
List:       isn
Subject:    [ISN] Breaking 512-bit RSA with Amazon EC2 is a cinch. So why all the weak keys?
From:       InfoSec News <alerts () infosecnews ! org>
Date:       2015-10-22 9:14:30
Message-ID: alpine.DEB.2.02.1510220914200.31515 () infosecnews ! org

http://arstechnica.com/security/2015/10/breaking-512-bit-rsa-with-amazon-ec2-is-a-cinch-so-why-all-the-weak-keys/


By Dan Goodin
Ars Technica
Oct 20, 2015

The cost and time required to break 512-bit RSA encryption keys has 
plummeted to an all-time low of just $75 and four hours using a recently 
published recipe that even computing novices can follow. But despite the 
ease and low cost, reliance on the weak keys to secure e-mails, 
secure-shell transactions, and other sensitive communications remains 
alarmingly high.

The technique, which uses Amazon's EC2 cloud computing service, is 
described in a paper published last week titled Factoring as a Service. 
It's the latest in a 16-year progression of attacks that have grown ever 
faster and cheaper. When 512-bit RSA keys were first factored in 1999, it 
took a supercomputer and hundreds of other computers seven months to carry 
out. Thanks to the edicts of Moore's Law—which holds that computing power 
doubles every 18 months or so—the factorization attack required just seven 
hours and $100 in March, when "FREAK," a then newly disclosed attack on 
HTTPS-protected websites with 512-bit keys, came to light.

In the seven months since FREAK's debut, websites have largely jettisoned 
the 1990s era cipher suite that made them susceptible to the factorization 
attack. And that was a good thing since the factorization attack made it 
easy to obtain the secret key needed to cryptographically impersonate the 
webserver or to decipher encrypted traffic passing between the server and 
end users. But e-mail servers, by contrast, remain woefully less 
protected. According to the authors of last week's paper, the RSA_EXPORT 
cipher suite is used by an estimated 30.8 percent of e-mail services using 
the SMTP protocol, 13 percent of POP3S servers, and 12.6 percent of 
IMAP-based e-mail services.

[...]



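
Added example (not part of the original message or the Ars Technica article): the excerpt notes that weak RSA keys still protect secure-shell sessions, so this sketch audits OpenSSH-format public key lines (authorized_keys or known_hosts style) and reports RSA moduli below a size floor. MIN_BITS, the function names and the sample lines are assumptions made for illustration; the sample keys are constructed and unusable.

```python
import base64

MIN_BITS = 2048  # assumed policy floor, not a figure from the article

def _field(blob, off):
    """Read one 4-byte-length-prefixed field (RFC 4253 string/mpint)."""
    size = int.from_bytes(blob[off:off + 4], "big")
    end = off + 4 + size
    if end > len(blob):  # also catches a short length prefix
        raise ValueError("truncated field")
    return blob[off + 4:end], end

def rsa_bits(line):
    """Modulus size in bits of the ssh-rsa key on this line, or None if there is none."""
    parts = line.split()
    if "ssh-rsa" not in parts[:-1]:
        return None
    blob = base64.b64decode(parts[parts.index("ssh-rsa") + 1], validate=True)
    ktype, off = _field(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("key type inside blob does not match")
    _exponent, off = _field(blob, off)
    modulus, _ = _field(blob, off)
    return int.from_bytes(modulus, "big").bit_length()

def audit(lines, min_bits=MIN_BITS):
    """Return (line_number, bits) per undersized RSA key; bits is 0 if unparseable."""
    findings = []
    for number, line in enumerate(lines, 1):
        if line.lstrip().startswith("#"):
            continue
        try:
            bits = rsa_bits(line)
        except ValueError:  # includes binascii.Error from bad base64
            bits = 0
        if bits is not None and bits < min_bits:
            findings.append((number, bits))
    return findings

def _constructed_line(bits, comment):
    """Build a CONSTRUCTED ssh-rsa line of the given modulus size (not a usable key)."""
    pack = lambda b: len(b).to_bytes(4, "big") + b
    mpint = lambda x: pack(x.to_bytes(x.bit_length() // 8 + 1, "big"))
    blob = pack(b"ssh-rsa") + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

SAMPLE = ["# constructed sample file", _constructed_line(512, "legacy@mail"),
          _constructed_line(2048, "admin@host"), "ssh-ed25519 PLACEHOLDER ops@host"]
print(audit(SAMPLE))
```

Non-RSA key types are skipped rather than judged, and a line whose ssh-rsa blob cannot be decoded is reported with a size of 0 so it gets a manual look.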
