[cryptography] Non-governmental exploitation of crypto flaws?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Nov 28 00:06:45 EST 2011

Solar Designer <solar at openwall.com> writes:

>Here are some examples of 512-bit RSA keys factored:

Right, but that doesn't say anything about what happened here.  In every other 
case we know of in which malware has been signed by CA-issued certs, the keys 
were either stolen or, more rarely, bought using stolen credentials.  Given 
that you can get certs and keys for free from your botnet (a single months' 
data from the Kneber botnet alone, a single instance of a Zeus-based botnet, 
had over two thousand private keys and certs), you can't use the Politician's 
Fallacy to claim that the keys used in this case were obtained by factoring.  
They may have been, but they could just as easily have been stolen, and in 
every other instance where this has occurred in the past they've been stolen 
or fraudulently obtained.  Until there's a web interface that the bad guys can 
click on that, when fed a cert, gives them the private key a few seconds 
later, you're not going to beat the convenience of a straightforward 
kleptographic attack.


More information about the cryptography mailing list