🟠 High  |  Source: Schneier on Security
Researchers have identified a new class of weak RSA keys characterised by an unusually high number of zero bits in the modulus, making them vulnerable to factorisation attacks. Analysis of real-world key datasets — including Certificate Transparency logs, TLS/SSH scans, and PGP keys — confirmed these vulnerable keys exist in production environments. If an attacker can factorise an RSA key, they can decrypt communications or forge signatures protected by that key.

Security Architect’s Take: Run your organisation’s public RSA keys through the badkeys tool to check for sparse moduli and other known weaknesses; prioritise any keys used in TLS certificates, SSH host keys, or code signing. Consider enforcing key generation through vetted, standards-compliant libraries and adding automated key-quality checks to your certificate lifecycle management pipeline.
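As an added illustration of the kind of key-quality check described above (this is example code written for this summary, not code from the Schneier post, the underlying paper, or the badkeys project), the script below parses OpenSSH `ssh-rsa` public key lines, extracts the modulus, and flags moduli whose zero-bit count is far above what a product of two random primes would show. The flagging rule is an assumption of this example: for a random-looking modulus of b bits, the number of zero bits behaves roughly like a fair-coin count with mean b/2 and standard deviation sqrt(b)/2, so a z-score well above zero is treated as suspicious; the 4-sigma threshold is an illustrative choice, not the criterion badkeys uses. The two sample moduli are constructed bit patterns, not real RSA keys, chosen so the zero counts are exact.

```python
"""Flag RSA moduli with an unusually high number of zero bits (sparse moduli).

Example code for a key-quality check; the z-score heuristic is an assumption
and the sample keys are constructed bit patterns, not real RSA keys.
"""
import base64
import math
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one RFC 4251 'string' (4-byte big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an RFC 4251 'mpint'.

    One extra byte is allowed so that a leading 0x00 is present whenever the
    top bit of the first significant byte is set (mpints are signed)."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def encode_ssh_rsa(e: int, n: int, comment: str = "example") -> str:
    """Build an OpenSSH public key line from (e, n); used here to construct test input."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def parse_ssh_rsa(line: str) -> tuple:
    """Return (e, n) from an 'ssh-rsa AAAA... comment' line; raises on malformed input."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1])
    parts, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + length > len(blob):
            raise ValueError("truncated string field")
        parts.append(blob[off:off + length])
        off += length
    if len(parts) != 3 or parts[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(parts[1], "big"), int.from_bytes(parts[2], "big")


def zero_bit_stats(n: int) -> dict:
    """Count zero bits in n and compare against the fair-coin expectation (assumed model)."""
    bits = n.bit_length()
    ones = bin(n).count("1")
    zeros = bits - ones
    expected = bits / 2           # mean zero count for a random-looking modulus
    sigma = math.sqrt(bits) / 2   # standard deviation of that count
    return {"bits": bits, "zeros": zeros, "z_score": (zeros - expected) / sigma}


def is_sparse_modulus(n: int, z_threshold: float = 4.0) -> bool:
    """Heuristic: flag when the zero-bit excess exceeds z_threshold standard deviations."""
    return zero_bit_stats(n)["z_score"] > z_threshold


def scan_key_lines(lines) -> list:
    """Return [(comment, stats)] for every ssh-rsa line whose modulus looks sparse."""
    flagged = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            _, n = parse_ssh_rsa(line)
        except ValueError:
            continue  # not an ssh-rsa key (e.g. ed25519); outside this check's scope
        if is_sparse_modulus(n):
            comment = line.split(maxsplit=2)[2] if len(line.split()) > 2 else ""
            flagged.append((comment, zero_bit_stats(n)))
    return flagged


# Constructed samples (not RSA keys): a 2048-bit pattern with exactly 1025 one
# bits standing in for a healthy modulus, and the same pattern with bits
# 512..1535 cleared, standing in for a modulus with a large zero region.
SAMPLE_DENSE = int.from_bytes(bytes(range(255, -1, -1)), "big") | 1
SAMPLE_SPARSE = SAMPLE_DENSE & ~(((1 << 1024) - 1) << 512)

SAMPLE_KEY_LINES = [
    "# constructed authorized_keys-style input",
    encode_ssh_rsa(65537, SAMPLE_DENSE, "dense-sample"),
    encode_ssh_rsa(65537, SAMPLE_SPARSE, "sparse-sample"),
]

if __name__ == "__main__":
    for comment, stats in scan_key_lines(SAMPLE_KEY_LINES):
        print(f"FLAGGED {comment}: {stats['zeros']}/{stats['bits']} zero bits "
              f"(z = {stats['z_score']:.1f})")
```

Run against a real `authorized_keys` or `ssh_host_rsa_key.pub` file by reading its lines into `scan_key_lines`; anything flagged is a candidate for re-generation with a vetted library, and the statistical threshold is deliberately conservative so that a normal modulus (whose z-score sits near zero) is not reported.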

Original advisory: Factoring RSA Keys with Many Zeros