The public keys that we examined in this study are used to communicate securely over an encrypted connection with a web site (HTTPS) or to securely connect to a remote server (SSH). Public keys are used to verify the server's identity and to allow a user to encrypt communication with the server.
We found significant numbers of insecure RSA and DSA public keys in use on the Internet: we found that 5% of HTTPS hosts and nearly 10% of SSH hosts shared keys for reasons we considered a vulnerability. More alarmingly, faults in generating keys allowed us to compute the private keys from public information for 0.5% of HTTPS hosts and 1% of SSH hosts. We were able to factor RSA moduli when two or more moduli in our database shared a common factor; we were able to calculate DSA private keys when hosts duplicated ephemeral keys used in signatures. See our research paper for the full details.
The compromise of these keys would allow an active attacker with access to the network connection between client and server to man-in-the-middle the secure connection and intercept or modify the contents of communication. For RSA-encrypted TLS and SSHv1, the compromise of these keys would also allow a passive attacker to decrypt the communication later.
The vast majority of the vulnerable keys belong to various types of network devices: routers, firewalls, VPNs, VoIP gateways, printers, and the like. We have tentatively identified and contacted 54 manufacturers.
We have no reason to believe that keys belonging to secure web sites, such as banks and e-commerce sites, are at risk. We also have no reason to doubt the security of PGP, SSH, or other keys generated interactively by users on general-purpose computers.
If two servers share the same public key, that means that they also share the same private key, and thus have the ability to decrypt messages to or to impersonate the other. In many cases, we observed the same public key being served from thousands of independent hosts; if the private key is ever compromised on any one of them, all of the hosts' keys will have been compromised.
Many kinds of network devices "bake in" a default key which is used on every instance of a particular model. Default keys pose the same security risks as repeated keys; in addition, it may be possible for an attacker to extract the private keys from the device firmware and be able to compromise every model of that device.
The security of RSA (the most widely used public key cryptosystem) is intended to rely on the difficulty of factoring large integers into prime factors. However, if two integers share a single prime factor, it is very easy to compute that prime factor by calculating the greatest common divisor. We calculated the greatest common divisor for every pair of RSA moduli in our database, and found tens of thousands of "factorable" RSA keys which shared common factors with each other, allowing us to compute the private keys.
When using DSA (another widely used public key cryptosystem) to provide a signature, the signer computes a random ephemeral key and uses it to provide the signature. If two signatures from the same DSA key share the same ephemeral key, this is immediately apparent from the signatures, and allows an attacker to easily compute the private DSA key.
We have provided a key check service that allows you to check if your key is among those that we have been able to compromise. We recommend that users regenerate any keys that have been generated as part of an automatic boot process. You may be able to do this in the device configuration, or upload a key generated on a different computer.
No. Our service can identify known weak keys, but it cannot guarantee that a key is safe. Your key or host may not have been accessible during the time of our scans, or your key might not have appeared vulnerable at the time given the keys we found.
You should contact the manufacturer if you are concerned about a particular model of device.
We identified and contacted 54 companies that manufacture devices that appear to be vulnerable. Several of these companies have since shipped updates or customer advisories.
We will maintain an updated list of advisories and updates as we hear about them on the Advisories page.
Our findings give us no reason to doubt the security of the RSA algorithm on systems which use adequate randomness to generate keys. All of the most commonly used public-key cryptosystems (RSA, DSA, and ECDSA) can fail catastrophically when used with insufficient randomness.
These vulnerabilities are an implementation issue, and they predominately affect certain types of networked devices that automatically generate cryptographic keys on first boot.
There are several precautions that device manufacturers and developers can take to prevent weak keys. These include avoiding default certificates and keys, seeding entropy at the factory, ensuring that diverse entropy sources are available to OS random number generators, testing cryptographic randomness, and using hardware random number generators. We encourage you to read our extended research paper which describes how these problems arise and provides specific recommendations in Section 7: Defenses and Lessons.