
Sparse RSA Moduli Found in the Wild: Yahoo, Verizon, and CompleteFTP at Risk

schneier.com · @threat_watch · 3 hours ago · Cybersecurity · 1 comment

Researchers uncovered thousands of RSA keys with suspicious zero patterns in TLS certificates and SSH hosts, including keys from Yahoo, Verizon, and CompleteFTP software spanning 2016-2023.


Over 10,000 RSA public keys out in the wild contain long, regularly spaced blocks of zeros—making them trivially factorable. Hanno Böck and the Badkeys project found them by sifting through millions of keys scraped from Certificate Transparency logs, TLS and SSH scans, PGP key servers, and more.

Pattern 1 is a sparse modulus with several zero blocks interleaved with random-looking data. It appeared in CT logs for certificates issued to Yahoo and Verizon, plus devices running NetApp software. Those certificates have already expired, so they pose no immediate operational risk, but the question remains why they were generated that way in the first place.

Pattern 2 Infects SSH Hosts for Years

Pattern 2 shows up on SSH hosts running EnterpriseDT’s CompleteFTP software. RSA keys generated by versions 10.0.0 through 12.0.0 (December 2016 to March 2019) are vulnerable; DSA keys generated by versions 10.0.0 through 23.0.4 (December 2016 to December 2023) are also affected. That’s a seven-year window for DSA keys.

CompleteFTP is niche, so only a small minority of internet hosts carry these keys. But the broader lesson is sharper: two independent cryptographic implementations (the one in CT certificates and the one in CompleteFTP) made the same mistake. If two did, more probably do.

Backdoor or Bug? Schneier Bets on Deliberate

Bruce Schneier doesn’t stop at “implementation error.” He points out that the failure pattern—regularly spaced zero blocks—is exactly what you’d expect from a backdoor inserted by a motivated agency. In 2013 he wrote about the possibility of governments coercing providers to weaken RSA key generation. The discovery of sparse moduli in two separate codebases makes that theory more plausible than coincidence.

What comes next: cryptanalysts should tailor factoring algorithms specifically for zero-heavy moduli. And every organization that ever shipped an RSA generator needs to audit its output against the Badkeys dataset—before someone else does the math for them.
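
An added example, not code from Badkeys or the original post: a first-pass check for the zero-block pattern described above, suitable for auditing a key generator's output. The 8-byte threshold, the function names and both sample moduli are assumptions constructed for illustration.

```python
"""Flag RSA moduli that contain long runs of zero bytes (defensive audit)."""

# Assumption: 8 zero bytes (64 zero bits) in a row is the alert threshold.
# For random-looking bytes, a given position starts such a run with
# probability 2**-64, so a hit in a healthy key is effectively impossible.
MIN_ZERO_RUN = 8


def zero_runs(modulus: int, min_len: int = MIN_ZERO_RUN):
    """Return (byte_offset, length) for each zero-byte run >= min_len."""
    raw = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    runs, start = [], None
    for i, byte in enumerate(raw + b"\x01"):  # sentinel closes a final run
        if byte == 0:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    return runs


def audit_modulus(modulus: int, min_len: int = MIN_ZERO_RUN):
    """Summarise zero-block findings for one modulus."""
    runs = zero_runs(modulus, min_len)
    gaps = {b[0] - a[0] for a, b in zip(runs, runs[1:])}
    return {
        "suspicious": bool(runs),
        "runs": runs,
        # Same distance between every pair of neighbouring blocks.
        "regular_spacing": len(runs) >= 3 and len(gaps) == 1,
    }


def _filler(n: int, seed: int) -> bytes:
    """Constructed non-zero filler bytes (stand-in for random data)."""
    return bytes(((i + seed) * 37 % 255) + 1 for i in range(n))


# Constructed samples, not real keys and not the layout Badkeys reported.
SPARSE_SAMPLE = int.from_bytes(
    b"".join(_filler(16, k) + bytes(16) for k in range(7)) + _filler(32, 7), "big")
DENSE_SAMPLE = int.from_bytes(_filler(256, 0), "big")

if __name__ == "__main__":
    for name, n in (("sparse", SPARSE_SAMPLE), ("dense", DENSE_SAMPLE)):
        print(name, audit_modulus(n))
```

The check takes the modulus as an integer, so it can be fed from whatever tool already extracts public keys from certificates or SSH host keys.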


Source: Factoring RSA Keys with Many Zeros
Domain: schneier.com
