An astonishing four out of every 1,000 public keys protecting webmail, online banking, and other sensitive online services provide no cryptographic security, a team of mathematicians has found. The research is the latest to reveal limitations in the tech used by more than a million Internet sites to prevent eavesdropping.
The finding, reported in a paper (PDF) to be presented at a cryptography conference in August, is based on the analysis of some 7.1 million 1024-bit RSA keys published online. By subjecting what’s known as the “modulus” of each public key to an algorithm first postulated more than 2,000 years ago by the Greek mathematician Euclid, the researchers looked for underlying factors that were used more than once. Almost 27,000 of the keys they examined were cryptographically worthless because one of the factors used to generate them was used by at least one other key.
“The fact is, if these numbers had the entropy that they were supposed to have, the probability of even one of these events happening in 7 million public keys would be vanishingly small,” James P. Hughes, an independent cryptographer who participated in the research, told Ars. “We thought that was rather startling.”
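The shared-factor check described above can be run by anyone who operates a fleet of RSA keys. The following is an added example, not code from the researchers or their paper: it applies Euclid's greatest-common-divisor algorithm to every pair of moduli and reports keys that share a prime. The host names and the toy moduli, built from small Mersenne primes, are constructed for illustration.

```python
from itertools import combinations
from math import gcd

def audit_moduli(moduli):
    """Audit RSA moduli for reused primes.

    moduli: dict mapping a key label to its modulus n.
    Returns (weak, duplicates): weak maps label -> (p, q), the full
    factorization exposed by a shared prime; duplicates is the set of
    labels whose modulus is identical to another key's modulus.
    """
    weak, duplicates = {}, set()
    for (a, na), (b, nb) in combinations(moduli.items(), 2):
        if na == nb:
            # Same modulus twice: gcd returns n itself and factors nothing,
            # but two holders of one key pair is still a finding.
            duplicates.update((a, b))
            continue
        g = gcd(na, nb)
        if g > 1:
            # One shared prime factors both moduli: n = g * (n // g).
            weak[a] = (g, na // g)
            weak[b] = (g, nb // g)
    return weak, duplicates

# Constructed sample data: Mersenne primes stand in for 512-bit primes.
M13, M17, M19, M31, M61 = (2**k - 1 for k in (13, 17, 19, 31, 61))
SAMPLE = {
    "mail.example": M61 * M31,
    "vpn.example": M61 * M19,     # reuses M61 from mail.example
    "bank.example": M17 * M13,
    "mirror.example": M17 * M13,  # identical modulus to bank.example
    "shop.example": M31 * M19 * 0 + 8191 * 524287 * 0 + 127 * 131,
}

if __name__ == "__main__":
    weak, dups = audit_moduli(SAMPLE)
    for label, (p, q) in sorted(weak.items()):
        print(f"{label}: shared prime {p}, cofactor {q}")
    print("identical moduli:", sorted(dups))
```

Comparing every pair costs quadratic time, which is fine for a few thousand keys; for millions of keys a product-tree batch GCD produces the same result in quasi-linear time.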