In association with heise online

Asymmetric keys

To create asymmetric RSA, DSA and ECC keys, OpenSSL uses its own function to generate random numbers. As a result, all of the key pairs created by a defective version of OpenSSL are weak and hence easy to crack. Attackers can quickly generate complete lists of all possible key pairs and compare the results to known public keys. The OpenSSH and OpenSSL blacklists published by the Debian project and Metasploit were created in this way. They contain the hashes of all public keys calculated in this manner, and it is relatively easy to compare them to a public key to be tested.

Generating RSA keys
RSA keys are generally based on a specific exponent, which makes the guessing game easier when weak random numbers are used

However, a separate list has to be created for each set of key generating parameters (for instance, the key length and public exponent for RSA). OpenSSH also uses the OpenSSL library, but it uses a different public exponent – 35 – than OpenSSL does in the standard setting for keys – 65537. OpenSSH blacklists therefore cannot be used to check RSA keys generated with OpenSSL.
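The blacklist comparison and the per-parameter caveat described above, as an added example that is not code from the article, the Debian project or Metasploit. It assumes an in-memory blacklist keyed by (modulus bits, public exponent) holding MD5 digests of the SSH public key blob; the function names, the list layout and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

def _field(blob, off):
    """Read one length-prefixed field of the SSH wire format."""
    (length,) = struct.unpack_from(">I", blob, off)
    end = off + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end

def parse_rsa_pubkey(line):
    """Return (modulus bits, public exponent, MD5 hex of the blob)."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    name, off = _field(blob, 0)
    e_raw, off = _field(blob, off)
    n_raw, off = _field(blob, off)
    if name != b"ssh-rsa" or off != len(blob):
        raise ValueError("malformed ssh-rsa blob")
    n = int.from_bytes(n_raw, "big")
    return n.bit_length(), int.from_bytes(e_raw, "big"), hashlib.md5(blob).hexdigest()

def check_key(line, blacklists):
    """blacklists maps (bits, exponent) -> set of MD5 hex digests (assumed layout)."""
    bits, e, digest = parse_rsa_pubkey(line)
    known = blacklists.get((bits, e))
    if known is None:
        return "no-list"  # parameters not covered: result is unknown, not "safe"
    return "weak" if digest in known else "not-listed"

def make_line(n, e):
    """Encode integers as a public key line (for constructed samples only)."""
    def mpint(x):
        raw = x.to_bytes(x.bit_length() // 8 + 1, "big")  # leading zero keeps it positive
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " sample@example"

# Constructed sample data: an arbitrary 2048-bit odd number, not a real modulus.
SAMPLE_N = (1 << 2047) | int.from_bytes(hashlib.sha256(b"sample").digest(), "big") | 1
LISTED = make_line(SAMPLE_N, 35)
BLACKLISTS = {(2048, 35): {parse_rsa_pubkey(LISTED)[2]}}

if __name__ == "__main__":
    for e in (35, 65537):
        print(e, check_key(make_line(SAMPLE_N, e), BLACKLISTS))
```

A "no-list" result means the key's parameters fall outside every available blacklist, so the key has to be checked against a list built for those parameters before it can be treated as sound.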

Symmetric keys

Symmetric methods are generally not used alone because key management is too difficult with these algorithms. Instead, symmetric algorithms are generally used as building blocks along with other cryptographic methods; they play a major role in hybrid methods for the encryption of actual session data.

Hybrid methods
Hybrid methods combine the best of asymmetric and symmetric encryption algorithms

Random numbers also play a role in the generation of symmetric keys. In the hybrid method, one communication partner generates a random symmetric key, encrypts it with the recipient's public key and sends it along with the data to be protected. The recipient can then decrypt the symmetric key with his own private key. S/MIME and PGP both work in this fashion. Another way to establish a symmetric key is a key-exchange protocol, such as Diffie-Hellman (DH), which is especially common in online protocols.
