Friday, January 8, 2010

768 bit RSA is Broken!

In today's electronic world nearly all sensitive electronic communication is protected by a process that we commonly know as encryption. To the common user, encryption means SSL and SSL is all there is. In reality, SSL is only one tool in the entire encryption toolkit, and encryption is only one part of cryptography.

When we peel back the layers of the onion, modern encryption is all about mathematical hard problems. Meaning, that the mathematical functions are easy to process one way and very difficult to process in the reverse without a specific piece of information. Take for example the RSA algorithm that has been protecting internet e-commerce for years and is the common algorithm used for the creation of nearly all digital certificates. At the very foundation, RSA is about dealing with two very large prime numbers. These two large prime numbers are multiplied together to create a new number. This new number is then used in the algorithm to encrypted your data. Now the mathematical hard problem is that given the new number it is very difficult to factor that new number down to the two original prime numbers that created it. Fundamentally all that is protecting your private data and your e-commerce transactions is a mathematical hard problem that is only “hard” until someone comes a long and finds a way around it.

On January 7th 2010, a group posted a white paper[1] discussing in detail how they have factored and effectively broken 768 bit RSA encryption. Now, there is no need to go jump off the Golden Gate bridge yet, most all of your banking transactions are currently using 1024 bit RSA or 2048 bit RSA keys. But understand that mathematical hard problems are only “hard” problems until someone finds a neat way of making it no longer a hard problem. If you would like some light reading, the white paper can be found here: http://eprint.iacr.org/2010/006.pdf

So the advice I would give is be careful and always use the latest encryption methods available. Further never trust people that will make blanket statements to the effect that you have nothing to worry about because it will take billions of years to crack the encryption and that the Sun will have already gone super nova.

[1] Factorization of a 768-bit RSA modulus version 1.0, January 7, 2010, http://eprint.iacr.org/2010/006.pdf