This free tool is provided by Cryptosense, a start-up making software which helps companies find and fix security flaws in systems that use cryptography.
The Cryptosense Keytester accepts RSA public keys and tests for problems that would make them insecure. In particular, we test four things:
We email results of the Infineon bug test immediately. The other tests are applied as part of a weekly batch-GCD calculation, carried out every Monday. Results are emailed just afterwards.
The batch-GCD test requires us to spin up a large cloud instance and run some significant computation, so we only do it once a week. Email is a convenient way to manage result notification. Note that we don't block disposable email addresses or Gmail + variants etc. If we do factor your key, we will only inform you of the result, we won't send the factors or a private key in the email.
Any key generated by an Infineon chip containing the vulnerable RSA library code. This includes some TPMs, smartcards including electronic ID cards, and certain authentication tokens. Not all keylengths are affected, but common 1024 bit and 2048 bit keys are factorizable.
We apply the so-called "batch GCD" method using our implementation of Bernstein's Algorithms. This calculates the Greatest Common Divisor (GCD) of the test key and all the keys in our database. If the test key shares one of its prime factors with a key in our database, this allows the key to be factored.
We recently replicated the scans in these papers. In our results there are fewer factorable keys, but it's still a problem: 1 in 700 Internet-facing TLS keys and 1 in 10000 Internet-facing SSH keys were factored. This is about one third the proportion that were factorable in 2012. At the end of 2016, some of the original authors also replicated the work and found similar results.
From the information we have been able to obtain, most of the keys seem to be in embedded systems like network hardware and appliances. This is likely for the same reasons (bugs in entropy generation in "headless" systems) that were proposed in the Heninger et al. paper
If you submit your key to the free service, we keep it in our database and will email you in future if we ever break it. If you use the premium service, you can decide if you want to have your key kept in the database or not.
No: there are some "corner case" factorization algorithms we don't apply since they are extremely rare in production keys (though more common in CTFs), and although we update our blacklist regularly when new leaked keys are announced e.g. from reverse engineering attacks, someone may still be able to obtain your private key by other means.
Currently just over 23 Million, and growing.