This is something people with only basic exposure to cryptography and security are confused about a lot.
To them “breaking RSA” and “breaking something using RSA” sound essentially the same.
Systems are only as strong as their weakest part.
Nobody bothers attacking basic cryptographic primitives like AES, or RSA, or SHA-1 in practice. These are standardized, simple, have extremely straightforward interfaces, are very well researched, and have an enormous level of public exposure. Even theoretical weaknesses found occasionally tend to have little practical relevance.
What gets attacked is everything else. Implementation bugs, protocol corner cases, differences between assumptions and actual requirements, side channels, human factors, and very few people ever looking at it. They are highly complicated, messy, with no clear boundaries, and every system starts essentially from scratch.
When P(system is secure) = P(system is secure | AES is secure) · P(AES is secure), you want to focus all your effort on P(system is secure | AES is secure). Both protection effort and backdooring effort.
RSA is somewhere between the two. It’s somewhat more complex, and the requirements for securely using RSA are a lot more complicated than for securely using AES. All of public key crypto is built on far weaker foundations than private key crypto. There’s very little hard number theory involved.
When you say “nobody” you mean actual attackers—obviously researchers attack these things all the time. And you do get practical breaks as a result of breaks in cryptography—WEP is the most famous example.
But WEP is a perfect example. WEP is a protocol which uses RC4 for crypto.
RC4 was a really bad proprietary cipher to use, with well known weaknesses even back then, and with key sizes providing no security margin at all. It is essentially a horrible cipher, and they could have barely chosen a worse one while even pretending they tried.
And yet, even with all such horrible decisions about RC4, the primary problem was still not in RC4. WEP didn’t even use RC4 correctly. RC4 only tries to be secure if you don’t reuse IVs, otherwise all bets are off. WEP completely ignored that. Mishandling IVs/nonces is not even anything obscure—it’s one of the basics.
What then-known weaknesses in RC4 do you have in mind?
I don’t get your meaning about key sizes, could you be more specific?
WEP does not re-use IVs.
WEP uses 24-bit IVs. Birthday paradox guarantees IV reuse.
Original WEP uses a 40-bit key. This is already borderline broken, so any extra weakness moves us into the trivially-broken-in-seconds territory WEP occupies now.
RC4 weak key schedule.
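An added example (my code, not from the thread) that puts numbers on the 24-bit IV claim above and shows why a repeated IV is fatal for a stream cipher like RC4; the keystream and sample frames are constructed stand-ins, not RC4 output.

```python
# Added illustration, not code from the thread: how quickly a 24-bit IV space
# repeats under the birthday bound, and why a repeated IV matters for a stream cipher.
import math

IV_BITS = 24               # WEP IV width, as stated in the thread
IV_SPACE = 1 << IV_BITS    # 16,777,216 distinct IV values

def p_no_repeat(frames: int, space: int = IV_SPACE) -> float:
    """Exact probability that `frames` uniformly random IVs are all distinct."""
    p = 1.0
    for i in range(frames):
        p *= (space - i) / space
    return p

def p_repeat(frames: int, space: int = IV_SPACE) -> float:
    """Probability that at least one IV value is used twice."""
    return 1.0 - p_no_repeat(frames, space)

def p_repeat_approx(frames: int, space: int = IV_SPACE) -> float:
    """Textbook birthday approximation 1 - exp(-n(n-1)/2N)."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))

def frames_until(target: float, space: int = IV_SPACE) -> int:
    """Smallest frame count at which P(some IV repeats) reaches `target`."""
    p_distinct, n = 1.0, 0
    while 1.0 - p_distinct < target:
        p_distinct *= (space - n) / space
        n += 1
    return n

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def plaintext_xor_under_reuse(p1: bytes, p2: bytes, keystream: bytes) -> bytes:
    """Two frames encrypted under the same key+IV share one keystream, so
    C1 xor C2 = P1 xor P2: the keystream cancels and plaintext structure leaks."""
    c1, c2 = xor_bytes(p1, keystream), xor_bytes(p2, keystream)
    return xor_bytes(c1, c2)

if __name__ == "__main__":
    for n in (1000, frames_until(0.5), 20000):
        print(f"{n:6d} frames: P(IV repeat) = {p_repeat(n):.4f} "
              f"(approx {p_repeat_approx(n):.4f})")
    # A sequential IV counter is no better: it wraps after IV_SPACE frames.
    ks = bytes(range(16))  # constructed stand-in keystream, not RC4 output
    print(plaintext_xor_under_reuse(b"constructed text", b"second sample!!!", ks))
```

With random IVs the 50% repeat point lands at a few thousand frames, a tiny fraction of the 16.7 million IV space; the lesson for a defender is that nonce width, not just key width, bounds how much traffic a key can safely carry.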