New research from Keyfactor reveals that approximately 1 in 172 online certificates contain significant vulnerabilities due to poorly generated RSA keys, potentially impacting millions of encryption keys. This primarily affects Internet of Things (IoT) devices but poses a threat across various systems employing flawed RSA or ECC keys. Keyfactor's analysis indicates that with limited resources, attackers can compromise a notable percentage of these certificates rapidly, allowing potential impersonation risks for SSL/TLS server certificates, thereby threatening the integrity of encrypted communications.
With modest resources, we were able to obtain hundreds of millions of RSA keys used to protect real-world traffic on the internet.
Using a single cloud-hosted virtual machine and a well-studied algorithm, over one in 200 certificates using these keys can be compromised in a matter of days.
This is concerning, as a party with a re-derived private key for an SSL/TLS server certificate can impersonate that entity.
The root of the problem is poor random number generation, with keys sharing prime factors with other keys.
Collection
[
|
...
]