[cryptography] Duplicate primes in lots of RSA moduli

Ondrej Mikle ondrej.mikle at nic.cz
Thu Feb 23 15:27:55 EST 2012


On 02/22/2012 10:55 PM, Marsh Ray wrote:
> 
> I'm putting myself in the position of an engineer who's designing the
> logic and writing some low-level firmware for the next consumer grade
> $50 blue box home router/wifi/firewall appliance:
> 
> ======= [cue dream sequence wavy blur effect]
> 
> I'm an EE with many years' experience going back almost, but not quite, as far
> as the days of fully discrete logic designs. I've been part of the
> current design team for 5 years now. I have a gray beard and drink 4
> mugs of strong coffee a day. I like to read science fiction and handmake
> acoustic guitars in my free time.

That is a great writeup. Can I get your permission for translating and
publishing it locally (with attribution to author, of course)?

Continuing with the duplicate moduli case, what is worse than key sharing or
sharing primes? Sharing keys _and_ sharing primes.

I took the first 80 or so results from crunching the moduli and mapped them back to
certificates. In EFF's SSL Observatory there were 3912 unique certs sharing
those factorized moduli (all embedded devices), plus a couple extra in other DBs.

That likely means 3912 separate devices sharing keys and primes. My
interpretation is that in many cases, the second prime was generated identically
to other devices as well (if the cert/private key was part of firmware, the
certs would have been identical). Not that it'd be much of a surprise.

As a side note, none of the moduli belonged to a DNSSEC key.

Ondrej
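
Added example, not part of the original post: a small audit of a certificate inventory that separates the two failure modes discussed above, identical moduli under different certs (shared key) and moduli with a common prime, using the standard GCD approach. The inventory, the device names and the function names are constructed for illustration, and this is not necessarily how the author crunched the moduli.

```python
from collections import defaultdict
from math import gcd, prod

# Constructed toy inventory (cert id -> RSA modulus). The factors are small
# Mersenne primes so the arithmetic is easy to follow; real moduli are 1024+ bits.
P_SHARED = 2**61 - 1
SAMPLE = {
    "dev-a": P_SHARED * (2**31 - 1),
    "dev-b": P_SHARED * (2**31 - 1),     # different cert, same key as dev-a
    "dev-c": P_SHARED * (2**19 - 1),     # different key, same first prime
    "dev-d": (2**17 - 1) * (2**13 - 1),  # shares nothing
}

def audit_moduli(certs):
    """Return (shared_keys, factored) for a {cert_id: modulus} inventory."""
    by_modulus = defaultdict(list)
    for cert_id, n in certs.items():
        by_modulus[n].append(cert_id)
    # Same modulus under more than one cert: the devices share a key pair.
    shared_keys = {n: sorted(ids) for n, ids in by_modulus.items() if len(ids) > 1}

    unique = list(by_modulus)
    product = prod(unique)
    factored = {}
    for n in unique:
        # (product mod n^2) / n == (product of the other moduli) mod n
        g = gcd(n, (product % (n * n)) // n)
        if g == n:
            # p and q each turn up in some other modulus; look pairwise instead.
            g = next((d for m in unique if 1 < (d := gcd(n, m)) < n), 1)
        if g > 1:
            factored[n] = tuple(sorted((g, n // g)))
    return shared_keys, factored

def keys_and_primes(certs):
    """Cert ids whose modulus is both reused across certs and factorable."""
    shared_keys, factored = audit_moduli(certs)
    return sorted(i for n, ids in shared_keys.items() if n in factored for i in ids)

if __name__ == "__main__":
    shared, factored = audit_moduli(SAMPLE)
    for n, (p, q) in factored.items():
        ids = [i for i, m in SAMPLE.items() if m == n]
        print(f"{ids}: {n} = {p} * {q}")
    print("shared key and shared prime:", keys_and_primes(SAMPLE))
```

Any cert id returned by keys_and_primes needs a fresh key pair generated on the device itself, since its private key is recoverable from public data alone.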


