Millions of High-Security Crypto Keys Crippled by Newly Discovered Flaw

Slovak and Czech researchers have found a vulnerability that leaves government and corporate encryption cards vulnerable to hackers to impersonate key owners, inject malicious code into digitally signed software, and decrypt sensitive data, reports ArsTechnica. From the report: The weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs. The five-year-old flaw is also troubling because it's located in code that complies with two internationally recognized security certification standards that are binding on many governments, contractors, and companies around the world. The code library was developed by German chipmaker Infineon and has been generating weak keys since 2012 at the latest. The flaw is the one Estonia's government obliquely referred to last month when it warned that 750,000 digital IDs issued since 2014 were vulnerable to attack. Estonian officials said they were closing the ID card public key database to prevent abuse. On Monday, officials posted this update. Last week, Microsoft, Google, and Infineon all warned how the weakness can impair the protections built into TPM products that ironically enough are designed to give an additional measure of security to high-targeted individuals and organizations.

Brought to you by Obama's NSA

What makes you think that any of these vulnerabilities weren't (1) already known by the various government spy associations, or (2) intentionally introduced to weaken encryption to support the endless "War on Terror"?

"The flaw resides in the Infineon-developed RSA Library version v1.02.013, specifically within an algorithm it implements for RSA primes generation." Oh, you mean this Infineon that was working to produce libraries for the "NSA's Cryptographic Interoperability Strategy (CIS)" back in 2013?

Specific details

[JoshuaZ]

I'm having trouble finding the specific details. It looks like they aren't releasing all the details publicly until a conference on November 2nd https://crocs.fi.muni.cz/public/papers/rsa_ccs17 but it appears to be a problem only with RSA keys they generate and has to do with how they are generating large primes, not a fundamental flaw in RSA. This has happened before with some implementations. For example, some early RSA implementations (and occasionally some ones still today made by people who have no business programming them) would chose primes in the following way: Pick a random big odd number and check if it is prime, and if so use it. If not, add 2 and check again, keep going until you have a prime. The problem with this method is that some primes end up being much more likely to be selected than others. For example, if you are picking two digit primes then the only way this way to pick 109 is if one picked 109 on the nose, but 127 becomes much more likely to be picked because if your initial number is 121,123,125 or 127 then it gets picked. It seems like some much more subtle variant of something like this is at fault.

Re:Specific details

I don't have any insider information either, but what they're describing sounds like Coppersmith's attack due to choosing small exponents.