Discovery of Weak RSA Keys with Patterns of Zeros Raises Security Concerns

First seen: 30 Jun 2026, 00:12 UTC. Sources: Schneier, Feeds.Feedburner.

Researchers have identified a new class of weak RSA keys in the wild, characterized by patterns of zeros. These keys were discovered through the badkeys project, which analyzes public keys for vulnerabilities. The affected keys were found in certificates from large organizations like Yahoo and Verizon, as well as on CompleteFTP software for SSH hosts. The vulnerability impacts RSA keys generated between December 2016 and March 2019 and DSA keys generated until December 2023. While the overall number of affected systems is small, the findings indicate a troubling trend in cryptographic implementations. The research emphasizes the need for tailored cryptanalytic approaches to mitigate potential exploitation. The affected organizations have been notified about the vulnerabilities in their expired certificates.

Key Points:
• A new class of weak RSA keys with patterns of zeros has been discovered.
• The vulnerability affects RSA and DSA keys generated between 2016 and 2023.
• Affected organizations include Yahoo, Verizon, and users of CompleteFTP software.

ThreatCluster AI

Timeline

2026-06-29: Weak RSA keys identified in the wild
Researchers found RSA keys with patterns of zeros through the badkeys project, affecting various organizations. (Source: Feeds.Feedburner)

2026-06-29: Research published on weak RSA keys
The findings were detailed in a blog post by Schneier, highlighting the patterns found in real-world keys. (Source: Schneier)

Date unknown: Affected organizations notified
Organizations like Yahoo and Verizon were informed about vulnerabilities in their expired certificates. (Source: Feeds.Feedburner)
