On Wed, Oct 23, 2024 at 02:03:45AM +0000, Peter Gutmann wrote:
> Matt Palmer <[email protected]> writes:
> >There's roughly 2M keys in the pwnedkeys dataset at present.  Splitting by
> >type can *kinda* be done, insofar as I keep track of whether the format of
> >the key I found was PKCS1, PKCS8, OpenSSH, PuTTY, etc, but that's not
> >definitive, since OpenSSH reads other formats of key, and they're all just
> >big numbers anyway, at the end of the day.
>
> Switching hats to the one that looks a lot like Sherlock Holmes' deerstalker,
> it'd be really interesting to see stats for this since I had no idea there
> were that many compromised keys out there.

It's really pretty wild, isn't it?  And I'm not even plumbing many
sources of keys -- there are a bunch of places I've wanted to go looking
for keys for years, but lack of time and other resources have meant
those dreams have gone as-yet unfulfilled.

There's also tens of thousands of encrypted keys, many of which are
trivially crackable, which I was chipping away at a few years ago when I
had the support of my then-primary client to throw some hardware at the
problem.  (Anyone with a spare OpenCL rig they'd be happy to donate,
please get in touch!)

> I think this would be quite interesting to security researchers
> depending on how much data you've got on the keys, breakdown by key
> types, arrival rate (is it a steady trickle from leaks or does it come
> in bursts due to large-scale compromises), etc.

Well, I don't know if it's actually all that interesting to security
researchers, since I've never had anyone ask in the six years I've been
running Pwnedkeys.  But yes, I've got records of every time I find a
key, including algorithm, bits/curve (as appropriate), when it was
found, where it was found, how it was found, what format it was in, key
passphrase (for cracked keys), and anything else that seemed potentially
useful when I built it.

> Heck, just anything to help us understand key leaks/compromises a bit
> more, until now I didn't even know how bad it was.

Maybe as a first step I just need to put a big "1,994,495[*] COMPROMISED
KEYS FOUND" on the Pwnedkeys frontpage...

I've got a whole load of research ideas floating around, but not the
time to pursue them.  For example, I had an experiment design for a
measurement of the real-world effectiveness of revocation, but couldn't
justify the time commitment to do the work relative to other
(money-making) work.  I don't suppose you've got a spare part-time
research fellowship in your back pocket?

- Matt

[*] Taken from `SELECT COUNT(*) FROM pwnedkeys` as of the time of
writing the above paragraph.

-- 
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/73259665-1751-4b37-951e-438c27e0dda4%40mtasv.net.