Bulletproof TLS Newsletter

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Maintained by Hanno Böck.

A team of researchers has announced a new record in factoring large numbers and calculating discrete logarithms. The researchers factored the RSA-240 number on hardware of the Grid’5000 project, a collaboration of French research institutes. At the same time, the researchers have calculated a discrete logarithm of the same size.

The hardness of factoring and of calculating discrete logarithms is relevant for the security of many public key algorithms, notably RSA (factoring) and Diffie-Hellman (discrete logarithms). The RSA numbers were published as a contest by RSA, Inc. in 1991. Although the contest officially ended in 2007, researchers are still trying to complete the challenges. RSA-240 is 795 bits long. The last RSA number with 768 bits was broken in 2009.

The new result was made possible not only due to faster hardware, but also because improvements made the algorithm faster. The CADO-NFS software that the researchers used is publicly available under a free license.

Although RSA relies on factoring, these results are unlikely to cause any harm for modern RSA implementations. Warnings about the use of short RSA keys have been around for a long time. In 2003, cryptographers Eran Tromer and Adi Shamir published a hypothetical design for a device called TWIRL that would be able to break 1,024-bit RSA keys. No such breakage has been demonstrated in public, but it is often assumed that 1,024-bit keys can be broken by a very powerful attacker.

Modern RSA implementations usually use a minimum key size of 2,048 bits. This is also the most common key size in the TLS ecosystem; smaller keys are not issued by certificate authorities because it is forbidden by the Baseline Requirements. These keys are unlikely ever to be broken on normal hardware. Only quantum computers are realistically a threat for RSA with the current key sizes.

Short news

• OpenSSL fixed a low-severity security vulnerability in the 512-bit exponentiation. Version 1.0.2u contains a fix. For version 1.1.1, no fixed release has been created yet.
• NSS 3.48 has been released. It enables TLS 1.3 by default.
• Sectigo has issued certificates with Sectigo-related branding in the organization unit (OU) attribute, which violates the Baseline Requirements.
• The Facebook Tor onion service, accessible at facebookcorewwwi.onion, was unavailable for some time. According to Facebook’s announcement, the downtime was due to issues with renewal of the dot onion certificate.
• In a blog post, Troy Hunt explains some background of a web project called Why No HTTPS? that he runs together with Scott Helme. It lists popular websites that don’t use HTTPS by default.
• Thomas Pornin discusses Linux random number generation in a blog post. The post generated some discussion, and the comments at Hacker News include an answer by Kernel developer Theodore Ts'o.
• The company Keyfactor has published information about the prevalence of shared prime factors in RSA keys, a problem that can arise due to bad random number generators.
• The EFF has announced version 1.0 of Certbot, an implementation of the ACME protocol.
• Google has published statistics and information about the TLS use of Android apps.
• Cisco has issued an advisory that self-signed certificates in devices running Cisco IOS will expire on January 1, 2020.
• A study measured the prevalence of TLS 1.3, coming to the conclusion that it already has relatively high deployment, but this is largely due to a few big players.
• Mozilla has announced a new version of its CA root store policy that will be in effect starting in January 2020.
• Mozilla announced that NextDNS will be their second partner after Cloudflare offering DNS-over-HTTPS.
• The 36th Chaos Communication Congress (36C3) had several talks on cryptographic topics, including a presentation on Isogeny Cryptography and one on high assurance crypto software.
• Microsoft added experimental TLS 1.3 support in the latest update of Windows 10.
• Jean-Philippe Aumasson published a paper arguing that in most symmetric crypto algorithms it would be possible to reduce the number of rounds and thus making the algorithm faster without significantly lowering security.