1 June 1998


Date: Mon, 01 Jun 1998 10:51:58 -0400
To: jy@jya.com
From: Ed Stone <estone@synernet.com>
Subject: Thawte Digital ID Process - More weak RSA 512-bit keys for
  S/MIME-apps

Thawte is a Certificate Authority headquartered in South Africa. Its Digital
ID database center is located in the Washington, DC area. Using the MSIE 4.0x
domestic US-high-security version from a Win95 machine, and getting a trial
certificate from them, one encounters a web page similar to the one at
VeriSign, but for those seeking MSIE S/MIME email certs, and connecting using 
the high-security MSIE browser, the key length that you may obtain is displayed 
in a drop down box, with "1024 bits" selected.

Ah, a strong key. Select it, generate your key, and get your certificate. Now 
you have a strong, secure, long RSA 1024-bit asymmetric key protecting your 
email, right? Wrong. You selected 1024-bit key length, but without notice, the 
Thawte enrollment process generates an RSA 512-bit key on your local machine. 
Weak crypto.

It is clear that the current web-based enrollment process of Thawte and
VeriSign can lead some users of the MSIE high-security browser to unknowingly
generate weak keys.

For a description of the VeriSign process, see http://www.jya.com/vs-msie.htm

RSA 512-bit crypto is not recommended (by RSADSI) for use at this time even
for low to moderate security applications. See RSADSI's security estimate for
RSA 512-bit keys at

http://www.rsa.com/rsalabs/pubs/techreports/security_estimates.pdf.

Non-crypto-techie users of these keys may believe they have serious security,
when they do not. Those who seek to have S/MIME taken seriously should be
concerned about this failing. S/MIME advocates who are also proponents of
strong crypto will undoubtedly find this lapse of security unacceptable, and
make their concerns known.

--------------------------
Ed Stone
estone@synernet.com
--------------------------