Purdue University professor Eugene Spafford says a recently published paper that called into question the security of RSA public-private keys has lessons for security researchers.
The paper found that the algorithms used to generate random numbers for use in encryption keys could make a secret number public. However, Spafford says that some smaller organizations apparently created their own Secure-Socket-Layer public-private-key set using software to generate random numbers. The smaller organizations may have used a small set of seed values that would generate the same set of large prime numbers.
"It's important that we regularly verify our assumptions, verify that the systems we're using really work the way that they're supposed to work," Spafford says.
The researchers found that by collecting a very large number of existing public keys and doing some analysis, they were able to find common factors that were used in generating those keys. One of the problems with encryption is the whole aspect of key generation and management, and that has been the case for a very long time, Spafford notes.
"We're able to develop and use algorithms that are effectively unbreakable given current technology, but unless we're able to generate truly random keys and keep them appropriately safe from prying eyes, then it doesn't matter how strong the algorithms really are," he warns.
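The common-factor check described above can be run as an audit over an organization's own inventory of RSA public keys. The sketch below is an added example, not code from the paper or the article. It assumes a product-tree and remainder-tree batch GCD as the method, which the article does not specify, and the host names and toy-sized moduli are constructed for illustration.

```python
from math import gcd, prod

def product_tree(values):
    """Levels of pairwise products; the last level holds the product of all values."""
    tree = [list(values)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([prod(level[i:i + 2]) for i in range(0, len(level), 2)])
    return tree

def shared_factors(moduli):
    """Return {index: factor} for every modulus sharing a factor with another entry.

    A factor equal to the modulus itself means the same modulus appears twice.
    """
    tree = product_tree(moduli)
    rems = tree.pop()                      # [P], the product of every modulus
    while tree:
        level = tree.pop()
        # Push P down the tree: each node keeps P mod (node value)^2.
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(level)]
    findings = {}
    for i, (n, r) in enumerate(zip(moduli, rems)):
        g = gcd(n, r // n)                 # equals gcd(N_i, P / N_i)
        if g != 1:
            findings[i] = g
    return findings

# Constructed inventory: toy moduli built from small primes (real keys are 2048+ bits).
INVENTORY = {
    "web01": 101 * 103,
    "vpn01": 101 * 107,    # reuses the prime 101 from web01 (weak seeding)
    "mail01": 109 * 113,
    "db01": 127 * 131,
}

def audit(inventory):
    """Map each affected host to the factor its key shares with another key."""
    hosts = list(inventory)
    hits = shared_factors([inventory[h] for h in hosts])
    return {hosts[i]: g for i, g in hits.items()}

if __name__ == "__main__":
    for host, factor in audit(INVENTORY).items():
        print(f"{host}: shares factor {factor}; regenerate this key pair")
```

Any host this flags needs a new key pair generated from a properly seeded random source, since a shared prime exposes both private keys.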
Abstracts Copyright © 2012 Information Inc., Bethesda, Maryland, USA