PANIC! RSA keys are compromised!
CALM DOWN: It's only big, BAD keys, so you can relax
Just as quickly as a panic emerged about vulnerable 4096-bit RSA keys, it's been defused.
The discussion started with this brief post at Loper-OS, with the headline claim that: “I am pleased to announce that we have now broken a 4096-bit RSA key, as well as its factor-sharing counterpart (yet to be determined, but won’t wait for long!)”.
The claim was based on use of a service the Loper-OS and Mircea Popescu operate called Phunctor, which they describe as an “RSA Supercollider”.
Phunctor looks for duplicated moduli in public PGP key servers, because duplicates indicate such things as “both keys were generated on a system with a thoroughly-broken entropy source, or if a particular PGP implementation has been back-doored.”
In other words, an RSA collision is bad news, and a collision on 4096-bit keys would be very bad news.
So far, so good, but according to a rebuttal post from Hanno Böck, a German freelance IT journalist, the collisions are occurring not on usable keys, but on corrupted keys that have been uploaded to the GPG public key servers.
As Böck notes, public PGP key servers are meant to be additive: you can revoke a key, but not delete it. That means, among other things, that any “bad key” on the PGP servers stays there.
As well as broken implementations, he says, bad keys could also come from “network errors, hard disk failures or software bugs. It may also be that someone just created them in some experiment.”
He reckons that what Stanislav at Loper-os and Popescu have found are just such keys. As an example, he cites two subkeys of bda06085493bace4 – one, which would fail the Phunctor test, is divisible by 3 and therefore easily factored.
The vulnerable key, he says, is “just a copy of [the good key] with errors”.
“If you try to fetch this faulty sub key from a key server GnuPG will just refuse to import it. The reason is that every sub key has a signature that proofs that it belongs to a certain master key. For those faulty keys this signature is obviously wrong,” Böck notes. ®