thing to do would be to behave as if there
has been a breakthrough in factoring such that primes now require
about twice as many bits in length to achieve the same level of
security against factoring.  For primes whose origins we don't
know anyway - but that pretty much includes all 'ephemeral' DH
primes, as well as the primes used to construct RSA keys created
by others.

Am I right in thinking that this affects pretty much all pubkey
crypto operations performed on a modular field -- RSA, DH, ECC,
etc?

				Bear

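As an added example (not part of the thread, and not code from the paper it discusses): the one thing that can be done about a prime of unknown origin is to refuse it in favour of a group whose derivation is public, and the RFC 2409 / RFC 3526 MODP primes are exactly that, built from the binary expansion of pi plus a published offset. The helper below re-derives such a prime from its recipe so a deployed group can be compared against it; the function and dictionary names are my own.

```python
# Hypothetical helper code for this thread, not from the paper or any library.
# RFC 2409 / RFC 3526 define their MODP Diffie-Hellman primes by a fixed recipe:
#     p = 2^n - 2^(n-64) - 1 + 2^64 * (floor(2^(n-130) * pi) + c)
# with c the published offset that makes p a safe prime. A public recipe lets a
# deployed group be re-derived and compared; a prime of unknown origin cannot be.
import random

MODP_GROUPS = {  # name: (bit length n, published offset c)
    "modp1024 (RFC 2409 group 2)": (1024, 129093),
    "modp2048 (RFC 3526 group 14)": (2048, 124476),
}

def pi_fixed(bits):
    """floor(pi * 2^bits) via Machin's formula in pure integer arithmetic."""
    scale = 1 << (bits + 64)         # 64 spare bits absorb truncation error

    def arctan_inv(x):               # scale * arctan(1/x) as alternating series
        total, term, k, sign = 0, scale // x, 1, 1
        while term:
            total += sign * (term // k)
            term //= x * x
            k, sign = k + 2, -sign
        return total

    return (16 * arctan_inv(5) - 4 * arctan_inv(239)) >> 64

def modp_prime(n, c):
    """Rebuild the n-bit RFC prime from the pi recipe and its offset c."""
    return (1 << n) - (1 << (n - 64)) - 1 + (1 << 64) * (pi_fixed(n - 130) + c)

def is_probable_prime(p, rounds=16):  # Miller-Rabin, random bases
    if p < 4 or p % 2 == 0:
        return p in (2, 3)
    d, r = p - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, p - 1), d, p)
        if x in (1, p - 1):
            continue
        for _ in range(r - 1):
            x = x * x % p
            if x == p - 1:
                break
        else:
            return False
    return True

def provenance_matches(candidate, n, c):  # does a deployed prime equal the recipe?
    return candidate == modp_prime(n, c)
```

Feeding a server's actual DH modulus into provenance_matches with the group's (n, c) answers the provenance question for that one group; a mismatch does not prove a trapdoor, only that the prime is not the documented one.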

