New Research Uncovers Widespread 'Sparse' RSA Keys, Raising Backdoor Concerns
Recent research has exposed a new class of weak RSA keys characterized by numerous zero values, which are surprisingly prevalent across various public sources. This discovery highlights potential vulnerabilities in cryptographic implementations and has sparked speculation about the possibility of deliberate backdoors.
New research from **Trail of Bits** has shed light on a concerning class of weak RSA keys, distinguished by a high number of zero values within their moduli. These 'sparse' keys have been found in the wild, raising questions about the robustness of cryptographic implementations and even prompting speculation about potential backdoors.
The **badkeys project**, an open-source service designed to audit public keys for known vulnerabilities, played a crucial role in this discovery. While developing this tool, **Hanno BΓΆck** amassed a vast dataset of real-world keys from diverse public sources, including **Certificate Transparency (CT)** logs, internet-wide **TLS** and **SSH** scans, and **PGP** keys.
By meticulously analyzing this extensive dataset for unusually sparse RSA moduli, researchers uncovered a significant number of keys exhibiting two distinct patterns of weakness.
### Pattern 1: Interleaved Zero Blocks
Pattern 1 keys feature several regularly spaced blocks of all zeros, interspersed with seemingly random data. These keys were identified in CT logs for certificates issued to several major organizations, including **Yahoo** and **Verizon**, as well as on devices running **NetApp** software. While the affected certificates have since expired, the findings were shared with these companies. However, the origin of these keys remains unclear.
### Pattern 2: CompleteFTP Vulnerability
Pattern 2 keys were found on SSH hosts utilizing **CompleteFTP** software from **EnterpriseDT**. The underlying vulnerability impacts RSA keys generated using versions 10.0.0 through 12.0.0 (December 2016 to March 2019) and **DSA** keys generated with versions 10.0.0 through 23.0.4 (December 2016 to December 2023).
While these vulnerabilities affect a relatively small fraction of internet hosts, the more significant takeaway is the independent failure of multiple cryptographic implementations in similar ways. This suggests that other implementations may harbor similar bugs, underscoring the need for cryptanalytic algorithms tailored to this specific type of weakness.
### Backdoor Speculation
The discovery has led to speculation regarding the possibility of deliberate backdoors. **Bruce Schneier**, a renowned security expert, has suggested that such patterns could be intentionally designed weaknesses, similar to concepts he discussed in 2013. He posits that a government agency could discover methods to exploit this class of RSA keys and then influence different providers to distribute them to users, creating a covert surveillance capability.