Security researchers describe newly discovered vulnerabilities in public key encryption

A team of four security researchers, including U-M Prof. J. Alex Halderman, grad students Zakir Durumeric and Eric Wustrow, and UC San Diego postdoctoral researcher Nadia Heninger have released new research findings on the security of public keys. The researchers have developed a tool that can remotely compromise about 0.4% of all keys used for SSL website security on the Internet in a few hours.

The team has come forward with a blog post regarding their findings in response to a New York Times article on related research that incorrectly suggests that the vulnerability poses a threat to the security of web-based commerce. According to the U-M/UCSD team, the security flaw largely affects various kinds of embedded devices, such as routers and VPN devices, rather than popular web sites. The research team is preparing to publish a paper on their findings once they have notified the manufacturers of vulnerable devices.

Read the team’s blog post at Freedom-to-Tinker

The issue is also under discussion on Slashdot.

Additional news:

ThreatPost, Feb 15: Weak RSA Keys Plague Embedded Devices, But Experts Caution Against Panic

ARS Technica, Feb 15: Crypto shocker: four of every 1,000 public keys provide no security

BoingBoing, Feb. 16: Prime Suspect, or Random Acts of Keyness

Benlog, Feb, 16: It’s the Randomness, Stupid