Paper 2018/299

Clusters of Re-used Keys

Stephen Farrell

Abstract

We survey the long-term cryptographic public keys, (for SSH, e-mail and HTTP protocols), on hosts that run the SMTP protocol in ten countries. We find that keys are very widely re-used across multiple IP addresses, and even autonomous systems. From one run scanning 18,268 hosts in Ireland that run at least one TLS or SSH service, approximately 53% of the hosts involved are using keys that are also seen on some other IP address. When two IP addresses share a key, then those two IP addresses are considered members of the same cluster. In the same scan we find a maximum cluster size of 1,991 hosts and a total of 1,437 clusters, mostly with relatively few hosts per cluster (median cluster size was 26.5, most common cluster size is two). In that scan, of the 54,447 host/port combinations running cryptographic protocols, we only see 20,053 unique keys (36%), indicating significant key re-use across hosts and ports. Scans in other countries demonstrate the same issue. We describe the methodology followed and the published source code and public data sources that enable researchers to replicate, validate and extend these results. Clearly, such key re-use can create undesirable security and privacy dependencies between cluster members. A range of causes for key sharing have been confirmed, including multi-homed hosts, mirroring, large-scale use of wildcard public key certificates, cloning virtual machines that already contain host keys and vendors shipping products with hard-coded or default key pairs. Discussions with local (Irish) asset-owners to better understand the reasons for key re-use and to possibly assist with improving network posture are ongoing, and we will continue to incorporate resulting findings in revisions of this article.

Note: Adds protocol version counts.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Preprint. MINOR revision.
Keywords
applications key re-use surveys
Contact author(s)
stephen farrell @ cs tcd ie
History
2018-07-07: last of 8 revisions
2018-03-30: received
See all versions
Short URL
https://ia.cr/2018/299
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2018/299,
      author = {Stephen Farrell},
      title = {Clusters of Re-used Keys},
      howpublished = {Cryptology ePrint Archive, Paper 2018/299},
      year = {2018},
      note = {\url{https://eprint.iacr.org/2018/299}},
      url = {https://eprint.iacr.org/2018/299}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.