9.7% servers still exposed to FREAK attack

Mar 17, 2015 13:15 GMT

As the percentage of servers susceptible to the FREAK (Factoring RSA Export Keys) attack is dropping, researchers have found that some of the weak export-grade RSA keys are repeated on the scanned TLS machines, one of them being reported from 28,394 different IP addresses.

In a study carried out by researchers at Royal Holloway, University of London, it was discovered that 2,215,504 hosts, out of the scanned 22,730,626 in the IPv4 space, relied on export-grade 512-bit RSA keys for creating a secure tunnel for the traffic exchanged with the clients.

VPN module in router relies on one RSA key on all devices

When the FREAK attack was disclosed earlier this month, keys of this length were shown to be crackable in about seven hours using cloud technology that can be rented for approximately $100 / €94.

However, the researchers noticed that a great many RSA moduli were repeated, meaning that an attacker does not have to spend time and money factoring each and every modulus - the value obtained by multiplying the two prime numbers selected for generating the public/private key pair.

“We observed 664,336 duplicate moduli in the set of 2,215,504 512-bit moduli obtained from our scanning. One single modulus was found 28,394 times, two further moduli arose more than 1,000 times each and a total of 1,176 moduli were seen 100 times or more each,” a paper authored by the researchers says.

The most frequently repeated modulus was found in the SSL VPN server module in a router from an undisclosed manufacturer.

Modulus repetition reduces factoring costs

The researchers say that this would greatly cut an attacker's factoring costs, as the per-host breaking cost would be $0.3 for the aforementioned $100 investment.

Furthermore, due to modulus repetition, it was possible to factor 90 moduli for 512-bit RSA keys of 294 different hosts in less than three minutes, using a machine with eight 3.3GHz Xeon cores and requiring less than 2GB of RAM.

This was achieved by computing the GCDs between all the pairs of the remaining 1,551,168 moduli with the Fastgcd software.
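As an added example (not code from the researchers' paper or from the Fastgcd project), the Python below shows how an operator could audit an inventory of their own servers' RSA public moduli for the two weaknesses described above: the same modulus served by several hosts, and distinct moduli that share a factor. It goes beyond the pairwise GCDs mentioned in the text by using a product tree and a remainder tree; the host addresses and toy-sized moduli are constructed sample data, and the function names are assumptions of this example.

```python
from collections import Counter
from math import gcd, prod

def duplicate_report(moduli):
    """Return {modulus: host_count} for moduli served by more than one host."""
    return {n: c for n, c in Counter(moduli).items() if c > 1}

def batch_gcd(moduli):
    """For each DISTINCT modulus n, return gcd(n, product of all the others).

    1 means no shared factor; any other value is a factor n shares with
    another key. The trees avoid testing every pair one by one.
    """
    tree = [list(moduli)]                 # level 0: the moduli themselves
    while len(tree[-1]) > 1:              # build up to the total product P
        lvl = tree[-1]
        tree.append([prod(lvl[i:i + 2]) for i in range(0, len(lvl), 2)])
    rems = tree.pop()                     # [P]
    while tree:                           # push P mod n^2 down to the leaves
        lvl = tree.pop()
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(lvl)]
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]

def audit(host_keys):
    """host_keys maps host -> RSA modulus. Returns (reused, shared_factor)."""
    reused = duplicate_report(host_keys.values())
    distinct = sorted(set(host_keys.values()))   # duplicates would mask results
    shared = {n: g for n, g in zip(distinct, batch_gcd(distinct)) if g != 1}
    return reused, shared

# Constructed sample inventory: toy moduli built from small primes.
SAMPLE = {
    "192.0.2.1": 1009 * 1013,
    "192.0.2.2": 1009 * 1013,   # same modulus as .1
    "192.0.2.3": 1009 * 1019,   # different modulus, shares prime 1009
    "192.0.2.4": 1021 * 1031,
    "192.0.2.5": 1033 * 1039,
}

if __name__ == "__main__":
    reused, shared = audit(SAMPLE)
    for n, count in reused.items():
        print(f"modulus {n} is served by {count} hosts: generate per-device keys")
    for n, g in shared.items():
        print(f"modulus {n} shares factor {g} with another key: replace it")
```

Any key flagged by either check should be regenerated on the device itself with a properly seeded random number generator.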

The experiment was conducted using the open-source network scanner zmap and computing power that can be obtained from different services without restriction.