KeyChest Blog

What would happen within one year after RSA got suddenly broken?

May 19, 2019 9:10:02 PM / by Dan

This is not such a hypothetical question, as the ROCA attack gave us a taste of it in autumn 2017. A lot of stuff was happening behind the scenes, and I believe there are many enterprises yet to realise some important vulnerabilities (e.g., encrypted documents without proper protection).


What happened then was that affected parties were notified some 9 months before the attack was published. Interestingly, the publication date was fixed mainly because the attack was to be presented at a conference, so companies like HP, Microsoft and Google couldn’t make the authors push the publication date back. They did, however, successfully obtain pre-release notification, which made life harder for companies “further down the food chain”.

For anything on that scale, assuming it was discovered by law-abiding persons or companies, the “management” of the knowledge would likely be taken over by security agencies, a wide consortium of enterprises, or both.

Now, let’s assume the inventors are not happy with keeping it secret and simply publish it. Everything that follows is pure speculation :)

  1. day 1 - the authors try to find publishing outlets and start getting visibility
  2. day 2 - the first injunctions and gagging orders are issued; news spreads via social networks
  3. day 7–14 - the discovery is taken seriously enough for people to start verifying it
  4. day 14 - security patches for web browsers and applications extend RSA signatures with timestamps, peer-to-peer verification, etc.
  5. day 21 - corporations start realising that the biggest problem is document stores (not transactions)
  6. day 30 - tools are out there, both closed and open-source
  7. day 90 - many applications replace RSA with peer-to-peer symmetric encryption
  8. 1–2 years on - RSA is replaced with a new algorithm

Tags: security, quora, incident response


Written by Dan