Thursday, October 31, 2013

IF YOU HAVE SSL OR TLS KEYS, YOU MIGHT WANT TO CHECK THEIR VALIDITY.

A recent paper used a large collection of keys to assess their security: it compared the public keys of all of the sites on the internet against each other and found staggering results.

There is a web lookup table to verify your key here.


If you don't know that much about crypto, here is a quick background on some cryptographic primitives you will need to know. For those who are not familiar with cryptography and security, I will give a brief overview of the public/private key system, with some links to information to learn more.

Private and Public Keys
This picture depicts what goes on over the network really well from the sender's side. When the recipient needs to send information, the recipient becomes the sender and the process is repeated with different keys. The public and private keys are mathematically linked by combining two big, cryptographically secure primes. They must be primes because we don't want one to be divisible by the other (or by the message), which would make recovering the plain-text very complex even with the right key. The private key holds both primes separately, but the public key has them multiplied together. This is based on the theory that it is hard to reverse this multiplication.

Now to the actual article

A research department scanned every known IPv4 address in the world and grabbed each host's public key. They then compared each key against all of the others and found some surprising results: 64,000 keys shared a public key with another host. Since there are 4 billion unique IPv4 addresses, this only amounts to 0.0016%, so that's not bad, right? But you would be wrong. The strength of these keys lies in their uniqueness, in the fact that someone can't just figure out the two primes. If two people have the same key, then they both hold the same two primes, because the product of the two primes will only have those factors in common. And even though there may be 4 billion addresses, only 12.8 million of them had public keys. That brings the percentage to 0.5%, which means that 1 out of every 200 keys is shared.
Here is an excerpt from the article 

"The output was a list of 64,081 compromised keys for TLS hosts, about 0.5 percent of all such keys collected. For obvious reasons, Heninger et al. are not publishing that list; they tried to contact the owners of vulnerable machines, and they offer a web lookup service where you can check to see if your key is on the list."
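The check behind that lookup service, as an added example that is not code from the post or from the paper: given your own inventory of RSA moduli, take the GCD of each modulus with the product of all the others. A result of 1 means the key shares no prime with any other key; a result equal to the modulus means the whole key is duplicated elsewhere; anything in between is a shared prime, and the other factor follows by division. The host names and tiny primes below are constructed for illustration (real keys use primes of hundreds of digits).

```python
from math import gcd
from functools import reduce

# Constructed toy RSA moduli N = p*q (hypothetical hosts, tiny primes, illustration only).
# host-a and host-b deliberately share the prime 101; host-c and host-d carry the same key.
MODULI = {
    "host-a": 101 * 103,   # 10403
    "host-b": 101 * 107,   # shares p = 101 with host-a
    "host-c": 109 * 113,   # 12317
    "host-d": 109 * 113,   # identical modulus to host-c
    "host-e": 127 * 131,   # unique, shares nothing
}


def find_shared_factors(moduli):
    """Return {host: finding} for every modulus that is not unique.

    finding is ("duplicate", N) when the same modulus appears on another host,
    or (p, q) when the modulus shares exactly one prime with another key.
    Hosts whose key shares nothing are omitted.
    """
    product = reduce(lambda a, b: a * b, moduli.values(), 1)
    weak = {}
    for host, n in moduli.items():
        # product // n is the product of every *other* modulus in the inventory.
        g = gcd(n, product // n)
        if g == 1:
            continue                      # no prime in common with any other key
        if g == n:
            weak[host] = ("duplicate", n)  # whole key reused on another host
        else:
            weak[host] = (g, n // g)       # shared prime g; second factor by division
    return weak


if __name__ == "__main__":
    for host, finding in sorted(find_shared_factors(MODULI).items()):
        print(host, finding)
```

For a real inventory you would load each certificate's RSA modulus into the dictionary and, for large collections, replace the single product with the product-tree (batch GCD) variant the paper describes.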

Yeah, that's bad. Crypto is good on paper, but there are so many things that can go wrong that it's difficult to implement correctly.
Luckily my keys were unique enough.
