Sunday, March 14, 2010

RSA Encryption Broken

A recent Engadget article made popular through reddit.com and digg.com has (incorrectly) claimed that 1024-bit RSA encryption has been cracked and is no longer secure. I would like to reassure everyone that the RSA algorithm is indeed cryptographically secure, with the Engadget article nothing more than poorly researched journalism.

The research in question, titled Fault-Based Attack of RSA Authentication, actually describes how a private key can be recovered by injecting power faults into a system by manipulating a computer's voltage supply. Vulnerabilities found within both the OpenSSL implementation of RSA and circuit-level vulnerabilities in digital hardware devices have made the attack possible.

Attacks on the hardware and software surrounding private keys are nothing new, however. In 2008, researchers at Princeton University released a paper on the preservation and extraction of encryption keys from random access memory (RAM) through the use of a freezing process. Their research can be seen here.

Whilst interesting, the newly described research is far from world-ending. In order for this attack to be successfuly implemented, both physical access to the target machine and access to a large cluster of machines is required -- leaving this form of an attack with a very limited scope.

The Engadget author foolishly concludes his article by hoping "...RSA [will] hopefully fix the flaw".