Posted on Feb 13, 2020
In late 2019, a research report was published that pointed out the existence of numerous weak RSA certificates in active use on the Internet. While the RSA algorithm is secure, many organisations were using it improperly, which would allow an attacker to generate fake, verifiable RSA certificates.
For users trusting these weak certificates, the impact is significant. A fake RSA certificate used in HTTPS undermines website security, since it could allow an attacker to impersonate a trusted site. For Internet of Things (IoT) devices trusting self-signed, vulnerable certificates, this vulnerability could open them up to compromise, potentially enabling an attacker to add them to a botnet performing Distributed Denial of Service (DDoS) attacks or to steal sensitive data collected and processed by these devices.
How RSA Certificates Work
RSA certificates are one example of public key cryptography. Public key or “asymmetric” cryptography uses two different encryption keys: a private key and a public key. The private key is used for decrypting messages or generating digital signatures, and the public key can encrypt data or verify digital signatures.
These two keys are related. The public key is calculated from the private key using a “one-way” function. These one-way functions are based on a mathematically “hard” problem, meaning that a certain function is relatively easy (of polynomial difficulty) to perform, but its inverse is much harder (exponential difficulty).
In the case of RSA, this “hard” problem is the factoring problem. The factoring problem rests on the assumption that it is fairly “easy” to multiply two large prime numbers together but relatively “hard” to determine these two factors with knowledge of their product. With modern systems, this assumption is valid and the system is secure as long as an attacker does not know either of these two factors.
The RSA Certificate Vulnerability
Recent research by KeyFactor demonstrates that this assumption (that an attacker doesn’t know the secret factors used in an RSA calculation) may not always be valid. A study of 75 million RSA public keys in active use revealed that 1 in every 172 of these keys shared a common factor.
These shared factors are a problem for the security of these RSA secret keys since they would allow an attacker to determine both prime factors used in the calculation. With this data, they could derive the private key associated with a given public key. Of the 75 million keys studied, the researchers were able to derive private keys for 435,000 of them.
The cause of these weak RSA keys is attributed to the growth of IoT devices. These IoT devices commonly have significant power restrictions and limited entropy. Since entropy is crucial to the generation of strong random numbers, these devices are often generating the same random numbers when trying to identify prime numbers for use in RSA certificates. As a result, these certificates are much more likely to share prime factors, making them vulnerable to attack.
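Two RSA moduli that share a prime reveal it through a greatest-common-divisor computation, so an organisation can run the same check over its own certificate inventory to find keys that must be reissued. The following is an added example, not code from the research or from this article: it uses the standard product-tree and remainder-tree "batch GCD" method, and the device labels and toy moduli (products of Mersenne primes) are constructed for illustration.

```python
from math import gcd, prod

def product_tree(values):
    """Levels of pairwise products; the last level is [product of all values]."""
    tree = [list(values)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([prod(level[i:i + 2]) for i in range(0, len(level), 2)])
    return tree

def batch_gcd(moduli):
    """Return gcd(N_i, product of all other moduli) for every N_i."""
    tree = product_tree(moduli)
    rems = tree.pop()                      # [P], the product of every modulus
    while tree:
        level = tree.pop()
        # Reduce the parent's remainder mod n^2, ending with P mod N_i^2 per leaf.
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(level)]
    # P mod N_i^2 == N_i * (Q mod N_i), where Q is the product of the others.
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]

def audit(keys):
    """keys maps label -> RSA modulus; returns label -> shared factor for weak keys.

    A factor equal to the modulus itself means both primes occur elsewhere in
    the set (or the modulus is duplicated); either way the key must be replaced.
    """
    labels = list(keys)
    factors = batch_gcd([keys[label] for label in labels])
    return {label: g for label, g in zip(labels, factors) if g != 1}

# Constructed toy inventory: products of Mersenne primes stand in for real
# 2048-bit moduli, and the device labels are hypothetical.
M = {e: 2**e - 1 for e in (31, 61, 89, 107, 127, 521, 607, 1279)}
FLEET = {
    "device-a": M[61] * M[89],     # shares one prime with b and the other with d
    "device-b": M[61] * M[107],
    "device-c": M[127] * M[521],   # both primes unique
    "device-d": M[31] * M[89],
    "device-e": M[607] * M[1279],  # both primes unique
}

if __name__ == "__main__":
    for label, factor in audit(FLEET).items():
        print(f"{label}: reissue, shares a {factor.bit_length()}-bit factor")
```

The tree approach matters at scale: comparing every pair of keys grows quadratically with the inventory, while this method needs only one product and one pass of reductions.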
Implications of the Vulnerability
RSA certificates are used for a variety of different purposes. The nature of asymmetric cryptography means that these certificates can be used to establish a secure communications channel with another party (by sending them a message encrypted with their public key) or to verify the identity of a message’s sender (by checking if a digital signature sent with the message is valid).
However, these uses of asymmetric cryptography assume that only the owner of a public key has knowledge of the corresponding private key and the prime values used in the calculation of the public key. With the newly-revealed weaknesses of RSA certificates currently in use, this assumption is not valid for 1 of every 172 certificates.
The implications of this are significant for web security since encrypted HTTPS webpages use digital signatures to prove their identity to a visitor. If an attacker can derive the private key for the digital certificate associated with a particular webpage, they can create valid HTTPS connections with visitors to that webpage. This could allow the attacker to collect sensitive data entered by the user into the site or serve pages with embedded malicious code for the unsuspecting user to run.
In the case of this study, the vast majority of vulnerable certificates were self-signed keys used by IoT device manufacturers. Certificates generated by reputable certificate authorities (CAs) were generally secure. However, the use of insecure certificates by IoT manufacturers is concerning. Compromised IoT devices are already commonly used in DDoS attacks, and this weakness may allow cybercriminals impersonating legitimate IoT servers to trick additional IoT devices into joining their botnets. This would hurt both the owners of these devices and the targets of the resulting DDoS attacks.
The Importance of Strong Cryptography
In the study by KeyFactor, the source of the weaknesses in RSA certificates was poor use of the RSA algorithm. While the algorithm itself is currently considered secure if properly used, it depends on the prime factors used in its calculations being random and unknown to an attacker. Generating these large, prime, random factors requires a strong source of entropy, and IoT device manufacturers simply weren’t using enough entropy in their calculations.
As a result, the private keys of hundreds of thousands of RSA certificates currently in use can be derived by an attacker, allowing the attacker to impersonate the owner to anyone trusting that certificate. These vulnerabilities could open up IoT devices to being exploited and added to DDoS botnets.