Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

RSA brushes off crypto research findings that RSA algorithm is flawed

After having its flagship RSA crypto system called flawed this week by prominent researchers in a paper they made available online, EMC's RSA security division struck back by saying the paper's results don't indicate a fundamental flaw in the RSA algorithm but more likely a problem with implementing it.

"On Feb. 14th, a research paper was submitted for publication stating that an alleged flaw has been found in the RSA encryption algorithm," RSA said Thursday in a statement. "Our analysis confirms to us that the data does not point to a flaw in the algorithm, but instead points to the importance of proper implementation, especially regarding the exploding number of embedded devices that are connected to the Internet today."

Ari Juels, chief scientist for RSA, told Network World that "the study is useful" as it pertains to the "failures of crypto protocols during random-number generation." But he faults its core idea that the RSA algorithm is somehow fundamentally flawed.

"I'd say all cryptography relies on good true random-number generation. And when that goes wrong, the protocol breaks," Juels says. He faults the conclusions of the paper that there was something intrinsically wrong with the RSA algorithm. The paper might have found that the RSA algorithm "might be a little less robust than another one," but "it's obviously not a problem with the RSA algorithm, it's the way the keys were generated."

He said this is not an issue that goes unrecognized today in industry, and Intel is in fact building a fast random-number generator in its upcoming Ivy Bridge chip.

RSA was not apprised of the paper before it appeared online.

In its formal statement, RSA did not dispute specifics in the paper, which was authored by Arjen Lenstra, James Hughes, Maxime Augier, Joppe Bos, Thorsten Kleinjung and Christophe Wachter. The paper sought to look at the security tied to millions of public X.509 certificates that they collected across the web. Based on the data they collected, they concluded "1,024-bit RSA provides 99.8% security at best."

BACKGROUND: Crypto experts analyze millions of X.509 certificates, call RSA crypto flawed

The research group of cryptographers said they collected 6.4 million distinct X.509 certificates and PGP keys containing RSA moduli, and in analyzing their enormous cache, found duplicate RSA-moduli keys about 1% of the time.

"More seriously, we stumbled upon 12,720 different 1,024-bit RSA moduli that offer no security," the researchers said in their paper, which is titled "Ron was wrong, Whit was right" a reference to Ron Rivest, co-inventor of the RSA algorithm, and noted cryptographer Whitfield Diffie. The paper leveled a devastating critique against RSA as fundamentally flawed.

In its retort against the researchers' paper, RSA said, "We welcome this form of research" because it "contributes to better overall security for everyone," but emphasized "the RSA algorithm has withstood such scrutiny for decades from multiple sources."

RSA went on to say good cryptography "depends on proper implementation. True random-number generation underpins nearly all cryptographic algorithms and protocols, and must be performed with care against the weakening of well-designed cryptography. Our analysis points to the need for better care in implementation, generally tied to embedded devices. We see no fundamental flaw in the algorithm itself, and urge all cryptography users to ensure good implementation and best practices are followed."

RSA also received some measure of support from noted security researcher Dan Kaminsky who Thursday posted a blog about the crypto controversy.

Lenstra and Hughes are prominent cryptographers, and Kaminsky says he considered they had done "excellent survey work" which in total included a look at 11.7 million public keys. But he basically rejected the fundamental thesis of their paper.

"[T]here's just no way we get from this survey work, to the thesis that surrounds it," writes Kaminsky in his blog. He argues that "On the basic level, risk in cryptography is utterly dominated, not by cipher selection, but by key management. The study found 12,720 public keys. It also found approximately 2.94 million expired certificates. And while the study didn't discuss the number of certificates that had no reason to be trusted in the first place (being self signed) it did find 5.4 million PGP keys."

Kaminsky goes on to say much more, including, "What the data from the survey says, unambiguously, is that most keys on the Internet today have no provenance that can be trusted, not even through whatever value the CA [certificate authority] system affords. Key Management - as Whit Diffie himself has said - is the hard problem now for cryptography."

Kaminsky also observes, "This is a paper based on survey work, in which empirically validated existence of an implementation flaw (12,720 crackable keys) is being used to justify a design bias (don't use a multi-secret algorithm). The argument is that multi-secret algorithms cause crackable public keys."

Kaminsky indicated he doesn't buy the conclusions made in the crypto researchers' paper. "I don't mean to be too hard on this paper, which again, has some excellent data and analysis inside. I've been strongly advocating for the collection of data in security, as I think we operate more on assumption and rumor than we'd like to admit. The flip side is that we must take care not to fit our data to those assumptions."

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.

Read more about wide area network in Network World's Wide Area Network section.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: CA Technologies, EMC, IDG, Intel, inventor, LAN, PGP, RSA
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: Arjen Lenstra, Dan Kaminsky, EMC, Ron was wrong, RSA flaw, security, Whit is right
Latest Blog Posts
Whitepapers
  • Seven Ways Business Activity Monitoring (BAM) Makes Your Supply Chain More Efficient
    webMethods Optimize for B2B offers a set of technology capabilities commonly described as Business Activity Monitoring (BAM). To appreciate the value of Optimize and how it operates in conjunction with webMethods Trading Networks, it is helpful to understand the basic concepts behind BAM and how the technology is applied in a business setting. Read on.
    Learn more »
  • Control your Print Environment
    In your ongoing quest to maximize productivity and drive down costs, you might be surprised by the savings and greater competitive advantage you can achieve with a fully optimised and well-managed printing and imaging environment. In fact, studies have shown that managing your fleet holistically can save you upwards of 30% on your printing costs. And the savings increase exponentially when the scope of work includes automating your paper intensive workflows. Read more.
    Learn more »
  • Teleworking made simple—and secure—with desktop virtualisation technology
    Businesses of all sizes are increasingly focused on creating flexible work environments and offering telework options for employees. By administering policies and providing the technical capability for employees to work remotely, these companies can improve job satisfaction and worker attraction and retention. This paper explores the implementation of teleworking based on a foundation of desktop and server virtualisation.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.