Slashdot Mirror


Millions of High-Security Crypto Keys Crippled by Newly Discovered Flaw (arstechnica.com)

Slovak and Czech researchers have found a vulnerability that leaves government and corporate encryption cards vulnerable to hackers to impersonate key owners, inject malicious code into digitally signed software, and decrypt sensitive data, reports ArsTechnica. From the report: The weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs. The five-year-old flaw is also troubling because it's located in code that complies with two internationally recognized security certification standards that are binding on many governments, contractors, and companies around the world. The code library was developed by German chipmaker Infineon and has been generating weak keys since 2012 at the latest. The flaw is the one Estonia's government obliquely referred to last month when it warned that 750,000 digital IDs issued since 2014 were vulnerable to attack. Estonian officials said they were closing the ID card public key database to prevent abuse. On Monday, officials posted this update. Last week, Microsoft, Google, and Infineon all warned how the weakness can impair the protections built into TPM products that ironically enough are designed to give an additional measure of security to high-targeted individuals and organizations.

55 comments

  1. Accidental Flaw or [Agency] Back Door? by Anonymous Coward · · Score: 0

    Your guess is as good as anybody's.

    1. Re:Accidental Flaw or [Agency] Back Door? by Anonymous Coward · · Score: 1

      That would be a distinction without a difference, since all accidental flaws become [Agency] back doors, since they refuse to disclose them.

      It really is a great use of taxpayer money.

    2. Re:Accidental Flaw or [Agency] Back Door? by Anonymous Coward · · Score: 0

      Then allow me to restate.

      Accidental Flaw or Deliberately Included Back Door?

    3. Re:Accidental Flaw or [Agency] Back Door? by sabbede · · Score: 1

      It's one version of a German chipmaker's RSA library that has the flaw. I'd say the odds favor accident.

  2. Trump Platform Module by Anonymous Coward · · Score: 0

    Results
    We detected insecure key
    Key type     X509 certificate (PEM)
    Bit length     2048
    Test result     Vulnerable

    My God!  We're all gonna die!

  3. Would using Rust have helped? by Anonymous Coward · · Score: 5, Funny

    Would using the Rust programming language have helped avoid this flaw?

    1. Re:Would using Rust have helped? by Anonymous Coward · · Score: 0

      No but I'm pretty sure using APPS! would have helped. Or HOSTS files.

    2. Re:Would using Rust have helped? by Opportunist · · Score: 1

      Indirectly, by becoming a much bigger flaw. Why bother climbing over the wall if there's a hole in it?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

    3. Re:Would using Rust have helped? by Opportunist · · Score: 1

      Hush! You know it's like with Hastur and Beetlejuice, if you say it too often he'll come!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  4. Can we combine all slashdot articles? by sqorbit · · Score: 2

    Can we combine all these articles under just one title "Your Security is Flawed. You're Not Secure"?

    --
    Sent from my TARDIS

    1. Re:Can we combine all slashdot articles? by XXongo · · Score: 1

      Can we combine all these articles under just one title "Your Security is Flawed. You're Not Secure"?

      No. Because it actually does make a difference what is insecure, and how.

    2. Re:Can we combine all slashdot articles? by DontBeAMoran · · Score: 5, Funny

      Captain: What happen ?
      Mechanic: Somebody set up us the weak security.
      Operator: We get hacked.
      Captain: What !
      Operator: Main screen turn on.
      Captain: It’s you !!
      CATS: How are you gentlemen !!
      CATS: All your data are belong to us.
      CATS: You are on the way to sell your data to the highest bidder.
      Captain: What you say !!
      CATS: You have no chance to hide your personal info make your time.
      CATS: Ha ha ha ha
      Operator: Captain !!
      Captain: Take off every ‘TFA’!!
      Captain: You know what you doing.
      Captain: Move ‘MPA2’.
      Captain: For great protection.

      --
      #DeleteFacebook

  5. vindicated by mSparks43 · · Score: 1

    As much as i really _hate_ to say i told you so.

    But seriously, i told you so.

    Next up, curve 25519 and millions of apple fan boys crying into their caramel latte.

    1. Re:vindicated by Anonymous Coward · · Score: 0

      You don't hate saying "I told you so," you LOVE saying it, and do so at every single opportunity!

      And you pretend to hate it every time, too.

      There are many words in the English language for people like you, none of which are very polite.

    2. Re: vindicated by Anonymous Coward · · Score: 0

      Curve25519 ftw!

    3. Re:vindicated by hey! · · Score: 3, Insightful

      Next up, curve 25519 and millions of apple fan boys crying into their caramel latte.

      If that happens, it won't just be Apple fan boys who are put out.

      In any case, it doesn't take a math genius to predict something like this would happen with factorization. There was no breakthrough on the fundamental problem, only a discovery of a weak key choice algorithm. This is where nearly every exploit in the world comes from: not from advances in mathematics, but the discovery of sloppy implementations.

      The problem with software is that it is almost irresistibly considered finished when it looks right.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.

    4. Re:vindicated by Anonymous Coward · · Score: 0

      I think that "correct" is both a very polite and highly apt word to use to describe mSparks43.

    5. Re:vindicated by Anonymous Coward · · Score: 0

      You're right there but I rather feel that software is considered finished at two points: when it's released and then when it's been replaced with something that's demonstrably less broken.

      "Undocumented features" are built into all software ever written. You only truly know when something is unsuitable when someone shows it to be so. Of course there are times when poor coding is observable and avoidable, but there are times when it's not, too. I think it's possible to follow all good standards, implement an algorithm to the best of anyone's current ability and still, somewhere down the line, have it show a weakness or flaw that even with the best intentions and highest quality standards has slipped through the QC.

      There is no perfect implementation; just implementations that appear sufficient and have tested to be so... up until it's not.

    6. Re:vindicated by hey! · · Score: 1

      Of course we can talk in general terms, but what happened here was a weak implementation was chosen because it performed well. This was a specific design decision that could have been caught in review.

      It's only after the decision was taken and incorporated into the software that it became hard to find. In fact it made the software appear better on the easier-to-observe non-functional requirement of performance.

      If software needs to be robust, you need to go looking for problems. Not every application justifies the same level of effort, but I'd say high-security crypto hardware qualifies.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.

    7. Re: vindicated by mSparks43 · · Score: 1

      Or just maybe.
      What we have here is yet another intentionally compromised US security product.
      Like all US security products.

      Because US law prohibits the sale by US companies of security products that are not intentionally compromised.

      Which is why it was Czech and Slovak researchers that had to find it.

    8. Re: vindicated by mSparks43 · · Score: 1

      well actually, no.
      This is just yet another instance where I am not happy to be right.

      It's downright depressing.
      Once upon a time the US was a beacon of hope to the world.
      Now they are little more than a gold mine for hackers and YouTube hilarity over their head of state because they abandoned any pretense of secure systems because terrorists.
      So now only terrorists and rogue states have secure systems.

      How's that working out for you?

    9. Re: vindicated by hey! · · Score: 1

      Infineon is a German company.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.

    10. Re: vindicated by mSparks43 · · Score: 1

      chip business was bought in. International Rectifier. An American company.

    11. Re: vindicated by mSparks43 · · Score: 1

      apologies. it was intel. https://www.infineon.com/cms/e...

  6. Time for a Key Audit by Anonymous Coward · · Score: 2, Informative

    If you use a Yubikey or other smart card for key generation, revoke them and generate new keys using OpenSSL. Any system relying on TPM 1.4 is also suspect. This flaw affects keys generated using Infineon smartcards. Currently 1024 bit keys are trivially broken and 2048 bit keys are broken but could cost tens of thousands of dollars in compute to crack. 3072 and 4096 bit keys are still quite safe but if regeneration is practical then you should still do it. The attack could always improve and reach them.

    1. Re:Time for a Key Audit by Allasard · · Score: 3, Informative

      Here is Yubico's statement on what features of the Yubikey 4 are affected:
      https://www.yubico.com/2017/10...

    2. Re:Time for a Key Audit by epine · · Score: 1

      The attack could always improve and reach them.

      Since there is no known crypto where an attack can't break a reduced version, this is pretty much tautologically true everywhere and always.

      I think this actually functions as a form of tipping-point porn: when some crack finally scars the low-end of what you might actually care about, however little (e.g. 1024 bits), it's declared as having broken over the New Orleans flood control system and now the water is really coming, as if the deluge hadn't started ages ago, on a misty planet where the sun is never seen.

  7. Brought to you by Obama's NSA by Anonymous Coward · · Score: 1, Interesting

    What makes you think that any of these vulnerabilities weren't (1) already known by the various government spy associations, or (2) intentionally introduced to weaken encryption to support the endless "War on Terror"?

    "The flaw resides in the Infineon-developed RSA Library version v1.02.013, specifically within an algorithm it implements for RSA primes generation." Oh, you mean this Infineon that was working to produce libraries for the "NSA's Cryptographic Interoperability Strategy (CIS)" back in 2013?

    1. Re:Brought to you by Obama's NSA by Anonymous Coward · · Score: 0

      Brought to you by Obama's NSA

      These are the things that are used by the media industry to enforce DRM, can be used to hide malware from prying processes via curtained memory, prevent you from being able to decrypt your own data with no recourse, verify secure boot / other code signatures, the key cannot be seen nor changed by the owner, and said key may be held in escrow because it's installed at the factory and therefore the manufacturer can choose (or be forced by others) to keep copies of said keys unbeknownst to the owner.

      This doesn't require a government agency to exploit, TPMs are designed from the ground up to be insecure and a threat to the device owner / end user.

      As for the smartcards, those have similar problems. The key is embedded at manufacture, or generated on chip, but it can never be examined or replaced by the owner. The owner must "trust" that the chip's algorithm is not backdoored, and implemented correctly. There are memory type cards out there that are just storage devices, which would be far better to store a self-made key on, but most of the drivers available don't support them under anything but Windows, rendering them useless for many purposes, and far from a universal solution. (You'd be better off carrying around a thumb drive.)

      None of this crap is designed to be "secure" for the device owner / end user. They are designed to be secure for those who manufacture them.

  8. Specific details by JoshuaZ · · Score: 5, Interesting

    I'm having trouble finding the specific details. It looks like they aren't releasing all the details publicly until a conference on November 2nd https://crocs.fi.muni.cz/public/papers/rsa_ccs17 but it appears to be a problem only with RSA keys they generate and has to do with how they are generating large primes, not a fundamental flaw in RSA. This has happened before with some implementations. For example, some early RSA implementations (and occasionally some ones still today made by people who have no business programming them) would choose primes in the following way: Pick a random big odd number and check if it is prime, and if so use it. If not, add 2 and check again, keep going until you have a prime. The problem with this method is that some primes end up being much more likely to be selected than others. For example, if you are picking two digit primes then the only way this way to pick 109 is if one picked 109 on the nose, but 127 becomes much more likely to be picked because if your initial number is 121,123,125 or 127 then it gets picked. It seems like some much more subtle variant of something like this is at fault.
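    The incremental search JoshuaZ describes, as an added illustration that is not code from the Slashdot thread or from Infineon's library: it counts how many odd starting points in a range land on each prime (109 and 127 among them), so the bias is measurable rather than anecdotal, and puts an unbiased rejection sampler beside it for comparison. The range 100..999 and the `bias_ratio` helper are my own choices.

```python
"""Selection bias of 'pick a random odd start, then step by 2 until prime'.

Added example: counts, for every prime in a range, how many starting points
end up selecting it, and contrasts that with a sampler that draws a fresh
random candidate after every miss (which is uniform over the primes).
"""
import random
from collections import Counter


def is_prime(n):
    """Deterministic trial division; adequate for the small ranges used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def increment_search(start):
    """The biased method from the comment: first prime >= start, stepping by 2.
    start must be odd."""
    n = start
    while not is_prime(n):
        n += 2
    return n


def landing_counts(lo, hi):
    """Map each prime to the number of odd starting points in [lo, hi] that
    land on it. A prime's count equals half the gap to the previous prime,
    so primes after a large gap are selected far more often. Starts near hi
    may run past it and are attributed to the next prime beyond hi."""
    counts = Counter()
    for start in range(lo | 1, hi + 1, 2):
        counts[increment_search(start)] += 1
    return dict(counts)


def bias_ratio(lo, hi):
    """Most-likely / least-likely prime inside [lo, hi]; 1.0 would be uniform."""
    inside = {p: c for p, c in landing_counts(lo, hi).items() if p <= hi}
    return max(inside.values()) / min(inside.values())


def rejection_sample(lo, hi, seed=None):
    """Unbiased alternative: on a miss, draw a brand-new random odd candidate
    instead of stepping forward, so every prime in range is equally likely."""
    rng = random.Random(seed)
    while True:
        n = rng.randrange(lo | 1, hi + 1, 2)
        if is_prime(n):
            return n


if __name__ == "__main__":
    counts = landing_counts(100, 999)
    print("109 selected by", counts[109], "start(s); 127 by", counts[127])
    print("worst/best ratio over 3-digit primes:", bias_ratio(100, 999))
    print("rejection sample:", rejection_sample(100, 999, seed=7))
```

    With three-digit starts, 907 (first prime after the 20-wide gap following 887) is selected ten times as often as a twin prime such as 109; the rejection sampler has no such skew.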

    1. Re:Specific details by Anonymous Coward · · Score: 0

      For example, if you are picking two digit primes then the only way this way to pick 109 is if one picked 109 on the nose, but 127 becomes much more likely to be picked because if your initial number is 121,123,125 or 127 then it gets picked.

      Correct me if I am wrong, but if you are picking 2 digit numbers, why would you ever pick 109, or any of the others you mentioned?

    2. Re:Specific details by Anonymous Coward · · Score: 2, Interesting

      I don't have any insider information either, but what they're describing sounds like Coppersmith's attack due to choosing small exponents.

    3. Re:Specific details by Anonymous Coward · · Score: 0

      Think two hex digits.

    4. Re:Specific details by bill_mcgonigle · · Score: 2

      This is useful reading, even though it doesn't precisely describe the nature of the RSA key generation problem:

      https://sites.google.com/a/chr...

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)

    5. Re:Specific details by JoshuaZ · · Score: 3, Informative

      Because I can't count apparently. The logic does go through with 3 digits as our example though so just pretend I said that.

    6. Re:Specific details by Anonymous Coward · · Score: 0

      Or you prepend a 1 to ensure your prime is big enough.

    7. Re:Specific details by Anonymous Coward · · Score: 0

      (Same AC.) Doh, I failed to read all the words. They literally called their new attack ROCA, "Return Of Coppersmith's Attack". From reading their weak key detector, it looks like they have found a set of weak exponents, or a set of weak keys per exponent for a number of exponents, depending on how you look at it.

    8. Re:Specific details by ljw1004 · · Score: 2

      I'm having trouble finding the specific details. It looks like they aren't releasing all the details publicly until a conference on November 2nd https://crocs.fi.muni.cz/public/papers/rsa_ccs17 but it appears to be a problem only with RSA keys they generate and has to do with how they are generating large primes, not a fundamental flaw in RSA.

      Ars Technica explains more. Says it's a fault specifically with the implementation used by Infineon to generate keys, not with other more correct ways to generate keys.

      https://arstechnica.com/inform...

    9. Re:Specific details by Anonymous Coward · · Score: 0

      From the article, it says it's a coppersmith attack. So yes, the attack is possible only because of poorly chosen p's and q's.
      Looks like the library these cards are using did not run the requisite tests, and some of them produced insecure numbers.

  9. Not to worry, MS will fix this. by Anonymous Coward · · Score: 0

    They quickly fixed the WPA flaw, so they will fix this as well. They just get things done!

    1. Re:Not to worry, MS will fix this. by Opportunist · · Score: 1

      The only thing that bothers me is that being "fixed" by MS is usually done in the veterinary sense.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  10. Nope. by Anonymous Coward · · Score: 0

    It's HACKERS HACKERS HACKERS.

    The details don't matter.

  11. All vulnerable by Anonymous Coward · · Score: 0


  12. Wrong by Anonymous Coward · · Score: 1

    "Last week, Microsoft, Google, and Infineon all warned how the weakness can impair the protections built into TPM products that ironically enough are designed to give an additional measure of security to high-targeted individuals and organizations."

    Wrong. TPM and Intel's ME and other AMD equivalents are NSA backdoors. We are so fast to jump on Kaspersky's backdoor issues and just assume that American controlled companies don't have the same vulnerabilities. It may be a different nation's spook that has access, but rest assured these "secure platforms" are just built in malware.

  13. Kiki Kripke cripples keys with her coconut by epine · · Score: 1

    And, as we all know, a crippled key cannot be trusted.

    Beware crippled keys! They might not appear to limp, but they are crippled all the same.

    (Only don't say this in front of Kripkenstein, rather than his secret Japanese wife, or he might just kill you.)

  14. Hosts files protect vs. Win8-10 dnsapi.dll bug by Anonymous Coward · · Score: 0

    See subject (Win7 = unaffected) https://www.bishopfox.com/blog/2017/10/a-bug-has-no-name-multiple-heap-buffer-overflows-in-the-windows-dns-client/

    * I use hosts files combined w/ OpenDNS (patched vs. kaminsky redirect poisoning) vs. UNPATCHED remote DNS (99++% != patched)

    I turn the service for it off (too small of a buffer to contain LARGE hosts files creating CPU overuse) & use this to UP priority of hosts over local dns clientside SLOWER USERMODE dnsapi.dll + over remote unpatched DNS servers:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider]
    "DnsPriority"=dword:00000006
    "HostsPriority"=dword:00000005
    "LocalPriority"=dword:00000007
    "NetbtPriority"=dword:00000008

    (LOWER = MORE PRIORITY)

    APK

    P.S.=> APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/ ... apk

  15. How about local dnscache usermode service? by Anonymous Coward · · Score: 0

    Was the local dnscache SLOW usermode service (dnsapi.dll) patched? Not to worry & how/why IF not https://it.slashdot.org/comments.pl?sid=11242545&cid=55379275/ I have a solution that works for more speed, security, reliability & anonymity there in that link.

    APK

    P.S.=> "Pats self on back"... apk

  16. Re:Hosts files protect vs. Win8-10 dnsapi.dll bug by Anonymous Coward · · Score: 0

    Linux version please...

  17. Ironically? How? by sabbede · · Score: 1

    "the weakness can impair the protections built into TPM products that ironically enough are designed to give an additional measure of security"

    What the hell was ironic about that?

  18. Always a pleasure seeing you "RUN, Forrest" by Anonymous Coward · · Score: 0

    See subject & a fair challenge from me to you to show you've done better (& you did a "Run, Forrest: RUN!!!") https://science.slashdot.org/comments.pl?sid=9818817&cid=53162837/ as you have ZERO to show for yourself obviously!

    * Well, "surprise, surprise" - you were trolling me or talking behind my back there too just as you are now (to your public dismay)...

    APK

    P.S.=> Shouldn't do that "Opportunist" (another ARSTECHNICA underachiever who trolls by FAKE NAMES for your FAKE LIE OF A LIFE) - it always backfires on you (not that you care - you're used to life backfiring on you as are all "your kind", lol)... apk

  19. That's a "mixed bag" from me & why... apk by Anonymous Coward · · Score: 0

    I could fairly easily port it to Linux (as the latest Delphi will do Linux again as it used to in Kylix) but I am not in the habit of helping "the competition"... lol!

    * Only things to port (that aren't ready) would be drive letters vs. mounted devices (easy), WinSocket2 vs. std. *NIX sockets (already doable), & that's really about it...

    APK

    P.S.=> Don't get me wrong though - I actually LIKE & have used Linux (for years @ a time over Windows, longest was 2010 & it was pretty good, far cry from 1st time I tried it when it wouldn't do "X" w/ the vidcard I had then, Diamond Stealth 24 iirc - that was Slackware 1.02 iirc, in 1994) - but I am a Windows fan & made my career off of it - Linux's BIGGEST SHORTCOMING is applications vs. Windows & yes, I am helping to keep it that way (you can do shell scripts, takes about 14++ *NIX commands to do what my program does in Windows in 1 package in GUI though (you'd be stuck in shellscripts))... apk