About the supposed factoring of a 4096 bit RSA key

231 points by hachiya about 10 years ago

6 comments

diafygi about 10 years ago
It is highly likely that this is the work of a troll.

The RSA subkey that was factored has an invalid self-signature in hpa's public key[1], which means that it wasn't really hpa who added the subkey. Since the sks-keyserver pool doesn't verify signatures[2], anyone could have inserted that subkey. So anyone could have purposefully picked an exploitable RSA subkey, added a fake signature to it, and uploaded it to the sks-keyserver pool.

Luckily, GPG will drop the subkey when retrieving hpa's public key since it doesn't have a valid self-signature. But for anyone scanning all the public keys without verifying signatures (for research, etc.), this key might get recognized and cause a shitstorm. Which is exactly what has happened.

So far, there's no evidence that there is a conspiracy to weaken RSA keys. There is only evidence that someone inserted a bogus subkey into hpa's public key. There will be evidence of a conspiracy if we find a weak RSA key in the strongset that has a valid self-signature.

[1]: https://gist.github.com/anonymous/ba23ca66d2ca249e6f84#file-hpa-pub-json-L490

[2]: https://lists.gnupg.org/pipermail/gnupg-devel/2015-March/029606.html
lawnchair_larry about 10 years ago
I feel like everyone is being quick to write this off as "some random, harmless error", probably because the focus is that RSA is not broken, rather than asking what this was really about.

"The only case where this could matter would be a broken implementation of the OpenPGP key protocol that does not check if subkeys really belong to a master key."

I'd be curious to explore that further.

This kernel developer has been targeted in the past:

http://arstechnica.com/security/2013/09/who-rooted-kernel-org-servers-two-years-ago-how-did-it-happen-and-why/

"During that time, attackers were able to monitor the activities of anyone using the kernel.org servers known as Hera and Odin1, as well as personal computers belonging to senior Linux developer H. Peter Anvin. The self-injecting rootkit known as Phalanx had access to a wealth of sensitive data, possibly including private keys used to sign and decrypt e-mails and remotely log in to servers. A follow-up advisory a few weeks later opened the possibility that still other developers may have fallen prey to the attackers."

Edit: The key in question was created the day before this post by HPA regarding the compromise:

https://lwn.net/Articles/460376/
acqq about 10 years ago
For anybody who wants to think about how such an entry happened, it seems that the difference between the two presented numbers is in exactly 32 bytes (256 bits):

    913ff626efddfb f8ae8f1d40da8d13 a90138686884bad1 9db776bb4812f7e3 b2
    c37b8cca2eb4ac 1e889d1027bc1ed6 664f3877cd7052c6 db5567a3365cf7e2 c6

starting from the 162nd byte if I counted correctly, which means the first 5 * 32+1 (or 2 * 80+1) bytes are the same, then 32 bytes differ.

(The "easily factorable" number has two bytes which are represented as "bad1" in hex).

But thinking about the 256 bits, that's exactly the size of a block on which a typical symmetrical cypher can operate, which suggests some kind of a bug, although the offset of 161 bytes is a bit strange.

The human would probably just change a few bits to achieve the same effect, not 256, unless he wanted to encode some message, and it doesn't look so. But see also the post of lawnchair_larry here.
Dylan16807 about 10 years ago
Or the much simpler counter, anything with a factor of three ain't a 'real' 4096 bit RSA key. Even if it was in use, it would say nothing about RSA. Referring to it as a "4096 bit RSA key" is a red herring.
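
The sanity check implied by the comment above, as an added example that is not part of the original thread: a number with a factor of three fails trial division by small primes long before any real factoring effort is needed. The function names, the 10,000 bound and the sample values (Mersenne primes standing in for p and q) are assumptions constructed for illustration.

```python
# Added example: sanity checks for RSA moduli collected from a source that
# does not verify signatures. All sample values below are constructed.

def small_primes(limit):
    """Sieve of Eratosthenes: all primes below `limit`."""
    sieve = bytearray([1]) * limit
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            # Clear every multiple of i starting at i*i.
            sieve[i * i::i] = bytearray(len(range(i * i, limit, i)))
    return [i for i, flag in enumerate(sieve) if flag]

PRIMES = small_primes(10_000)  # bound is an arbitrary choice for the example

def small_factors(n):
    """Primes below 10,000 that divide n (plain trial division)."""
    return [p for p in PRIMES if n % p == 0]

def audit_modulus(n, expected_bits):
    """Return the reasons n cannot be a sound RSA modulus of that size."""
    findings = []
    if n.bit_length() != expected_bits:
        findings.append(f"bit length {n.bit_length()} != {expected_bits}")
    factors = small_factors(n)
    if factors:
        findings.append(f"small prime factors: {factors}")
    return findings

# Constructed stand-ins (not keys from the thread): two Mersenne primes
# play the role of p and q; the "bogus" value carries the factors 3 and 5.
P, Q = 2**2203 - 1, 2**2281 - 1
SOUND = P * Q
BOGUS = 3 * 5 * (2**521 - 1)

if __name__ == "__main__":
    for name, n in (("sound", SOUND), ("bogus", BOGUS)):
        result = audit_modulus(n, SOUND.bit_length())
        print(name, result or "no findings")
```

An empty result only means the value passed these two checks; it says nothing about whether the key carries a valid self-signature.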
undata about 10 years ago
https://news.ycombinator.com/item?id=9560790
timothya about 10 years ago
Meanwhile, on the original post, the author is acting like HN was tampering with the ranking of the article because it started doing poorly after people realized that a real key wasn't factored:

> "Update II : Amusingly enough, it seems Hacker News hand-diddled their story list to remove this discussion. Way to go Ydumbinator crew!" [0]

[0]: http://trilema.com/2015/full-disclosure-4096-rsa-key-in-the-strongset-factored/