On September 19, in a conference room at the Pelican Hill Resort in Newport Beach, California, Crown Sterling CEO Robert Grant, COO Joseph Hopkins, and two programmers demonstrated what Grant said was a cryptography-cracking algorithm. Before an audience that a Sterling Crown spokesman described as “approximately 100 college students and business professionals,” Grant and Hopkins had their minions generate two pairs of 256-digit encryption keys. bit RSA and then get the prime numbers used to generate them from the public key in about 50 seconds.
In a phone interview with Ars Technica today, Grant said the video was taken during a “commercial session” at the event. The “academic” presentation, which goes into the math behind his claims and a new book that has been published, was attended by “mostly people from area colleges,” Hopkins said. Grant said he did not know who attended both sessions, and the CEO added that he did not have access to the invitation list.
During the presentation, Grant invited Chris Novak, global director of Verizon Enterprise Solutions’ Threat Research Advisory Center, to name him as a member of Crown Sterling’s advisory board. There was an outcry during Grant’s controversial comments about the investigation of the company’s information security officials. The study found that only 3% had an understanding of the basic math behind encryption.
The video of the show is Here. (The video was briefly marked as private, but it’s back up again.)
The demo is from a MacBook Pro, but it appears to be running in part through a secure shell session to a server. Grant says the function can be used to “calculate” a 512-bit RSA key in “as little as five hours” using what Grant describes as “standard math.”
The revelation only casts more doubt about Grant’s work and about the main role of Crown Sterling—an encryption product called Time AI that Grant says will use the time signature of AI-generated music to generate “quantum” keys. -entangled”. Grant’s efforts to show how weak RSA’s long-standing features were met with what could be described as scorn by a number of cryptography and security experts.
Mark Carney, a PhD candidate at the University of Leeds, used it Msieve, a well-established format, on your laptop. Carney cracked numbers many times larger than RSA keys into primers in about 20 seconds. “These (are) it’s not 256-bit keys are just bigger than 256-bit numbers,” he explained, but “these in using standard quadratic sieve methods. Since I haven’t messed with this preliminary test too much, this is an underestimation of Msieve running the Crown Sterling algorithm by roughly 50 percent.
Henryk Plötz, a computer scientist in Berlin, conducted his own experiment, with similar results:
Well, this is Sagemath on my Ultrabook (X1 Carbon 2017).
I think the default implementation is single-threaded. So, “50 seconds” is really expected performance on a 4-core laptop. pic.twitter.com/2WlvZaR0vk
– Henryk Plötz (@henrykploetz) September 20, 2019
So is security researcher Rob Graham of Errata Security.
Magicians who see half-assed women on stage are more convincing than a laptop generating 256-bit RSA keys in a hotel room.
— Rob Graham (@ErrataRob) September 20, 2019
Pressed on the issue of the work by Ars, Grant said that the presentation was only to show the weakness of the RSA algorithm. Grant emphasized that weak RSA keys are still widely used. “Some banks still use DES encryption,” he said, referring to the Digital Encryption Standard—a 56 bit encryption technology developed by IBM in the 1970s that is still the standard. that the government has approved for the last programs until 2003. Therefore, Grant emphasized, the demonstrations are still valid.
Ars shared the video with Jake Williams, founder of Rendition Infosec and former member of the National Security Access Services Association. “I was saddened to see that,” Williams said. “Bragging that you can generate a 256 bit RSA key in 2019 is like bragging about hacking an unencrypted Windows 2000 box. Sure you can, but no one should care.” A 256-bit key, Williams said, is “very small.” (Digital certificates from known certificate authorities have used RSA 2048-bit keys for more than seven years.)
Williams publicly challenged Crown Sterling last month to a third-party assessment of their crypto-breaking capabilities:
The presentation must be managed by a third party of my choice, who will generate RSA keys at the end of the 2019 industry conference for sensitive data protection (2048). Data will be encrypted and Crown Sterling will have a public key (as is the norm in the wild). 2/
— Jake Williams (@MalwareJake) August 29, 20191
Nicholas Weaver, lecturer at the University of California Berkeley Department of Electrical Engineering and Computer Sciences, responded to Grant’s latest revelation with this statement to Ars:
It is already an open question whether Mr. Grant is a fraud or just a fraud. Your latest press release now makes me convinced that it is a deliberate fraud.
You get a lot of feedback from photographers, both polite and rude, so showing this level of continued ignorance is loved at this point. Your video starts with a ridiculous false assumption that is all there is to public key. He then emphasized that breaking a 256 bit RSA key or even a 512b key is somehow revolutionary. It’s not. Professor (Nadia) Heninger at UCSD, as part of her work on the FREAK attack, showed that generating a 512 bit key was easily done with less than $100 of computing time in 2015.
His further suggestion that breaking the 512-bit limit to RSA is also ridiculous on its face. Modern RSA is usually 2048 or higher, and there is a near-increase in the processing difficulty with the number of dimensions.
At this point I have to conclude that it is an outright fraud, and that the most likely explanation is to raise investment from unscrupulous investors. And now I wonder how many other companies that have started are fraudulent as well.
In a blog post earlier this monthSecurity experts and Harvard Kennedy School coach Bruce Schneier explained, “Crown Sterling is over and he spits out snake oil.” Grant laughed at the statement, telling Ars that he had ordered a bottle of Pride of Strathspey Scotch whiskey with the traditional “oil snake” logo.