March 28, 2024

New research: There's no need to panic over factorable keys, just mind your Ps and Qs

You may have seen the preprint posted today by Lenstra et al. about entropy problems in public keys. Zakir Durumeric, Eric Wustrow, Alex Halderman, and I have been waiting to talk about some similar results. We will be publishing a full paper after the relevant manufacturers have been notified. Meanwhile, we’d like to give a more complete explanation of what’s really going on.

We have been able to remotely compromise about 0.4% of all the public keys used for SSL web site security. The keys we were able to compromise were generated incorrectly, using predictable “random” numbers that were sometimes repeated. There were two kinds of problems: keys that were generated with predictable randomness, and a subset of these where the lack of randomness allows a remote attacker to efficiently factor the public key and obtain the private key. With the private key, an attacker can impersonate a web site or possibly decrypt encrypted traffic to that web site. We’ve developed a tool that can factor these keys and give us the private keys to all the hosts on the Internet vulnerable to this attack in only a few hours.
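As an added illustration (not code from the authors' tool or their forthcoming paper), the following Python audits a set of RSA moduli for shared primes using the batch-GCD (product tree / remainder tree) technique: each modulus is reduced against the product of all the others, and any key whose gcd with that product is non-trivial is factored on the spot. The moduli are constructed here from small primes so the script runs instantly; the same check over a real key inventory is what a device owner or certificate authority would run to find keys generated from poor entropy.

```python
from math import gcd

def product_tree(xs):
    """Levels of a product tree: leaves first, the single root product last."""
    levels = [list(xs)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([prev[i] * prev[i + 1] if i + 1 < len(prev) else prev[i]
                       for i in range(0, len(prev), 2)])
    return levels

def batch_gcd(moduli):
    """For each N_i return gcd(N_i, product of all other N_j) in quasi-linear time.

    Remainder tree: R_root = product of all N; for every child x, R_x = R_parent mod x**2.
    At a leaf N_i, R_i = N_i * (M_i mod N_i) where M_i is the product of the other moduli,
    so gcd(N_i, R_i // N_i) == gcd(N_i, M_i) without ever forming M_i explicitly.
    """
    levels = product_tree(moduli)
    rems = [levels[-1][0]]
    for level in reversed(levels[:-1]):
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(level)]
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]

def find_shared_factors(moduli):
    """Map index -> (p, q) for moduli sharing exactly one prime with another key,
    or index -> None for moduli that are fully repeated (gcd equals the modulus)."""
    weak = {}
    for i, (n, g) in enumerate(zip(moduli, batch_gcd(moduli))):
        if g == n:
            weak[i] = None
        elif g > 1:
            weak[i] = (g, n // g)
    return weak

# Constructed sample keys (tiny primes, not real certificates): keys 0 and 1 reuse
# the same "p", as a device with a bad RNG would; keys 2 and 3 are independent.
SHARED_P = 2147483647            # 2**31 - 1, prime
SAMPLE_MODULI = [
    SHARED_P * 1000000007,
    SHARED_P * 998244353,
    1000000009 * 4294967291,
    999983 * 1000003,
]

if __name__ == "__main__":
    for i, f in find_shared_factors(SAMPLE_MODULI).items():
        print(f"key {i}: {'duplicate modulus' if f is None else 'factored as %d * %d' % f}")
```

Keys 2 and 3 never appear in the result: a modulus with no prime in common with any other key yields a gcd of 1, which is the expected outcome for properly generated keys.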

However, there’s no need to panic, as this problem mainly affects various kinds of embedded devices such as routers and VPN devices, not full-blown web servers. (It’s certainly not, as suggested in the New York Times, any reason to have diminished confidence in the security of web-based commerce.) Unfortunately, we’ve found vulnerable devices from nearly every major manufacturer, and we suspect that more than 200,000 devices, representing 4.1% of the SSL keys in our dataset, were generated with poor entropy. Any weak key found to have been generated by a device suggests that the entire class of devices may prove vulnerable upon further analysis.

We’re not going to announce every device we think is vulnerable until we’ve contacted their manufacturers, but the attack is fairly easy to reproduce from material already known. That’s why we are working on putting up a web site that you can use to determine whether your device is immediately vulnerable.

Read on for more details, and watch for our full paper soon.

Telex and Ethan Zuckerman's "Cute Cat Theory" of Internet Censorship

A few years ago, Ethan Zuckerman gave a talk at CITP on his “cute cat theory” of internet censorship (see also NY Times article), which goes something like this:

Most internet users use the internet and social media tools for harmless activities, like looking at pictures of kittens online. However, an open social media site is open to political content as well as pictures of kittens. Repressive governments might attempt to block this political content by blocking access to, say, all of Blogspot or all of Twitter, but in doing so they also block people from looking at non-political content, like pictures of cute kittens. This both brings more attention to the political causes the government is trying to suppress through the Streisand effect, and can politicize users who previously just wanted unfettered access to cute kittens.

This is great for Web 2.0, and suggests that activists should host their blogs on sites where a lot of kittens would be taken down as collateral damage should they be blocked.

However, what happens when a government is perfectly willing to block all social media? What if a user wants to do more than produce political content on the web?

Telex (blog post) can be seen as a technological method of implementing the cute cat theory for the entire internet: the system allows a user to circumvent internet censorship by executing a secret knock on potentially any web site outside of the censor’s network. When any web site, no matter how innocuous or critical to business or political infrastructure, can be used for a political goal in this fashion, the censorship/anti-censorship cat-and-mouse game is elevated beyond single proxies and lists of blockable Tor nodes, and beyond kittens, to the entire internet.