Full Report
Interesting research on a new class of weak RSA keys: keys with lots of zeros. It turns out that these keys are out in the wild. The badkeys project is an open-source service that checks public keys for known vulnerabilities. While developing this tool, Hanno collected a massive number of real-world keys from public sources, including Certificate Transparency logs, internet-wide TLS and SSH scans, PGP keys, and many others. By searching this dataset for unexpectedly sparse RSA moduli, we uncovered a large number of keys in the wild with the patterns in Figure 1...
Analysis Summary
# Vulnerability: Weak RSA Key Generation (Sparse Moduli with High Zero-Density)
## CVE Details
- **CVE ID:** Not explicitly cited in the article (Research focuses on a class of implementation flaws).
- **CVSS Score:** High (Estimated 7.5 - 8.1 based on loss of confidentiality).
- **CWE:** CWE-310: Cryptographic Issues; CWE-330: Use of Insufficiently Random Values.
## Affected Systems
- **Products:**
  - **EnterpriseDT CompleteFTP**: Specifically RSA and DSA key generation modules.
  - **NetApp Software**: Referenced in relation to expired certificates.
  - **Public Infrastructure**: Identified in certificates formerly used by Yahoo and Verizon.
- **Versions:**
  - **CompleteFTP RSA Keys:** v10.0.0 through v12.0.0 (Dec 2016 – Mar 2019).
  - **CompleteFTP DSA Keys:** v10.0.0 through v23.0.4 (Dec 2016 – Dec 2023).
- **Configurations:** Systems utilizing default or historical key generation libraries within the specified dates.
## Vulnerability Description
The flaw involves the generation of RSA moduli that are "sparse": they contain large, regularly spaced blocks of all-zero bits interleaved with random data. This structural regularity deviates from the random-looking bit pattern expected of a product of two primes ($n = p \times q$). Such patterns significantly reduce the search space for the prime factors, allowing the keys to be factored with specialized polynomial-based cryptanalytic algorithms. The research suggests these failures occur due to bugs in underlying cryptographic libraries or potentially intentional "backdoor" designs that simplify decryption for those aware of the pattern.
## Exploitation
- **Status:** PoC available (via the "badkeys" project and Trail of Bits research); detected in the wild within Certificate Transparency (CT) logs and SSH scans.
- **Complexity:** Medium (Requires specialized knowledge of the specific sparse pattern to apply factoring algorithms).
- **Attack Vector:** Network (Passive observation of public keys followed by offline factorization).
## Impact
- **Confidentiality:** Total (Encryption can be broken if the private key is derived from the weak public modulus).
- **Integrity:** High (Ability to forge digital signatures or impersonate SSH hosts).
- **Availability:** Low (Direct impact limited to the revocation of compromised keys).
## Remediation
### Patches
- **CompleteFTP:** Users should upgrade to the latest version of CompleteFTP (v23.1.0 or higher) to ensure RSA and DSA keys are generated using a corrected entropy source and math library.
- **NetApp/Others:** Verify that all active certificates are generated with modern, patched libraries.
### Workarounds
- **Key Regeneration:** For affected software versions, generating new keys is insufficient if the software itself is not updated. The underlying software must be patched first, followed by the generation of entirely new key pairs.
- **Key Strength Migration:** Transition to Ed25519 (Edwards-curve Digital Signature Algorithm) for SSH, which is not susceptible to this specific RSA/DSA factoring flaw.
## Detection
- **Indicators of Compromise:** Observation of public keys containing long strings of hexadecimal zeros or repeating sparse patterns.
- **Detection Methods and Tools:**
  - **badkeys:** Use the open-source **badkeys** tool to scan public keys against known weak patterns.
  - **Manual Check:** Inspecting RSA moduli ($n$) in hexadecimal format for significant "00" block density.
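The manual check above can be scripted for key inventories. The following is an added example, not code from the article or from the badkeys project: it reports long all-zero bit runs in a modulus and whether they are regularly spaced. The 32-bit run threshold, the "two or more runs" rule and all function names are assumptions, and both sample moduli are constructed values, not real keys.

```python
import random
import re

# Assumed threshold: in random data a 32-bit zero run starts at a given bit
# position with probability of about 2^-33, so two or more are not chance.
MIN_RUN = 32

def modulus_from_hex(text):
    """Parse a hex modulus such as the output of `openssl x509 -noout -modulus`."""
    text = text.strip()
    if text.startswith("Modulus="):
        text = text[len("Modulus="):]
    return int(re.sub(r"[\s:]", "", text), 16)

def zero_runs(n, min_run=MIN_RUN):
    """Return (offset_from_msb, length) for every run of >= min_run zero bits."""
    runs, start = [], None
    for i, bit in enumerate(bin(n)[2:] + "1"):  # trailing "1" closes a final run
        if bit == "0":
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_run:
                runs.append((start, i - start))
            start = None
    return runs

def assess(n, min_run=MIN_RUN):
    """Summarise the zero-block structure of modulus n."""
    if n <= 0:
        raise ValueError("modulus must be a positive integer")
    runs = zero_runs(n, min_run)
    gaps = {b[0] - a[0] for a, b in zip(runs, runs[1:])}
    return {
        "bits": n.bit_length(),
        "long_zero_runs": len(runs),
        "zero_fraction": sum(length for _, length in runs) / n.bit_length(),
        "regular_spacing": len(runs) >= 3 and len(gaps) == 1,
        "suspicious": len(runs) >= 2,
    }

def constructed_samples(seed=1):
    """Constructed inputs: a dense 2048-bit value and a sparse one (32-bit blocks)."""
    rng = random.Random(seed)
    dense = rng.getrandbits(2048) | (1 << 2047) | 1
    sparse = 0
    for i in range(63):  # random 32-bit words alternating with all-zero words
        word = (rng.getrandbits(32) | 0x80000001) if i % 2 == 0 else 0
        sparse = (sparse << 32) | word
    return dense, sparse

if __name__ == "__main__":
    for name, n in zip(("dense", "sparse"), constructed_samples()):
        print(name, assess(n))
```

A flagged modulus is a reason to run the key through badkeys and schedule replacement; a clean result only rules out this one pattern.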
## References
- Trail of Bits Research: hxxps://blog[.]trailofbits[.]com/2026/06/12/factoring-short-sleeve-rsa-keys-with-polynomials/
- badkeys Project: hxxps://github[.]com/badkeys/badkeys (Reference based on tool description)
- Schneier on Security: hxxps://www[.]schneier[.]com/blog/archives/2026/06/factoring-rsa-keys-with-many-zeros[.]html