Mar 25, 2025

A security flaw in RSA encryption keys makes them easily compromised through a mathematical attack When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works . (Image credit: Getty Images) Millions of RSA encryption keys contain major flaws, making them vulnerable to attack, according to new research. Analysis from Keyfactor found around 1 in 172 of all certificates found online are susceptible to compromise through a mathematical attack, equating to potentially millions of keys. The vulnerability mainly affects Internet of Things (IoT) devices, but is a risk for any system using improperly generated RSA keys, or even other encryption schemes such as Elliptic-Curve Cryptography (ECC). "With modest resources, we were able to obtain hundreds of millions of RSA keys used to protect real-world traffic on the internet," said Keyfactor's Jonathan Kilgallin and Ross Vasko. "Using a single cloud-hosted virtual machine and a well-studied algorithm, over one in 200 certificates using these keys can be compromised in a matter of days." Public key cryptography is used to securely transmit data to a remote source, with the RSA algorithm one of the most popular techniques. Data can be encrypted with the public portion of the remote source’s key, and then decrypted only by the private key at the other end. The security of RSA keys is based on two large prime numbers that are used to generate the public key. Get the ITPro. daily newsletter Sign up today and you will receive a free copy of our Focus Report 2025 - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives Contact me with news and offers from other Future brands Receive email from us on behalf of our trusted partners or sponsors By submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over. However, according to Keyfactor, this encryption can be cracked. The root of the problem is poor random number generation, with keys sharing prime factors with other keys. If two keys share a prime factor, both can be broken by computing the Greatest Common Divisor (GCD), allowing the private key to be completely reconstructed. "This is concerning, as a party with a re-derived private key for an SSL/TLS server certificate can impersonate that entity, and network clients attempting to connect to that endpoint cannot distinguish the attacker from the legitimate holder of the certificate," write Kilgallin and Vasco. Compromised RSA encryption keys could wreak havoc In the case of automobiles, medical implants, or other critical devices, for example, the impersonated service could cause the device to malfunction and cause physical harm. The researchers said that almost exactly half the compromised certificates they found contained the name of one particular large network equipment manufacturer - which they didn’t identify as they haven't been able to identify or notify all manufacturers. "This discovery highlights the need for continuous evaluation and improvement of our security infrastructure, particularly as IoT devices are increasingly ubiquitous," commented Javvad Malik, lead security awareness advocate at KnowBe4. RELATED WEBINAR