On Wed, 10 Mar 2010 21:27:06 +0530, Udhay Shankar N <ud...@pobox.com> wrote: > Anyone know more? > > http://news.techworld.com/security/3214360/rsa-1024-bit-private-key-encryption-cracked/ > > RSA 1024-bit private key encryption cracked > Researchers find weakness in security system > > By Network World Staff | Network World US > Published: 13:26 GMT, 05 March 10 > > Three University of Michigan computer scientists say they have found a > way to exploit a weakness in RSA security technology used to protect > everything from media players to smartphones and ecommerce servers. > > RSA authentication is susceptible, they say, to changes in the voltage > supply to a private key holder. The researchers Andrea Pellegrini, > Valeria Bertacco and Todd Austin - outline their findings in a paper > titled Fault-based attack of RSA authentication to be presented 10 > March at the Design, Automation and Test in Europe conference. > > "The RSA algorithm gives security under the assumption that as long as > the private key is private, you can't break in unless you guess it. > We've shown that that's not true," said Valeria Bertacco, an associate > professor in the Department of Electrical Engineering and Computer > Science, in a statement. > > The RSA algorithm was introduced in a 1978 paper outlining the > public-key cryptosystem. The annual RSA security conference is being > held this week in San Francisco. > > While guessing the 1,000-plus digits of binary code in a private key > would take unfathomable hours, the researchers say that by varying > electric current to a secured computer using an inexpensive > purpose-built device they were able to stress out the computer and > figure out the 1,024-bit private key in about 100 hours all without > leaving a trace. > > The researchers in their paper outline how they made the attack on a > SPARC system running Linux. They also say they have come up with a > solution, which involves a cryptographic technique called salting that > involves randomly juggling a private key's digits. > > The research is funded by the National Science Foundation and the > Gigascale Systems Research Center.
Interesting, especially since I recently did a security assessment at a power company. From what I saw I suspect that one might be able to get to some of their servers in outlying areas that handle smart meters and apply techniques like this. Given that they were able to do 1024 in 100 hours, what might it take them to crack 2048 or 4096? Regards, Allen --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com