Search for vulnerable servers unearths weak RSA keys repeated thousands of times

A group of researchers from the Information Security Group at Royal Holloway, University of London, wanted to see how many TLS servers still supported weak, export-grade (512-bit) RSA public keys a week after the public disclosure of the FREAK flaw.

On March 3, the number of vulnerable HTTPS servers reached around 26 percent of the total. A week later, less than 10 percent were still vulnerable.

The researchers used the ZMap open source network scanner to scan the complete IPv4 address space, and it took them 8 hours to do it due to their code’s limitations.

Aside from the vulnerable servers, they also found that some of these weak keys are repeated with high frequency.

“We observed 664,336 duplicate moduli in the set of 2,215,504 512-bit moduli obtained from our scanning. One single modulus was found 28,394 times, two further moduli arose more than 1,000 times each and a total of 1,176 moduli were seen 100 times or more each. We did not investigate the high replication rate of these moduli, except for the modulus occurring 28,394 times which corresponds to a router with an SSL VPN module,” they pointed out.

“These repeated moduli would be attractive targets for direct factoring. For example, spending $100 on factoring the most repeated modulus would enable a per-host breaking cost of only 0.3 cents for all the hosts using this modulus.”

“We also computed the pairwise gcds of all the export-grade RSA moduli that we found, leading to 90 factorisations. These moduli correspond to 294 different hosts. The computation took less than 3 minutes on an 8-core system, saving the $9,000 that a cloud computation would have cost if each modulus had been attacked directly,” they shared.
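
A defender can run the same two checks the researchers describe, duplicate moduli and shared prime factors, over the RSA keys in their own certificate inventory. The sketch below is an added example, not the researchers' code: it replaces the pairwise gcd computation with a product/remainder tree (batch GCD), which flags the same keys, and the host names and toy-sized moduli are constructed for illustration.

```python
from collections import defaultdict
from math import gcd, prod

def batch_gcd(moduli):
    """For each modulus n (all distinct), return gcd(n, product of the others)."""
    tree = [list(moduli)]                 # product tree: leaves -> root
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([prod(level[i:i + 2]) for i in range(0, len(level), 2)])
    rems = tree.pop()                     # root = product of every modulus
    while tree:                           # remainder tree: root -> leaves
        level = tree.pop()
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(level)]
    # (P mod n^2) // n == (P / n) mod n, so this is gcd(n, product of others)
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]

def audit(inventory):
    """inventory: iterable of (host, modulus) -> (duplicates, shared_factors)."""
    hosts = defaultdict(list)
    for host, n in inventory:
        hosts[n].append(host)
    duplicates = {n: h for n, h in hosts.items() if len(h) > 1}
    distinct = list(hosts)                # dedupe first, or gcd would just be n
    shared = {}
    for n, g in zip(distinct, batch_gcd(distinct)):
        if g == n:  # both primes appear in other keys: split with pairwise gcds
            g = next((d for m in distinct if 1 < (d := gcd(n, m)) < n), n)
        if g > 1:
            shared[n] = (g, n // g)
    return duplicates, shared

# Constructed inventory: toy moduli built from small primes, hypothetical hosts.
SAMPLE = [
    ("fw-a", 101 * 103), ("fw-b", 101 * 103),   # same modulus on two hosts
    ("vpn-1", 107 * 109), ("vpn-2", 107 * 113), # distinct moduli, shared prime
    ("web-1", 127 * 131),                       # no overlap
]

if __name__ == "__main__":
    dups, shared = audit(SAMPLE)
    for n, h in dups.items():
        print(f"modulus {n} reused on {len(h)} hosts: {', '.join(h)}")
    for n, (p, q) in shared.items():
        print(f"modulus {n} shares a prime with another key: {p} * {q}")
```

Any key that appears in either result should be regenerated on the device itself, since a duplicated or factor-sharing modulus usually points to a shared default key or a weak random number source at key generation time.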