Practical security of RSA keys over Internet

A very important research paper has been just published on eprint — wide analysis of practical security of RSA keys found in the wild. It shows that implementation or usage issues resulting in weak keys are much more widespread than previously expected. Ron was wrong, Whit is right

Authors: Arjen K. Lenstra, James P. Hughes, Maxime Augier, Joppe W. Bos, Thorsten Kleinjung, Christophe Wachter

Abstract. We performed a sanity check of public keys collected on the web. Our main goal was to test the validity of the assumption that dierent random choices are made each time keys are generated. We found that the vast majority of public keys work as intended. A more disconcerting nding is that two out of every one thousand RSA moduli that we collected oer no security. Our conclusion is that the validity of the assumption is questionable and that generating keys in the real world for multiple-secrets cryptosystems such as RSA is signicantly riskier than for single-secret ones such as ElGamal or (EC)DSA which are based on Diffe-Hellman