North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: 1024-bit RSA keys in danger of compromise (fwd)

  • From: Len Sassaman
  • Date: Mon Mar 25 20:16:01 2002

On Mon, 25 Mar 2002, Deepak Jain wrote:

> Since you are mentioning Verisign here, and CA authorities in general, has
> anyone considered that factoring the CA authority's key is far simpler than
> breaking the underlying key [no matter how large?]. Based on the

Well, that's not really the case. Breaking a 384 bit key is trivial.
Breaking a 1024 bit key is probably not possible without a multi-billion
dollar budget. 2048 bit keys are still in no danger of being broken any
time soon unless further advances are made in factoring.

But I see the point you are making, which is that targeting the CA lets
you attack all of the browsers that trust keys signed by that CA, rather
than specifically targeting that one site. However, MITM attacks are
active attacks, and run the risk of being detected by the the victim. If
you break the key a site is using for encryption, you can read the traffic
without fear of detection.

Other comments on this issue, which I covered in my DEFCON 9 presentation:
it would probably be a lot easier to compromise a CA's root key by means
of network or physical attack, rather than through cryptanalysis. It also
doesn't have to be Verisign you target -- there are over a hundred trusted
root certification authorities in IE, some of them issued to companies
that have gone bankrupt, or sold their root as part of their assets.

Remember, if you're attempting a MITM attack in TLS, you're really
exploiting poor design of the trust-management features of the client,
which is a whole can-o-worms in and of itself.