Researcher Ben Perez has written that it is time to stop using RSA[*] encryption. He goes into some of the problems with the algorithm and its supporting code bases, how bad they are, some of the mitigations, and then explains his conclusion. Curve25519 is being recommended instead.
RSA was an important milestone in the development of secure communications, but the last two decades of cryptographic research have rendered it obsolete. Elliptic curve algorithms for both key exchange and digital signatures were standardized back in 2005 and have since been integrated into intuitive and misuse-resistant libraries like libsodium. The fact that RSA is still in widespread use today indicates both a failure on the part of cryptographers for not adequately articulating the risks inherent in RSA, and also on the part of developers for overestimating their ability to deploy it successfully.
The security community needs to start thinking about this as a herd-immunity problem—while some of us might be able to navigate the extraordinarily dangerous process of setting up or implementing RSA, the exceptions signal to developers that it is in some way still advisable to use RSA. Despite the many caveats and warnings on StackExchange and Github READMEs, very few people believe that they are the ones who will mess up RSA, and so they proceed with reckless abandon. Ultimately, users will pay for this. This is why we all need to agree that it is flat out unacceptable to use RSA in 2019. No exceptions.
[*] RSA (Rivest–Shamir–Adleman) is one of the first public-key cryptosystems and is widely used for secure data transmission. In such a cryptosystem, the encryption key is public and it is different from the decryption key, which is kept secret (private). In RSA, this asymmetry is based on the practical difficulty of factoring the product of two large prime numbers, the "factoring problem". The acronym RSA is made of the initial letters of the surnames of Ron Rivest, Adi Shamir, and Leonard Adleman, who first publicly described the algorithm in 1977.
However, many systems and hardware tokens are still hardcoded for RSA. So upgrading is not as easy a task as it could be.
Where have you been able to migrate from RSA? Where have there been obstacles?
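As an added illustration of two of the failure modes the excerpt refers to (this is my own toy code, not from the article, libsodium or anyone in this thread): raw "textbook" RSA with no padding is deterministic and malleable, which is why a padding scheme such as OAEP from a vetted library is mandatory, and moduli built from a low-entropy RNG tend to share a prime factor, which a pairwise GCD over a key inventory detects without any factoring. The primes (61, 53, 71, 89, 97) are textbook toy values and the three-modulus "inventory" is constructed; nothing here is sized for real use.

```python
"""Toy RSA: why unpadded RSA is unsafe and how weak key generation is spotted.
Added example with textbook-sized primes; real keys use 2048-bit or larger moduli."""
from math import gcd


def rsa_keygen(p, q, e=17):
    """Build a toy key pair from two primes. Requires gcd(e, phi) == 1."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+
    return (n, e), (n, d)        # (public key, private key)


def textbook_encrypt(pub, m):
    """c = m^e mod n with no padding: same m always gives the same c."""
    n, e = pub
    return pow(m, e, n)


def textbook_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def decrypt_product_of_ciphertexts(pub, priv, m1, m2):
    """Malleability: multiplying two ciphertexts yields a valid ciphertext of
    m1*m2, so anyone holding c1 and c2 can mint a third 'encrypted' value.
    Padding (OAEP) breaks this algebraic structure; raw RSA has it by design."""
    n, _ = pub
    c1 = textbook_encrypt(pub, m1)
    c2 = textbook_encrypt(pub, m2)
    return textbook_decrypt(priv, c1 * c2 % n)


def find_shared_factors(moduli):
    """Defender's check over a key inventory: moduli that share a prime factor
    (the classic symptom of a low-entropy RNG at key-generation time) are both
    fully compromised, and gcd finds the shared prime instantly."""
    hits = []
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            g = gcd(moduli[i], moduli[j])
            if 1 < g < moduli[i]:
                hits.append((i, j, g))
    return hits


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53)
    print("deterministic:", textbook_encrypt(pub, 65) == textbook_encrypt(pub, 65))
    print("decrypt(c(2) * c(3)) =", decrypt_product_of_ciphertexts(pub, priv, 2, 3))
    # constructed inventory: the first two moduli were made with a shared prime 53
    inventory = [61 * 53, 53 * 71, 89 * 97]
    print("shared factors:", find_shared_factors(inventory))
```

The pairwise loop is quadratic; at fleet scale the same idea is run as a batch GCD (product tree) over millions of moduli, and a hit means the key must be revoked, not just rotated on a schedule. The fix for the first two properties is not a home-grown padding routine but a library that only exposes a padded, randomized API.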
Earlier on SN:
Mathematicians Seal Backdoor to Breaking RSA Encryption (2018)
Upgrade Your SSH Keys (2016)
512-bit RSA Keys Cracked in Four Hours for only $75 (2015)
NSA and RSA - Claims of More Evidence (2014)
(Score: 5, Insightful) by Anonymous Coward on Tuesday July 09 2019, @07:20PM
The entire premise of this article seems to be because RSA is easier to implement, more people do it and therefore there are more bad implementations. It also mentions that RSA is slow so this encourages implementors to take shortcuts, leading to yet more bad implementations. This means developers are more likely to choose (or roll their own) vulnerable implementations.
On the other hand "moon math" (term used in TFA) elliptic-curve cryptography is harder to implement so there are fewer implementations. This means developers are more likely to choose good implementations.
The most egregious "bad implementation" examples presented in TFA are implementors generating keys with low entropy and failing to use modern padding schemes like OAEP.
But it's easy to implement elliptic-curve cryptography badly too (such as generating the ECDSA per-message parameters with bad RNGs *cough*sony*cough*), so this argument seems kind of silly. If you can't convince someone to pick a reasonable implementation for a protocol they are already using, how the hell are you going to convince them to pick a reasonable implementation for an entirely different protocol?
And let's not even start with interoperability issues, which are usually more important requirements than actual security concerns.
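The comment's ECDSA point deserves a concrete picture, so here is an added example (my own code, not the commenter's, the article's, or any library's) of what a bad per-message nonce does. It signs over a tiny textbook curve (y^2 = x^3 + 2x + 2 over F_17, generator (5, 1) of prime order 19, from a standard cryptography textbook and useless for real security), with a "random" k that is in fact constant, the PS3-style bug. The observable symptom is two signatures under one public key sharing the same r, which is the red flag an auditor scans for; with two such signatures over different messages the private key falls out by algebra. The deterministic nonce shown alongside is a simplified RFC 6979-style derivation (HMAC of the private key over the digest), not the RFC's exact procedure, and it removes the RNG from the signing path entirely. The two message digests (7 and 11) are constructed values.

```python
"""Toy ECDSA showing why nonce reuse is fatal and how deterministic nonces avoid it.
Added example; curve parameters are textbook-sized and insecure by construction."""
import hashlib
import hmac

P, A, B = 17, 2, 2      # curve y^2 = x^3 + A x + B over F_P
G = (5, 1)              # generator
N = 19                  # order of G (prime, so every nonzero k is invertible)


def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def sign(d, z, nonce_fn):
    """ECDSA signature (r, s) over digest z (an int already reduced mod N).
    nonce_fn(d, z, attempt) supplies k; the loop retries if r or s would be 0."""
    attempt = 0
    while True:
        k = nonce_fn(d, z, attempt) % N
        attempt += 1
        if k == 0:
            continue
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + d * r) % N
        if r and s:
            return (r, s)


def verify(Q, z, sig):
    """Standard ECDSA verification against public key Q = d*G."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    X = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, Q))
    return X is not None and X[0] % N == r


def broken_nonce(d, z, attempt):
    """The bug: k is a constant regardless of message (attempt only moves it on
    the rare retry path so the loop cannot spin forever)."""
    return 4 + attempt


def deterministic_nonce(d, z, attempt):
    """Simplified RFC 6979-style nonce: HMAC(d, z || attempt). No RNG involved,
    and different messages get unrelated k values."""
    msg = z.to_bytes(4, "big") + attempt.to_bytes(4, "big")
    mac = hmac.new(d.to_bytes(4, "big"), msg, hashlib.sha256).digest()
    return int.from_bytes(mac, "big")


def shared_r(sig1, sig2):
    """Auditor's check: the same r under one key means the same k was used."""
    return sig1[0] == sig2[0]


def recover_private_key(z1, sig1, z2, sig2):
    """Why shared r is game over: with equal k, s1 - s2 = k^-1 (z1 - z2),
    so k and then d are recovered from public data alone."""
    r, s1 = sig1
    _, s2 = sig2
    k = (z1 - z2) * pow(s1 - s2, -1, N) % N
    return (s1 * k - z1) * pow(r, -1, N) % N


if __name__ == "__main__":
    d = 7                        # toy private key
    Q = ec_mul(d, G)             # public key
    z1, z2 = 7, 11               # constructed digests of two different messages
    s1, s2 = sign(d, z1, broken_nonce), sign(d, z2, broken_nonce)
    print("both verify:", verify(Q, z1, s1), verify(Q, z2, s2))
    print("shared r:", shared_r(s1, s2), "recovered d:", recover_private_key(z1, s1, z2, s2))
    print("deterministic signing is stable:",
          sign(d, z1, deterministic_nonce) == sign(d, z1, deterministic_nonce))
```

Two design points worth noting: the signatures produced with the constant nonce verify perfectly, so a correctness test suite never catches this class of bug, and the only defence that does not depend on the platform's RNG is deriving k from the key and the message as the deterministic variant does (which is what libsodium's Ed25519 does natively and why the article steers people there).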
(Score: 5, Insightful) by ikanreed on Tuesday July 09 2019, @08:01PM
And it won't matter because while breaking your key is O(2000 years) breaking your dumbass users is O(free amazon gift card sign in here)