A survey of ~20 million public keys (from TLS certificates, SSH server keys, GitHub and GitLab users, and DNSKEYs).

An innovative technique compared to other commercial and open-source scanning software: downgrade TLS and SSH scanners to older protocol versions to find older keys alongside newer ones. (For example, a TLS server might offer an EC cert+key to TLS 1.2/1.3 clients, but an RSA key to clients that can only do TLS 1.0.)

Some notable findings:

- Debian weak keys (generated in 2006-2008) are still in use, including by highly active users on GitHub and GitLab

- 512-bit and 1024-bit RSA keys are still in use, including their use as DNSKEYs for prominent companies and government agencies

- RSA keys generated by older versions of PuTTY and OpenSSH are easily distinguishable by their exponents; if a vulnerability in one of those implementations were discovered (similar to the recent https://cert.europa.eu/publications/security-advisories/2024...), it would be easy to find a very large number of vulnerable keys to target.

Good news:

- Unlike earlier research from 2012-2016, none of the RSA keys could be easily factored into large primes. (Other than Debian weak keys.)

- Certificate Transparency appears to be doing a good job of motivating reputable CAs to scrutinize the cryptographic material in the certificates they sign. No cryptographic weaknesses were identified in any of the keys in millions of recent CT-logged certificates.
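Two of the findings above (512/1024-bit moduli still in service, and exponents that fingerprint the generator) come down to the same extraction step a key survey has to run over every RSA key it collects: decode the key, read the modulus size, read the public exponent. The following Python is an added example, not the survey's own tooling. It parses OpenSSH-format `ssh-rsa` lines (the format GitHub and GitLab serve for user keys and that `ssh-keyscan` returns for servers) and reports the size and exponent together with the findings a scan would flag. The sample moduli are constructed integers, not real keys, and the exponent-to-generator mapping (e=37 for older PuTTY, e=65537 as the OpenSSL/OpenSSH default) is my assumption, not something the post states.

```python
"""Parse OpenSSH-format ssh-rsa public keys and report modulus size and exponent.

Added example, not code from the survey. The sample keys are CONSTRUCTED
integers, not real keys; the exponent-to-generator hints are assumptions.
"""
import base64
import struct


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer: big-endian two's complement,
    with a leading 0x00 added when the top bit is set so the value stays positive."""
    if n < 0:
        raise ValueError("only non-negative mpints occur in RSA public keys")
    body = b"" if n == 0 else n.to_bytes((n.bit_length() + 8) // 8, "big")
    return _ssh_string(body)


def build_ssh_rsa_line(e: int, n: int, comment: str = "") -> str:
    """Encode (e, n) as an authorized_keys-style 'ssh-rsa <base64> [comment]' line."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def _read_string(buf: bytes, off: int):
    """Read one length-prefixed string at offset off; reject truncated input."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + length], off + length


# ASSUMPTION (not from the page): 37 is the exponent older PuTTY versions used;
# 65537 is OpenSSL's RSA_F4 default, which OpenSSH's ssh-keygen inherits.
EXPONENT_HINTS = {
    37: "non-default e=37 (assumption: older PuTTY keygen)",
    65537: "e=65537 (F4): OpenSSL/OpenSSH default, no generator hint",
}


def parse_ssh_rsa_line(line: str) -> dict:
    """Decode one 'ssh-rsa <base64> [comment]' line into e, modulus bit length and comment.
    Non-RSA keys and trailing garbage raise ValueError rather than being misreported."""
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa line")
    blob = base64.b64decode(parts[1], validate=True)
    keytype, off = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        raise ValueError("key type inside blob is %r, not ssh-rsa" % keytype)
    e_bytes, off = _read_string(blob, off)   # public exponent comes first
    n_bytes, off = _read_string(blob, off)   # then the modulus
    if off != len(blob):
        raise ValueError("trailing data after modulus")
    e = int.from_bytes(e_bytes, "big")
    n = int.from_bytes(n_bytes, "big")
    return {"e": e, "bits": n.bit_length(), "comment": parts[2] if len(parts) > 2 else ""}


def assess_rsa_key(e: int, bits: int) -> list:
    """Return the findings a key survey would flag for this (e, modulus size) pair."""
    findings = []
    if bits <= 512:
        findings.append("%d-bit modulus: factorable with modest resources" % bits)
    elif bits < 2048:
        findings.append("%d-bit modulus: below the 2048-bit floor" % bits)
    if e < 3 or e % 2 == 0:
        findings.append("invalid public exponent %d" % e)
    findings.append(EXPONENT_HINTS.get(e, "unusual exponent e=%d, fingerprintable" % e))
    return findings


# Constructed sample moduli: arbitrary odd integers of the stated size, NOT real keys.
SAMPLE_KEYS = [
    build_ssh_rsa_line(37, (1 << 1023) | 0x1234567, "constructed-1024-putty-style"),
    build_ssh_rsa_line(65537, (1 << 2047) | 0x1234567, "constructed-2048-default"),
    build_ssh_rsa_line(65537, (1 << 511) | 0x1234567, "constructed-512"),
]


def survey(lines):
    """Run the extraction over a list of ssh-rsa lines, as a scanner would over its harvest."""
    results = []
    for line in lines:
        k = parse_ssh_rsa_line(line)
        results.append((k["comment"], k["bits"], k["e"], assess_rsa_key(k["e"], k["bits"])))
    return results


if __name__ == "__main__":
    for comment, bits, e, findings in survey(SAMPLE_KEYS):
        print("%-30s %5d-bit e=%-6d %s" % (comment, bits, e, "; ".join(findings)))
```

The same parser works unchanged on real `authorized_keys` lines or `ssh-keyscan -t rsa` output; the builder exists only so the example runs offline. Note that the exponent hint is a fingerprint, not a vulnerability: a key is only exploitable if a defect is found in the generator the exponent points at.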

Thanks for the heads-up. I didn't realize this is discouraged.

I am not ChatGPT though… I am the author of the survey in question.

And did not use any LLMs in any way at all in performing or documenting it.