[cryptography] Running a keyserver is valuable OR pairwise attacks on public keys

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Sep 9 18:09:49 EDT 2011

Tom Ritter <tom at ritter.vg> writes:

>The public keys were all analyzed and compared efficiently pairwise
>(computing the GCD I believe) to see if by some small chance a factorization
>would occur.  And it did - I recall the website saying it was a very strange
>scenario with one of the keys not actually being correctly semiprime and
>having several small factors.

My code performs fairly rigorous checks on any keys it processes.  At one
point it was rejecting keys generated by a CA for a user, and when I looked
into it found some similar problem (I can't remember the exact details, I just
reported back to the user that the keys their CA was generating for them were
being rejected as insecure.  I think they fixed the problem by disabling the

The amusing thing about this is that the usual CA argument for the backwards
process of having the CA generate the private key for the user is that the CA
wants to make sure it's done correctly.
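
A key-acceptance check of the kind both messages describe, as an added example that is not part of the original thread and is not Peter Gutmann's code: it rejects RSA moduli that have small prime factors or that share a factor (pairwise GCD) with another modulus in the set. The function names, the trial-division bound and the sample keys are assumptions constructed for illustration.

```python
from itertools import combinations
from math import gcd

def small_primes(limit):
    """Primes below `limit` (sieve of Eratosthenes)."""
    sieve = bytearray([1]) * limit
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit, i)))
    return [i for i, is_prime in enumerate(sieve) if is_prime]

SMALL_PRIMES = small_primes(2000)  # trial-division bound is an assumption

def audit_moduli(keys):
    """keys maps a label to an RSA modulus n; returns label -> reasons to reject."""
    findings = {label: [] for label in keys}
    for label, n in keys.items():
        # A well-formed modulus is a product of two large primes, so any
        # small prime divisor means key generation went wrong.
        factors = [p for p in SMALL_PRIMES if p < n and n % p == 0]
        if factors:
            findings[label].append(("small_factors", factors))
    for (a, na), (b, nb) in combinations(keys.items(), 2):
        g = gcd(na, nb)
        if na == nb:
            reason = "duplicate_modulus"
        elif g > 1:
            # A common divisor factors both moduli from public data alone.
            reason = "shared_factor"
        else:
            continue
        findings[a].append((reason, b, g))
        findings[b].append((reason, a, g))
    return {label: f for label, f in findings.items() if f}

# Constructed sample keys built from Mersenne primes 2**k - 1 (toy values).
M31, M61, M89, M107, M127, M521 = (2**k - 1 for k in (31, 61, 89, 107, 127, 521))
SAMPLE_KEYS = {
    "alice": M89 * M107,
    "bob": M89 * M127,           # shares the prime M89 with alice
    "carol": M31 * M61,          # well formed
    "dave": 3 * 5 * 7 * M521,    # not a semiprime: several small factors
}

if __name__ == "__main__":
    for label, reasons in audit_moduli(SAMPLE_KEYS).items():
        print(label, reasons)
```

The pairwise loop is quadratic in the number of keys; audits of large key collections compute the same GCDs with product and remainder trees (batch GCD).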

