[cryptography] Non-governmental exploitation of crypto flaws?
pgut001 at cs.auckland.ac.nz
Mon Nov 28 00:06:45 EST 2011
Solar Designer <solar at openwall.com> writes:
>Here are some examples of 512-bit RSA keys factored:
Right, but that doesn't say anything about what happened here. In every other
case we know of in which malware has been signed by CA-issued certs, the keys
were either stolen or, more rarely, bought using stolen credentials. Given
that you can get certs and keys for free from your botnet (a single months'
data from the Kneber botnet alone, a single instance of a Zeus-based botnet,
had over two thousand private keys and certs), you can't use the Politician's
Fallacy to claim that the keys used in this case were obtained by factoring.
They may have been, but they could just as easily have been stolen, and in
every other instance where this has occurred in the past they've been stolen
or fraudulently obtained. Until there's a web interface that the bad guys can
click on that, when fed a cert, gives them the private key a few seconds
later, you're not going to beat the convenience of a straightforward
More information about the cryptography