Introduction

RSABias is a web presentation of research focused on bias in RSA keys. It contains examples of practical bias usage for estimating an origin of RSA keys in large IPv4 certificates scans and classification of few keys from user.

Try our online classification tool with your own public RSA keys and look, what are possible source, that could generate the keys.

If you would like to know more, go to the Q&A section or visit web pages of original research:

Continuous monitoring

We continuously monitor the popularity of cryptographic libraries from large scans done by Rapid7 and from Certificate Transparency Rocketeer log.

Online classification

Morphology of your RSA public keys

You insert ... keys
Where was/were your key/s generated?
Insert 5 test keys generated by:

Morphology of your RSA public keys

RSA public keys

Most probable source/s

Results accuracy

Negative results

Morphology of your RSA public keys

Results for each key separately

We think that your separate key(s) were generated by (sorted from the most probable)

Result for same source (all inserted keys are assumed to be generated by the same source)
List of known sources
Group name Sources

Q&A section

Q: So what did you do?

A: Figured out that RSA public key is leaking info about a library which created it. So we can tell which library you used for your key - based on public key only.

Q: Is single key enough to identify source library?

A: Sometimes yes, but mostly no. If you have 5 keys from the same source, it will be quite accurate. Just press Classify button above.

Q: Can I mutually distinguish all libraries?

A: Not always. Source libraries introducing exactly same bias to the value of generated public moduli will be undistinguishable.

Q: Can I identify also the version of used library?

A: Sometimes. The new version of a library that did not change source code of key generation method will not be distinguishable from the older one. E.g., OpenSSL 1.0.2f is not distinguishable from OpenSSL 1.0.2g, but OpenSSL 1.0.2g is distinguishable from OpenSSL 2.0.12 FIPS.

Q: Have you tested all libraries of the world?

A: No. We test a lot of them, but not all. We also did not test all possible version of given library. We are also missing hardware sources like SSL accelerators (contact us please, if you have one and like to contribute).

Q: How quickly will be the information leakage vulnerability you found fixed?

A: Probably not soon. The fix would require changing code of key generation method for the most libraries. And developers don't like to mess with that part of crypto too often. Even if fixed in the new version, lot of old legacy libraries will use for a long time.

Q: So how can I protect my key(s)?

A: If you need just one key, it is easy - just generate 5 keys instead of one, let all to be classified by our tool and then keep the one which is classified with the least accuracy. If you need more keys to keep, it is slightly more tricky, but still can be done (with more keys generated and discarded).

Q: Are data you gathered and used publicly available?

A: Definitely! Download everything in datasets section and try own analysis. Please don't forget to cite us.

Q: I want to know more details!

A: Great, then read original paper and technical report for even more details.

Known sources of RSA keys

We present the list of all known sources of RSA keys we have gathered. We separate them into distinct groups with similar or the same properties with a short description of their bias. Each source contains heatmap of keys primes, type of the origin, number of gathered keys, and link to the dataset with raw keys. Besides software libraries, we also mention versions of the software, we used, because sometimes the maintainers decide to change the key generation algorithm (as you can see on Bouncy Castle or mbedTLS source).

Group I

Smart card with fixed top four bits of primes. Bias also on the second least significant bit is present.

G&D SmartCafe 3.2
G&D SmartCafe 3.2 - Heatmap

G&D SmartCafe 3.2 - MSB Histogram

Card
Number of keys: 219,826
Raw keys: Link

Group II

Smart card with fixed top four bits of primes (different fixed values against other G&D smart cards). Biased modulus mod 3 and 4.

G&D StarSign
G&D StarSign - Heatmap

G&D StarSign - MSB Histogram

Card
Number of keys: 1,063,854
Raw keys: Link

Group III

Primes from whole possible range, but with non-uniform distribution of prime q. Biased modulus mod 4.

GNU Crypto
GNU Crypto - Heatmap

GNU Crypto - MSB Histogram

Software library
Tested versions: 2.0.1
Number of keys: 2,772,000
Raw keys: Link

Group IV

Gaussian distribution of primes without bias on modulus mod 3 or 4.

Gemalto GXP E64
Gemalto GXP E64 - Heatmap

Gemalto GXP E64 - MSB Histogram

Card
Number of keys: 250,000
Raw keys: Link

Group V

Special vulnerable implementation by Infineon. More about the vulnerability can be found in ROCA paper of CRoCS laboratory and on official pages of Yubico.

Infineon JTOP 80K
Infineon JTOP 80K - Heatmap

Infineon JTOP 80K - MSB Histogram

Card
Number of keys: 3,050,000
Raw keys: Link
YubiKey 4

We have only public keys from this source.


YubiKey 4 - MSB Histogram

Card
Number of keys: 41,671
Raw keys: Link
YubiKey 4 Nano

We have only public keys from this source.


YubiKey 4 Nano - MSB Histogram

Card
Number of keys: 23,284
Raw keys: Link

Group VI

Primes have top two bits set to one. Biased also in modulus mod 4.

Oberthur Cosmo Dual 72K
Oberthur Cosmo Dual 72K - Heatmap

Oberthur Cosmo Dual 72K - MSB Histogram

Card
Number of keys: 302,773
Raw keys: Link

Group VII

The most popular source in IPv4 TLS certificates scans. Special fingerprint on p-1 and q-1 values, but for classification we use only bias observed on modulus mod 3 and the second most significant bit.

OpenSSL
OpenSSL - Heatmap

OpenSSL - MSB Histogram

Software library
Tested versions: 0.9.7, 1.0.2e, 1.0.2g, 1.0.2k, 1.1.0e
Number of keys: 13,860,000
Raw keys: Link

Group VIII

Only the one source that do not restrict modulus size and generates also smaller keys.

PGP SDK 4 FIPS
PGP SDK 4 FIPS - Heatmap

PGP SDK 4 FIPS - MSB Histogram

Software library
Number of keys: 2,746,878
Raw keys: Link

Group IX

Source similar to group XVII but with slightly biased modulus mod 3.

Taisys SIMoME VAULT
Taisys SIMoME VAULT - Heatmap

Taisys SIMoME VAULT - MSB Histogram

Card
Number of keys: 150,177
Raw keys: Link

Group X

Randomly generated prime p, but biased prime q.

Utimaco Security Server Se50
Utimaco Security Server Se50 - Heatmap

Utimaco Security Server Se50 - MSB Histogram

Software library
Number of keys: 2,000,000
Raw keys: Link

Group XI

Fixed top four bits of primes and bias in modulus mod 3 and also mod 4.

G&D SmartCafe 4.x
G&D SmartCafe 4.x - Heatmap

G&D SmartCafe 4.x - MSB Histogram

Card
Number of keys: 2,125,779
Raw keys: Link
G&D SmartCafe 6.0
G&D SmartCafe 6.0 - Heatmap

G&D SmartCafe 6.0 - MSB Histogram

Card
Number of keys: 286,727
Raw keys: Link

Group XII

Whole range of prime q is used and limited for prime p. Biased modulus mod 3 and 4.

NXP J2D081
NXP J2D081 - Heatmap

NXP J2D081 - MSB Histogram

Card
Number of keys: 2,437,010
Raw keys: Link
NXP J2E145G
NXP J2E145G - Heatmap

NXP J2E145G - MSB Histogram

Card
Number of keys: 250,000
Raw keys: Link

Group XIII

Sources similar to group XVI, but with biased modulus mod 4.

Sage Blum
Sage Blum - Heatmap

Sage Blum - MSB Histogram

Software library
Number of keys: 1,019,996
Raw keys: Link
Sage Provable
Sage Provable - Heatmap

Sage Provable - MSB Histogram

Software library
Number of keys: 1,019,997
Raw keys: Link

Group XIV

Special proprietary implementation with non-uniform and unique distribution of primes. Biased modulus mod 4.

NXP J2A080
NXP J2A080 - Heatmap

NXP J2A080 - MSB Histogram

Card
Number of keys: 3,050,000
Raw keys: Link
NXP J2A081
NXP J2A081 - Heatmap

NXP J2A081 - MSB Histogram

Card
Number of keys: 2,673,990
Raw keys: Link
NXP J3A081
NXP J3A081 - Heatmap

NXP J3A081 - MSB Histogram

Card
Number of keys: 3,040,413
Raw keys: Link
NXP JCOP 41 V2.2.1
NXP JCOP 41 V2.2.1 - Heatmap

NXP JCOP 41 V2.2.1 - MSB Histogram

Card
Number of keys: 1,043,640
Raw keys: Link

Group XV

Sources without biased modulus mod 3 or 4, but with slightly limited range of primes.

Bouncy Castle >=1.54
Bouncy Castle >=1.54 - Heatmap

Bouncy Castle >=1.54 - MSB Histogram

Software library
Tested versions: 1.54
Number of keys: 4,620,000
Raw keys: Link
Crypto++
Crypto++ - Heatmap

Crypto++ - MSB Histogram

Software library
Tested versions: 5.6.0, 5.6.3, 5.6.5
Number of keys: 9,240,000
Raw keys: Link
mbedTLS >=2.9.0
mbedTLS >=2.9.0 - Heatmap

mbedTLS >=2.9.0 - MSB Histogram

Software library
Tested versions: 2.9.0, 2.16.0
Number of keys: 1,000,000
Raw keys: Link
Microsoft CNG
Microsoft CNG - Heatmap

Microsoft CNG - MSB Histogram

Software library
Number of keys: 2,320,000
Raw keys: Link
Microsoft .NET
Microsoft .NET - Heatmap

Microsoft .NET - MSB Histogram

Software library
Number of keys: 2,036,180
Raw keys: Link
Microsoft CryptoAPI
Microsoft CryptoAPI - Heatmap

Microsoft CryptoAPI - MSB Histogram

Software library
Number of keys: 2,308,997
Raw keys: Link
Thales nShieldF3
Thales nShieldF3 - Heatmap

Thales nShieldF3 - MSB Histogram

Software library
Number of keys: 1,000,000
Raw keys: Link

Group XVI

Full range of primes used, condition only on the length of product modulus. Without bias on modulus mod 3 or 4. Sources Bouncy Castle <=1.53 and SunRsaSign have different distribution of primes but not enough for web classification (it will cause misclassification and lower accuracy), but for continuous monitoring of large datasets, they form separated group.

Bouncy Castle <=1.53
Bouncy Castle <=1.53 - Heatmap

Bouncy Castle <=1.53 - MSB Histogram

Software library
Tested versions: 1.53
Number of keys: 2,310,000
Raw keys: Link
Cryptix JCE
Cryptix JCE - Heatmap

Cryptix JCE - MSB Histogram

Software library
Tested versions: 20050328
Number of keys: 2,310,000
Raw keys: Link
FlexiProvider
FlexiProvider - Heatmap

FlexiProvider - MSB Histogram

Software library
Tested versions: 1.7p7
Number of keys: 2,310,000
Raw keys: Link
mbedTLS <=2.8.0
mbedTLS  <=2.8.0 - Heatmap

mbedTLS  <=2.8.0 - MSB Histogram

Software library
Tested versions: 0.10., 1.3.19, 2.2.1, 2.4.2
Number of keys: 11,550,000
Raw keys: Link
Nettle <=2.0
Nettle <=2.0 - Heatmap

Nettle <=2.0 - MSB Histogram

Software library
Tested versions: 2.0
Number of keys: 2,310,000
Raw keys: Link
PuTTY
PuTTY - Heatmap

PuTTY - MSB Histogram

Software library
Tested versions: 0.67
Number of keys: 1,000,000
Raw keys: Link
Sage
Sage - Heatmap

Sage - MSB Histogram

Software library
Number of keys: 2,040,000
Raw keys: Link
SunRsaSign
SunRsaSign - Heatmap

SunRsaSign - MSB Histogram

Software library
Number of keys: 2,310,000
Raw keys: Link

Group XVII

Top two bits of primes set to one. No bias in modulus mod 3 or 4.

Botan
Botan - Heatmap

Botan - MSB Histogram

Software library
Tested versions: 1.5.6, 1.11.29, 2.1.0
Number of keys: 12,098,370
Raw keys: Link
cryptlib
cryptlib - Heatmap

cryptlib - MSB Histogram

Software library
Tested versions: 3.4.3, 3.4.3.1
Number of keys: 6,902,094
Raw keys: Link
Feitian JavaCOS A22
Feitian JavaCOS A22 - Heatmap

Feitian JavaCOS A22 - MSB Histogram

Card
Number of keys: 300,000
Raw keys: Link
Feitian JavaCOS A40
Feitian JavaCOS A40 - Heatmap

Feitian JavaCOS A40 - MSB Histogram

Card
Number of keys: 298,568
Raw keys: Link
Gemalto GCX4 72K
Gemalto GCX4 72K - Heatmap

Gemalto GCX4 72K - MSB Histogram

Card
Number of keys: 250,000
Raw keys: Link
Libgcrypt
Libgcrypt - Heatmap

Libgcrypt - MSB Histogram

Software library
Tested versions: 1.6.0, 1.6.5, 1.7.6
Number of keys: 12,540,000
Raw keys: Link
Libgcrypt FIPS <=1.6.5
Libgcrypt FIPS <=1.6.5 - Heatmap

Libgcrypt FIPS <=1.6.5 - MSB Histogram

Software library
Tested versions: 1.6.0, 1.6.5
Number of keys: 4,840,000
Raw keys: Link
LibTomCrypt
LibTomCrypt - Heatmap

LibTomCrypt - MSB Histogram

Software library
Tested versions: 1.17
Number of keys: 2,310,000
Raw keys: Link
Nettle >=3.2
Nettle >=3.2 - Heatmap

Nettle >=3.2 - MSB Histogram

Software library
Tested versions: 3.2, 3.3
Number of keys: 6,930,000
Raw keys: Link
Oberthur Cosmo 64
Oberthur Cosmo 64 - Heatmap

Oberthur Cosmo 64 - MSB Histogram

Card
Number of keys: 121,750
Raw keys: Link
OpenSSL FIPS
OpenSSL FIPS - Heatmap

OpenSSL FIPS - MSB Histogram

Software library
Tested versions: 2.0.12, 2.0.14
Number of keys: 6,930,000
Raw keys: Link
PGP SDK 4
PGP SDK 4 - Heatmap

PGP SDK 4 - MSB Histogram

Software library
Number of keys: 3,653,208
Raw keys: Link
SafeNet Luna SA 1700 LAN
SafeNet Luna SA 1700 LAN - Heatmap

SafeNet Luna SA 1700 LAN - MSB Histogram

Software library
Number of keys: 3,180,001
Raw keys: Link
WolfSSL
WolfSSL - Heatmap

WolfSSL - MSB Histogram

Software library
Tested versions: 2.0rc1, 3.10.2, 3.9.0
Number of keys: 9,240,000
Raw keys: Link

Other sources

We have less then 100,000 keys from these sources, therefore they were not used in statistical model. We can assume, that YubiKey NEO shares the implementation with cards from group XII, Athena IDProtect is similar to sources from group XVII, and from some statistics, we assume that Libgcrypt FIPS 1.7.6 forms unique group.

Athena IDProtect
Athena IDProtect - Heatmap

Athena IDProtect - MSB Histogram

Card
Number of keys: 60,087
Raw keys: Link
YubiKey NEO

We have only public keys from this source.


YubiKey NEO - MSB Histogram

Card
Number of keys: 12,681
Raw keys: Link
Libgcrypt FIPS 1.7.6
Libgcrypt FIPS 1.7.6 - Heatmap

Libgcrypt FIPS 1.7.6 - MSB Histogram

Software library
Tested versions: 1.7.6
Number of keys: 37,019
Raw keys: Link