key with suspicious pattern

Hanno Böck

Dec 3, 2022, 2:48:45 PM
to dev-secur...@mozilla.org
Hi,

I'm not entirely sure if this is the right place to discuss this, but
I also don't really know where else.

Do people have thoughts about suspicious keys like this?
https://crt.sh/?id=8093628131
(Have a look at the modulus / N value, it has a lot of zeros)

This key is certainly not securely generated. What I am wondering:
* What caused such a key to be created?
* Can it be broken?
* Anyone aware of any analysis or relevant research for keys with
suspicious patterns?
* Should CAs be under any obligation to detect and reject such keys?

(I am detecting such keys in badkeys by looking for 16 repeating bytes,
which I consider as practically impossible to happen by chance in a
proper key generation process.)

--
Hanno Böck
https://hboeck.de/
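
An added example (not part of the original thread, and not badkeys' own code) of the check described in the post above, reading "16 repeating bytes" as one byte value repeated 16 times in a row in the big-endian modulus. The cofactor and the random-looking value are constructed for illustration; only the first factor comes from this thread.

```python
import hashlib

RUN_LEN = 16  # threshold from the post above: 16 repeating bytes

def longest_byte_run(n: int) -> tuple[int, int]:
    """Return (byte value, run length) of the longest run of one byte in n."""
    data = n.to_bytes((n.bit_length() + 7) // 8, "big")
    best, prev, cur = (0, 0), None, 0
    for b in data:
        cur = cur + 1 if b == prev else 1
        prev = b
        if cur > best[1]:
            best = (b, cur)
    return best

def has_suspicious_pattern(n: int, run_len: int = RUN_LEN) -> bool:
    """Flag a modulus whose big-endian bytes repeat one value run_len times."""
    return longest_byte_run(n)[1] >= run_len

# Factor quoted later in this thread.
P_FROM_THREAD = 3 * 2**1022 + 3 * 2**518 + 5 * 2**344 + 3
# Constructed sparse cofactor: NOT the real second factor, not tested for primality.
Q_CONSTRUCTED = 2**1023 + 2**600 + 1
N_PATTERNED = P_FROM_THREAD * Q_CONSTRUCTED

# Constructed random-looking 2048-bit value (SHA-256 output, not a real key).
_raw = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))
N_RANDOM_LIKE = int.from_bytes(_raw, "big") | (1 << 2047) | 1

if __name__ == "__main__":
    for name, n in [("patterned", N_PATTERNED), ("random-like", N_RANDOM_LIKE)]:
        value, length = longest_byte_run(n)
        print(f"{name}: longest run {length} x 0x{value:02x}, "
              f"flagged={has_suspicious_pattern(n)}")
```

A check like this is cheap enough to run on every submitted public key, but it only sees patterns that survive in the modulus itself.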

Matthew McPherrin

Dec 3, 2022, 8:29:40 PM
to Hanno Böck, dev-secur...@mozilla.org
The certificate has been revoked and replaced by the subscriber.

The private key has been factored by remy_o, who says:

the modulus can be factored by considering it as a polynomial of base 2^160 and using standard algebra software

--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20221203204840.1d25853a%40computer.

Matthew McPherrin

Dec 3, 2022, 8:31:52 PM
to Hanno Böck, dev-secur...@mozilla.org
I was a little quick on sending my previous email.  The explanation is:

the modulus can be factored by considering it as a polynomial of base 2^160 and using standard algebra software.

one of the factors is 3*2^1022 + 3*2^518 + 5*2^344 + 3

Matthew Hardeman

Dec 3, 2022, 11:08:16 PM
to Matthew McPherrin, Hanno Böck, dev-secur...@mozilla.org
Ugh.  This is going to wreck vanity public keys.

Corey Bonnell

Dec 15, 2022, 2:15:52 PM
to Hanno Böck, dev-secur...@mozilla.org
In a related vein, I was playing around some time ago with generating RSA
keys that would contain "interesting" payloads in the modulus. An
example with Windows bind shellcode in the modulus, which when included in a
DER-encoded CSR, gets flagged by ClamAV:
https://gist.github.com/CBonnell/699b2c01121e07440e1cf42d0210eba1.

From a policy standpoint, the BRs already establish an obligation for CAs to
reject certificate requests that contain keys that are known to be weak,
compromised, or if there is "clear evidence" that the method of generation
was "flawed" (section 6.1.1.3). My interpretation of "flawed" in that
section is that there is some characteristic or other information conveyed
within the key (or certificate request as a whole) that would provide clear
evidence that the key is unsuitable for use. I don't think that there was
clear evidence in the case of the certificate that was previously linked to
indicate that the method of generation was flawed.

It would be useful to understand if the key in question was generated using
tooling that may be used for other keys so that similar weak keys can be
blocked (assuming that there is some shared trait in the public key that can
be flagged).

Thanks,
Corey

Stephan Verbücheln

Dec 15, 2022, 4:37:27 PM
to dev-secur...@mozilla.org
You can put anything into the public exponent without weakening the
modulus. Some time ago, it was popular to do it in a way that the
base64 representation displays a message. This should also be possible
with malicious bitstreams.

Regarding the key posted by Hanno:
My intuition tells me that if the product of two primes has a weak
pattern like that, then it means that each of the prime factors
probably has an even weaker pattern. (Or it is not a product of two
primes in the first place, which makes it even weaker.) However, I did
not test that hypothesis.

Regards
Stephan

wael wael

Jan 13, 2023, 12:49:03 PM
to dev-secur...@mozilla.org, Stephan Verbücheln