Computer scientists win Best Paper Award at 21st USENIX Security Symposium

Wustrow, Halderman, and Durumeric

A team of computer science security researchers including U-M graduate students Zakir Durumeric and Eric Wustrow, Professor J. Alex Halderman, and UC San Diego postdoctoral researcher Nadia Heninger has won the Best Paper Award at the 21st USENIX Security Symposium, which took place August 8 – 10, 2012 in Bellevue, WA.

The paper, entitled “Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices,” details a large-scale study of RSA and DSA cryptographic keys in use on the Internet and finds that a significant number of keys are insecure due to insufficient randomness. These keys are being used to secure TLS (HTTPS) and SSH connections for hundreds of thousands of hosts.

Amongst the findings, the researchers state that:

  • They found that 5.57% of TLS hosts and 9.60% of SSH hosts share public keys in an apparently vulnerable manner, due to either insufficient randomness during key generation or device default keys.
  • They were able to remotely obtain the RSA private keys for 0.50% of TLS hosts and 0.03% of SSH hosts because their public keys shared nontrivial common factors due to poor randomness.
  • They were able to remotely obtain the DSA private keys for 1.03% of SSH hosts due to repeated signature randomness.

According to the researchers, the security flaw largely affects headless and embedded network devices, such as routers, firewalls, and server management cards. These types of devices often generate keys automatically on first boot, and lack many of the physical sources of randomness used by traditional PCs to generate random numbers. They identified apparently vulnerable devices and software from 54 manufacturers and notified those companies about the problems.
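The shared-key and shared-factor weaknesses in the findings above can be checked for across an operator's own inventory of RSA public moduli with a batch GCD. The following is an added example, not code from the paper or this article; the product/remainder-tree method, the function names and the toy moduli are assumptions constructed for illustration.

```python
from math import gcd, prod

def product_tree(values):
    """Levels of pairwise products; the last level holds the product of all values."""
    tree = [list(values)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([prod(level[i:i + 2]) for i in range(0, len(level), 2)])
    return tree

def shared_factors(moduli):
    """For each modulus N_i return gcd(N_i, product of all the other moduli).
    1 means nothing is shared; any other value marks a key that needs regenerating."""
    tree = product_tree(moduli)
    rems = tree.pop()                       # [P], where P is the product of all moduli
    while tree:
        level = tree.pop()
        # Push P down the tree so that each leaf ends up holding P mod N_i^2.
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(level)]
    # (P mod N_i^2) // N_i equals (P / N_i) mod N_i, the product of the other moduli.
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]

def audit(inventory):
    """Map host -> (reason, shared value) for every key that fails the check."""
    hosts = list(inventory)
    moduli = [inventory[h] for h in hosts]
    report = {}
    for host, n, g in zip(hosts, moduli, shared_factors(moduli)):
        if g == n:
            report[host] = ("duplicate-modulus", g)   # same key on several hosts
        elif g != 1:
            report[host] = ("shared-prime", g)        # one prime reused across keys
    return report

# Constructed toy inventory: tiny moduli standing in for real 1024/2048-bit keys.
SAMPLE = {
    "host-a": 101 * 103,
    "host-b": 101 * 107,   # shares the prime 101 with host-a
    "host-c": 109 * 113,
    "host-d": 109 * 113,   # identical to host-c, as with a device default key
    "host-e": 127 * 131,   # unrelated key
}

if __name__ == "__main__":
    for host, (reason, value) in audit(SAMPLE).items():
        print(f"{host}: {reason} ({value})")
```

Hosts reported here should have their keys regenerated on a system with a properly seeded random number generator.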

Prof. Halderman received his Ph.D. in Computer Science from Princeton in 2009 and joined the faculty at Michigan the same year. He is a noted security expert whose research spans applied computer security and tech-centric public policy. His research projects have dealt with electronic voting, software security, data privacy, anticensorship, digital rights management, and cybercrime. He has taught EECS 588, Computer and Network Security, and EECS 398, Introduction to Computer Security. In Fall 2012, he will teach Securing Digital Democracy, a massive open online course through Coursera.