Factoring "Short-Sleeve" RSA Keys: Detection and Remediation of Biased Cryptographic Material

Security Arsenal Team
June 13, 2026

On June 12, 2026, researchers from Trail of Bits, in collaboration with Hanno Böck of the badkeys project, disclosed a critical class of cryptographic vulnerabilities termed "short-sleeve" RSA keys. This issue affects RSA key pairs where the private key bits are heavily biased toward zero rather than exhibiting the expected random distribution.

This bias is not merely a theoretical flaw; it allows attackers to derive the private key from the public modulus using a novel polynomial-based cryptanalytic technique. The research team has already identified and factored hundreds of unique keys in the wild that exhibit this trait. For defenders, this is an urgent call to action: the presence of even a single weak key on a critical server can lead to total compromise of the associated service and trust chain.

Technical Analysis

The "Short-Sleeve" Vulnerability

RSA security relies entirely on the randomness of the prime numbers generated during key creation. If the entropy source is weak or the generation logic is flawed, the resulting keys may carry discernible patterns. In this instance, the affected keys show a "short-sleeve" characteristic—long sequences of 0-bits within the key structure.

Attack Vector

The attack exploits these repeating blocks of 0-bits (see Figure 1 in the source report). Because the bias is often highly structured, researchers developed a powerful polynomial method to factor the modulus significantly faster than brute-force or general number field sieve (GNFS) methods would allow for similarly sized keys. This reduces the factoring time from "universe-heat-death" timescales to mere seconds or minutes for the most severely affected keys.

Root Cause

While the specific buggy implementation varies, the issue stems from a failure in the random number generation (RNG) or key handling logic within specific cryptographic libraries or hardware modules. The "bug" found by researchers resulted in keys that are mathematically weak due to these zero-biased bit patterns. Any system using keys generated by this flawed logic is vulnerable to private key recovery, allowing attackers to decrypt traffic, forge signatures, or impersonate services.

Detection & Response

Detecting "short-sleeve" keys requires scanning your cryptographic assets for the specific structural anomalies described. Below are detection mechanisms and a remediation script to identify potentially vulnerable keys within your environment.

SIGMA Rules

The following rules detect the use of analysis tools (such as the badkeys utility) or manual inspection attempts, which indicate that a hunt is underway. The KQL query that follows them covers the creation of new RSA key files, which should be scrutinized if they were generated by potentially flawed software.

YAML
---
title: Potential Badkeys Audit Tool Execution
id: 8d4a9b12-3c5e-4f7a-9b1c-2d3e4f5a6b7c
status: experimental
description: Detects the execution of the 'badkeys' or similar cryptographic analysis scripts often used to hunt for weak keys like 'short-sleeve' RSA variants.
references:
  - https://blog.trailofbits.com/2026/06/12/factoring-short-sleeve-rsa-keys-with-polynomials/
author: Security Arsenal
date: 2026/06/12
tags:
  - attack.discovery
  - attack.t1083  # File and Directory Discovery
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    CommandLine|contains:
      - 'badkeys'
      - 'rsa-analyze'
      - 'short-sleeve-check'
  condition: selection
falsepositives:
  - Legitimate security audits by authorized personnel
level: low
---
title: Manual RSA Key Inspection Activity
id: 9e5b0c23-4d6f-5g8b-0c2d-3e4f5g6h7i8j
status: experimental
description: Detects manual inspection of RSA key moduli using OpenSSL, which may indicate a response to the 'short-sleeve' vulnerability disclosure.
references:
  - https://blog.trailofbits.com/2026/06/12/factoring-short-sleeve-rsa-keys-with-polynomials/
author: Security Arsenal
date: 2026/06/12
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    Image|endswith: '/openssl'
    CommandLine|contains:
      - 'rsa -in'
      - 'modulus'
      - '-text'
  condition: selection
falsepositives:
  - Administrative troubleshooting or certificate management
level: info

KQL (Microsoft Sentinel / Defender)

This query hunts for file creation events involving common RSA private key extensions. While this generates baseline data, the specific content check must be done via the remediation script.

KQL — Microsoft Sentinel / Defender
DeviceFileEvents
| where Timestamp >= ago(7d)
| where FileName in~ ("id_rsa", "id_dsa", "id_ecdsa", "id_ed25519", "server.key", "private.pem", "keystore.jks")
  or FolderPath has "/etc/ssh"
  or FolderPath has "/etc/ssl/private"
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FolderPath, SHA256
| summarize count() by DeviceName, FileName

Velociraptor VQL

Use this artifact to glob for common private key files on Linux endpoints. This allows for rapid collection of files that need to be fed into a cryptanalysis tool.

VQL — Velociraptor
-- Hunt for common private key file types
SELECT FullPath, Size, Mtime
FROM glob(globs=[
    '/etc/ssh/ssh_host_*',
    '/home/*/.ssh/id_*',
    '/root/.ssh/id_*',
    '/etc/ssl/private/**/*.key',
    '/etc/ssl/private/**/*.pem',
    '/var/www/**/*.key'
])
WHERE Size < 1000000 -- Limit to reasonable key sizes

Remediation Script

This Bash script scans directories for RSA keys and checks the modulus for suspicious repeating blocks of 0-bits ("00" hex) using OpenSSL. While not a replacement for the full polynomial analysis, it acts as a fast triage tool to identify candidates for the "short-sleeve" weakness.

Bash / Shell
#!/bin/bash

# Short-Sleeve RSA Key Triage Script
# Identifies RSA keys with highly repetitive '00' blocks in the modulus.
# Author: Security Arsenal
# Date: 2026-06-12

LOG_FILE="./short_sleeve_scan.log"
# Globs are left unquoted so that /home/*/.ssh expands to each user's directory.
KEY_DIRECTORIES=(/etc/ssh /etc/ssl/private /home/*/.ssh /root/.ssh /var/www)

# 'openssl rsa -modulus' prints the modulus as one continuous hex string
# (no ':' separators), so four consecutive zero bytes look like "00000000".
PATTERN="00000000"

echo "Starting Short-Sleeve RSA Key Scan..." > "$LOG_FILE"

for dir in "${KEY_DIRECTORIES[@]}"; do
    if [ -d "$dir" ]; then
        # Find common key files
        find "$dir" -type f \( -name "*.key" -o -name "*.pem" -o -name "id_rsa" -o -name "ssh_host_*" \) 2>/dev/null | while read -r keyfile; do
            # Extract the modulus once. Non-RSA keys make openssl fail (empty output),
            # and '-passin pass:' keeps encrypted keys from prompting interactively.
            # OpenSSH-native files ("BEGIN OPENSSH PRIVATE KEY") are not parsed by
            # 'openssl rsa'; export them to PEM with ssh-keygen before scanning.
            modulus=$(openssl rsa -in "$keyfile" -noout -modulus -passin pass: 2>/dev/null)
            case "$modulus" in
                Modulus=*)
                    # Check for suspicious repeated 00 blocks
                    if grep -q "$PATTERN" <<< "$modulus"; then
                        echo "[POTENTIAL VULNERABILITY] Short-sleeve pattern detected in: $keyfile" | tee -a "$LOG_FILE"
                    else
                        echo "[OK] No obvious bias in: $keyfile" >> "$LOG_FILE"
                    fi
                    ;;
            esac
        done
    fi
done

echo "Scan complete. Results saved to $LOG_FILE"
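As an added example (not the Security Arsenal script and not the badkeys tool), the following Python reads the `Modulus=` line that `openssl rsa -noout -modulus` or `openssl x509 -noout -modulus` prints and scores the zero bias of the modulus bits, which the shell grep above only approximates; since the modulus is public, certificates and public keys can be triaged this way too. The 32-bit run and 60 % zero-fraction thresholds and the sample moduli are assumptions constructed for the demo.

```python
# Zero-bias triage for RSA moduli (added example, not the page's own script).
# Input is the "Modulus=<hex>" line from openssl; thresholds are assumptions.
import hashlib

ZERO_RUN_THRESHOLD = 32         # 4 zero bytes, like the page's "00000000" grep
ZERO_FRACTION_THRESHOLD = 0.60  # a well-formed 2048-bit modulus sits near 0.50


def parse_modulus_line(line: str) -> int:
    """Turn 'Modulus=ABCD...' (openssl output) into an integer."""
    key, _, hexval = line.strip().partition("=")
    if key != "Modulus" or not hexval:
        raise ValueError("not an openssl Modulus= line")
    return int(hexval, 16)


def analyze_modulus(n: int) -> dict:
    """Compute zero-bias statistics on the binary expansion of n."""
    bits = bin(n)[2:]
    longest = run = 0
    for b in bits:
        run = run + 1 if b == "0" else 0   # length of the current zero run
        longest = max(longest, run)
    zero_fraction = bits.count("0") / len(bits)
    return {
        "bit_length": len(bits),
        "zero_fraction": round(zero_fraction, 3),
        "longest_zero_run": longest,
        "suspicious": longest >= ZERO_RUN_THRESHOLD
                      or zero_fraction >= ZERO_FRACTION_THRESHOLD,
    }


def sample_moduli() -> tuple:
    """Constructed inputs: a 2048-bit value with pseudo-random (SHA-256) bits,
    and a copy with bits 800..927 cleared to mimic a long zero 'sleeve'.
    Neither is a real RSA modulus; only the bit pattern matters here."""
    stream = b"".join(hashlib.sha256(b"demo%d" % i).digest() for i in range(8))
    healthy = int.from_bytes(stream, "big") | (1 << 2047) | 1  # top/low bit set
    biased = healthy & ~(((1 << 128) - 1) << 800)
    return healthy, biased


if __name__ == "__main__":
    for label, n in zip(("healthy", "biased"), sample_moduli()):
        print(label, analyze_modulus(n))
```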

Remediation

  1. Identify Affected Assets: Run the provided remediation script across all Linux servers, network appliances, and HSMs. Any key flagged by the script or the official badkeys tool must be treated as compromised.
  2. Key Rotation: Immediately revoke and replace all affected RSA keys. Generate new keys using a reputable, updated cryptographic library (e.g., OpenSSL 3.4+ or Libsodium) sourced from a high-entropy RNG.
  3. Certificate Revocation: If the weak key was used for a public-facing certificate (TLS/SSL), revoke the certificate via the issuing Certificate Authority and re-issue with a new key pair.
  4. Audit Generators: Identify the software, firmware, or library that generated the weak keys. Apply patches or update to a version that ensures cryptographically secure random number generation.
  5. Secrets Rotation: Assume the private key was already compromised. Rotate any secrets or credentials that were protected by the compromised key pair (e.g., VPN credentials, API tokens).