[cryptography] Non-governmental exploitation of crypto flaws?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Nov 27 22:57:03 EST 2011


Marsh Ray <marsh at extendedsubset.com> writes:

>* Here's an example of RSA-512 certificates being factored and used to sign
>malware:
>http://blog.fox-it.com/2011/11/21/rsa-512-certificates-abused-in-the-wild/

That's an example of *claims* of 512-bit keys being factored, with the
thinking being "everyone knows 512-bit keys are weak, the certs used 512-bit
keys, therefore they must have got them by factoring".  Unfortunately this
doesn't explain how they go the 1024-bit and longer keys that were also used
in the attack.

That's not to say they weren't obtained in this manner, but with nothing more
than the Politician's Fallacy as supporting evidence there's nothing to
indicate they didn't just steal them like everyone else does.

Peter.




More information about the cryptography mailing list