Two researchers they succeeded with one online tool, of their own invention which they called Phuctor, to crack 6 4096-bit keys of the strongest encryption available by RSA.
The cryptosystem RSA uses a public key to encrypt the data from which a private (which should not be shared) for the purposes of decryption is created.
The public key consists of two values, and one of them is the product of the two largest prime numbers. If someone discovers her price she can determine the private key that corresponds to the public.
This basic principle makes RSA encryption very robust as it is quite difficult to identify the product of the two large first numbers.
The tool Phuctor is the result of the collaboration between Stanislav Datskovskiy and Mircea Popescu. Represents an RSA key of the factorization service that determines whether there is a common factor in the factors of two different public keys.
The tool uses the Euclidean algorithm to calculate the maximum common divisor of two large numbers, thus finding a common first number for the calculation of the private key.
To describe how powerful RSA encryption is, Popescu said in a blog post that one could "wait for the key to be calculated shortly before Elvis returns as Queen of England."
One of the keys that broke belongs to Peter H. Anvin (also known as the hPa on the internet) is a respected partner of the open source community, and is also one of the Linux core developers.
The key creation date is 22 September 2011, a date that is considered relatively recent by Popescu, although there is a chance it will no longer be used by its owner.
However, although the news sounds rather worrying, there is no error in the RSA encryption system, but how the keys are created.
Hanno Böck, a German independent journalist who last year analyzed server data that contained public keys. The researcher believed that he discovered a very high percentage of vulnerable keys. With a closer analysis, however, he discovered that the cases he encountered were actually defective keys.
Böck reported that anyone can load such a key on a server without any checks being made.
"However, these keys are not a threat to anyone. "The only case where this could be significant would be to use a broken application of the basic OpenPGP protocol that does not check if the subkeys really belong to the master key," he said.
He also added that the insertion of a damaged key into a local GnuPG installation can not be done as the attempt will be rejected because validation of the signature will not pass.
