Factoring 512-bit RSA Moduli for Fun (and a Profit of $9,000)

The recent FREAK attack highlighted widespread support for export-grade RSA keys in TLS servers. We present the results of an IPv4-wide survey of TLS servers performed roughly one week after FREAK was announced. We found that only 9.7% of servers now support such export-grade RSA keys. However, we also found that some keys are repeated with high frequency, making each of them an attractive target for a direct factoring attack; one key in particular was repeated 28,394 times. We also computed the pairwise gcds of all the export-grade RSA moduli that we found, leading to 90 factorisations. These moduli correspond to 294 different hosts. The computation took less than 3 minutes on an 8-core system, saving the $9,000 that a cloud computation would have cost if each modulus had been attacked directly. We consider this to be a good return on investment for a Friday afternoon’s work.