Researchers at the University of Michigan have achieved a tech-marvel by moving a step further in cracking RSA. The seemingly secure; public key encryption algorithm was last cracked on 7th January, 2010. The encryption in the last crack was 768 bit but this time, the crack is on a 1024 bit encryption.
What is RSA?
In cryptography, RSA (which stands for Rivest, Shamir and Adleman who first publicly described it) is an algorithm for public-key cryptography[1]. It is the first algorithm known to be suitable for signing as well as encryption, and was one of the first great advances in public key cryptography. RSA is widely used in electronic commerce protocols, and is believed to be secure given sufficiently long keys and the use of up-to-date implementations.
How was the crack achieved?
The RSA crack this time, was achieved by Valeria Bertacco, Todd Austin and Andrea Pellegrini. They varied the voltage levels at the sender end to make faulty encryptions. This helped them recreate the private key by combining a number of fragments, achieved in the process. The complete operation took 100 hours. A quote from the research paper says,
first, we develop a systematic fault-based attack on the modular exponentiation algorithm for RSA. Second, we expose and exploit a severe flaw on the implementation of the RSA signature algorithm on OpenSSL, a widely used package for SSL encryption and authentication. Third, we report on the first physical demonstration of a fault-based security attack of a complete microprocessor system running unmodified production software: we attack the original OpenSSL authentication library running on a SPARC Linux system implemented on FPGA, and extract the system’s 1024-bit RSA private key in approximately 100 hours.
Why is this important?
The RSA encryption was believed to be quite safe and this level of a crack was not achieved, until now. The methods used here are pretty low level and have given results in 100 hours. The crack which was assumed to take a lifetime with bruteforce, has taken a mere four days. This breaks the very backbone of RSA which believes that as long as the private key is safe, it is impossible to break in, unless guessed.
How will it affect me?
RSA is used in most of the secure connections online ranging from e-commerce to login operations. The length of the key determines the level of security. But this crack is independent of the length of the key. Also, the method is crude and easy to implement.
As a response to this crack, Some changes in the RSA implementation are imminent. Till then, let’s just hope we are secure.