The (Almost) Secret Algorithm Researchers Used to Break Thousands of RSA Keys:
https://algorithmsoup.wordpress.com/...rt-1-the-hack/
At the end of the day, that's what you get for not-so-random random, I guess. It can get worse. Say, the Debian operating system eventually applied a small "harmless" patch to the openssl library; openssl devs even acknowledged it as "harmless". Ironically, it proved to be not so harmless, killing off a lot of entropy during key generation and bringing the whole set of possible RSA keys down to just several thousand or so. At which point an attacker can simply generate all possible RSA keys and brute-force which of these would actually work. As a result, thousands of systems faced break-ins via SSH (while the SSH protocol isn't TLS or SSL, openssh used openssl to process keys, so generated keys suffered from the very same problem) - and it was a full-scale "emergency" for hosting providers and suchlike.
There are also some attacks on e.g. embedded systems like wi-fi routers, abusing the fact that embedded systems often lack good entropy sources and therefore their generated keys and so on can be less random than desirable, jeopardising otherwise secure cryptography.
I'd say crypto is extremely unforgiving of shortcuts, careless coding and lack of attention to small details. Touching the inner workings of a crypto algo takes full understanding of the underlying math, possible cryptanalysis, and a very decent understanding of how hardware works. That's why most mortals shouldn't try to "improve" crypto algos unless they understand all of that. Which is very challenging. As a concrete example, AES on its own looks more or less secure for now. However, if a careless implementation is used, an attacker can, say, measure the run time of the algo and its parts - so it would turn rather insecure overall, up to the ability to reconstruct the key. That's one of the reasons why recent encryption algos are generally moving away from array operations (= memory access, subject to cache effects and related timing issues) in favor of math-only operations that do not access memory, ensuring the algo completes in constant time, regardless of input. The Salsa/ChaCha design is a good illustration.
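To make the last point concrete, here is an added example (not from the comment above or the linked article) of the ChaCha quarter round and double round as specified in RFC 7539: every step is an addition, a rotation or an xor on registers, with no secret-dependent memory address, which is what makes the design constant-time by construction. It checks itself against the RFC 7539 section 2.1.1 test vector.

```c
#include <stdint.h>
#include <stdio.h>

/* 32-bit left rotation: a single instruction on most CPUs, with no
 * data-dependent branch and no memory access. */
static inline uint32_t rotl32(uint32_t x, unsigned n) {
    return (x << n) | (x >> (32u - n));
}

/* ChaCha quarter round (RFC 7539 section 2.1): only add, rotate, xor (ARX).
 * Running time does not depend on the values of a, b, c, d, unlike a
 * table-driven S-box lookup whose address, and thus cache behaviour,
 * depends on secret data. */
void chacha_quarter_round(uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d) {
    *a += *b; *d ^= *a; *d = rotl32(*d, 16);
    *c += *d; *b ^= *c; *b = rotl32(*b, 12);
    *a += *b; *d ^= *a; *d = rotl32(*d, 8);
    *c += *d; *b ^= *c; *b = rotl32(*b, 7);
}

/* One ChaCha double round over the 16-word state: four column rounds, then
 * four diagonal rounds (RFC 7539 section 2.3). The index pattern is fixed,
 * so even the state accesses never depend on secret data. */
void chacha_double_round(uint32_t s[16]) {
    chacha_quarter_round(&s[0], &s[4], &s[8],  &s[12]);
    chacha_quarter_round(&s[1], &s[5], &s[9],  &s[13]);
    chacha_quarter_round(&s[2], &s[6], &s[10], &s[14]);
    chacha_quarter_round(&s[3], &s[7], &s[11], &s[15]);
    chacha_quarter_round(&s[0], &s[5], &s[10], &s[15]);
    chacha_quarter_round(&s[1], &s[6], &s[11], &s[12]);
    chacha_quarter_round(&s[2], &s[7], &s[8],  &s[13]);
    chacha_quarter_round(&s[3], &s[4], &s[9],  &s[14]);
}

/* Verify the quarter round against the RFC 7539 section 2.1.1 test vector.
 * Returns 1 on match, 0 otherwise. */
int chacha_qr_selftest(void) {
    uint32_t a = 0x11111111u, b = 0x01020304u, c = 0x9b8d6f43u, d = 0x01234567u;
    chacha_quarter_round(&a, &b, &c, &d);
    return a == 0xea2a92f4u && b == 0xcb1cf8ceu &&
           c == 0x4581472eu && d == 0x5881c4bbu;
}

int main(void) {
    int ok = chacha_qr_selftest();
    printf("RFC 7539 quarter-round vector: %s\n", ok ? "ok" : "MISMATCH");
    return ok ? 0 : 1;
}
```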