Two researchers succeeded with an online tool of their own invention called Phuctor to crack 6 keys 4096-bit of the strongest encryption available by RSA.
The cryptosystem RSA uses a public key to encrypt the data, from which a private (which should not be shared) is created for the purpose of decryption.
The public key consists of two values, and one of these is the product of the two large prime numbers. If someone discovers this value, they can identify the private key that corresponds to the public.
This basic principle makes RSA encryption very robust as it is quite difficult to identify the product of the two large first numbers.
The tool Phuctor is the result of the collaboration between Stanislav Datskovskiy and Mircea Popescu. It represents a RSA key of the factorization service that determines whether there is a common factor in the coefficients of two different public keys.
The tool uses the Euclidean algorithm to calculate the maximum common divisor of two large numbers, thus finding a common first number for the calculation of the private key.
To describe how powerful RSA encryption is, Popescu said in a blog post that one could "wait for the key to be calculated shortly before Elvis returns as Queen of England."
One of the keys that broke belongs to Peter H. Anvin (aka Internet and as hPa), is a respected contributor to the open-source community, and is also one of the developers of the Linux kernel.
Η date creation date of the key is September 22, 2011, a date considered relatively recent by Popescu, although there is a possibility that it is no longer in use by its owner.
However, although the news sounds rather worrying, there is no error in the RSA encryption system, but how the keys are created.
Hanno Böck, a German independent journalist who last year analyzed server data that contained public keys. The researcher believed that he discovered a very high percentage of vulnerable keys. With a closer analysis, however, he discovered that the cases he encountered were actually defective keys.
Böck reported that anyone can load such a key on a server without any checks being made.
"However, these keys are not a threat to anyone. "The only case where this could be significant would be to use a broken application of the basic OpenPGP protocol that does not check if the subkeys really belong to the master key," he said.
He also added that the insertion of a damaged key into a local GnuPG installation can not be done as the attempt will be rejected because validation of the signature will not pass.
