Who runs this service?

This free tool is provided by Cryptosense, a start-up making software which helps companies find and fix security flaws in systems that use cryptography.

What is this tool for?

The Cryptosense Keytester accepts RSA public keys and tests for problems that would make them insecure. In particular, we test four things:

  1. Presence of the Infineon RSA key generation vulnerability.
  2. Small factors that indicate a bug in key generation.
  3. Presence in a "blacklist" of keys for which the private key is well-known.
  4. Shared factors with one of the other keys in our database via a batch-GCD calculation.

We email results of the Infineon bug test immediately. The other tests are applied as part of a weekly batch-GCD calculation, carried out every Monday. Results are emailed just afterwards.

I'm concerned about privacy, why do you need my email address?

The batch-GCD test requires us to spin up a large cloud instance and run some significant computation, so we only do it once a week. Email is a convenient way to manage result notification. Note that we don't block disposable email addresses or Gmail + variants etc. If we do factor your key, we will only inform you of the result, we won't send the factors or a private key in the email.

Which RSA key formats do you accept?

We accept certificates and RSA public keys in OpenSSH, PKCS #1 or X509SUbjectPublicKey format.

How does the Infineon key generation vulnerability testing work?

Public keys generated by the vulnerable library have a distinctive fingerprint that can be tested for with a straightforward discrete log calculation (test code is available on Github). Full details of the vulnerability will appear here.

What kinds of keys are affected by the Infineon RSA key generation issue?

Any key generated by an Infineon chip containing the vulnerable RSA library code. This includes some TPMs, smartcards including electronic ID cards, and certain authentication tokens. Not all keylengths are affected, but common 1024 bit and 2048 bit keys are factorizable.

How does the batch GCD/shared factor testing work?

We apply the so-called "batch GCD" method using our implementation of Bernstein's Algorithms. This calculates the Greatest Common Divisor (GCD) of the test key and all the keys in our database. If the test key shares one of its prime factors with a key in our database, this allows the key to be factored.

You can read all about this testing method in a pair of academic papers from 2012.

So those papers factored thousands of Internet-facing keys in 2012 - is this still a problem?

We recently replicated the scans in these papers. In our results there are fewer factorable keys, but it's still a problem: 1 in 700 Internet-facing TLS keys and 1 in 10000 Internet-facing SSH keys were factored. This is about one third the proportion that were factorable in 2012. At the end of 2016, some of the original authors also replicated the work and found similar results.

What kind of keys can be factored by the batch-GCD method?

From the information we have been able to obtain, most of the keys seem to be in embedded systems like network hardware and appliances. This is likely for the same reasons (bugs in entropy generation in "headless" systems) that were proposed in the Heninger et al. paper

Is this service free?

It's free for your first 5 keys, and we run the batches once a week. To submit more keys and get a response in a few minutes, we offer a paid service with a web API. Get in touch for more details on this. You can see the API documentation here.

What happens to the keys I submit?

If you submit your key to the free service, we keep it in our database and will email you in future if we ever break it. If you use the premium service, you can decide if you want to have your key kept in the database or not.

If my key isn't broken by this service, does that mean it's 100% guaranteed secure?

No: there are some "corner case" factorization algorithms we don't apply since they are extremely rare in production keys (though more common in CTFs), and although we update our blacklist regularly when new leaked keys are announced e.g. from reverse engineering attacks, someone may still be able to obtain your private key by other means.

How many real, production keys are in your database?

Currently just over 23 Million, and growing.