1

I know they're deprecated, but does anyone still use 1024 bit RSA encryption or certificates? Do you know of any examples of systems that use it today? What would be the implication if someone factored RSA-1024?

Elliot Gorokhovsky
  • 496
  • 3
  • 12
  • Well if you factor a deployed 1024-bit modulus, you can impersonate those servers and if they use RSA as key-exchange you can read the whole traffic. Factoring 1024-bit moduli may be possible for nations. – SEJPM May 23 '15 at 20:27
  • samples of still valid 1024-moduli: Equifax CA certificates in firefox/thunderbird. – SEJPM May 23 '15 at 20:31
  • 1
    This link seems somewhat relevant: http://www.entrust.com/root-certificates-1024-bit-rsa-keys-removed/ – paj28 May 23 '15 at 21:43
  • @paj28 Link dead. It was archived by [Wayback Machine](https://web.archive.org/web/20160306131746/http://www.entrust.com/root-certificates-1024-bit-rsa-keys-removed/). – Franklin Yu Apr 29 '18 at 23:30

1 Answers1

2

Well I pretty much answered the question already in the comments but now I'll do it as fully qualified answer.

Yes, 1024-bit RSA moduli are still in use. The samples I could quickly find are the Equifax CA certificates in Firefox. Those will be removed soon.

What would happen if someone factored any of these moduli?
Really bad things.
If you factor any of these certificates you can impersonate a widely trusted CA. This means you can issue valid certificates that will be widely accepted. The only defenses are DANE (not widely deployed yet) and certificate pinning (not possible to be widely deployed).
More practically this would mean, that you could impersonate any given server on the web (provided you can forward DNS requests to your server), as you can issue (EV?-)certificates on any site like maybe google.com, amazon.com, paypal.com, security.stackexchange.com, ... Even further you may be able to issue code-signing (EV?-)certificates, which would enable you to digitally sign malware, so that it can be installed as kernel-mode driver in Windows!

If you don't attack those CA's certificates but rather "normal" server's certificates you can easily decrypt any traffic that uses the RSA as key-exchange algorithm and you can start active man-in-the-middle attacks against those servers and easily read any traffic even if (EC-)diffie-hellman key exchange is used!

SEJPM
  • 9,500
  • 5
  • 35
  • 66
  • But don't browsers reject 1024 bit certificates? If not, why not? – Elliot Gorokhovsky May 23 '15 at 21:14
  • obviously they don't as the mentioned certs are in the trust-store and you can use them to sign 2048-bit+ certs. And they *maybe* will after having phased out all 1024-bit CA certs (phase 2/3 at firefox as of now). And they don't need to reject 1024 because (all?) CAs already banned 1024-bit and require 2048-bit. And if they'd continue to accept 1024 those CAs wouldn't be trusted any longer... – SEJPM May 23 '15 at 21:17