Sunday, December 22, 2013

RSA encryption and IntelliJ's 128-bit RSA keys

With the recent press about the NSA's attempts to introduce backdoors into the RSA algorithm and a research paper about how GnuPG encryption keys could be derived from acoustic analysis, I decided to refresh my understanding of how the encryption algorithm works. One of the best intros is located here, and while it doesn't cover the advanced topics of Fermat's Little Theorem, the Extended Euclidean Algorithm, or the Chinese Remainder Theorem, it does show how it works in basic mathematical terms.

I also noticed that the license keys for IntelliJ's JetBrains products are only using 128-bit RSA encryption keys (updated previously from 256 bits to reflect the right size). The reverse engineering work to figure out how they are generated shows how 128-bit keys can be easily factored and the private key derived from the public key and modulus. Since many of IntelliJ's products are built in Java/Swing, the developers must have known that the bytecode could easily be decompiled. Why would they introduce such weak encryption? Given that RSA algorithms are license-free, the most plausible explanation to me seems export-related. If they were to use stronger encryption keys, they would be subject to export reviews.
