Slashdot Mirror

← Back to Stories (view on slashdot.org)

Millions of High-Security Crypto Keys Crippled by Newly Discovered Flaw (arstechnica.com)

Posted by msmash on from the security-woes dept.

Slovak and Czech researchers have found a vulnerability that leaves government and corporate encryption cards vulnerable to hackers to impersonate key owners, inject malicious code into digitally signed software, and decrypt sensitive data, reports ArsTechnica. From the report: The weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs. The five-year-old flaw is also troubling because it's located in code that complies with two internationally recognized security certification standards that are binding on many governments, contractors, and companies around the world. The code library was developed by German chipmaker Infineon and has been generating weak keys since 2012 at the latest. The flaw is the one Estonia's government obliquely referred to last month when it warned that 750,000 digital IDs issued since 2014 were vulnerable to attack. Estonian officials said they were closing the ID card public key database to prevent abuse. On Monday, officials posted this update. Last week, Microsoft, Google, and Infineon all warned how the weakness can impair the protections built into TPM products that ironically enough are designed to give an additional measure of security to high-targeted individuals and organizations.

29 of 55 comments (clear)

  1. Would using Rust have helped? by Anonymous Coward · · Score: 5, Funny

    Would using the Rust programming language have helped avoid this flaw?

    1. Re:Would using Rust have helped? by Opportunist · · Score: 1

      Indirectly, by becoming a much bigger flaw. Why bother climbing over the wall if there's a hole in it?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Would using Rust have helped? by Opportunist · · Score: 1

      Hush! You know it's like with Hastur and Beetlejuice, if you say it too often he'll come!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. Can we combine all slashdot articles? by sqorbit · · Score: 2

    Can we combine all these articles under just one title "Your Security is Flawed. You're Not Secure"?

    --
    Sent from my TARDIS
    1. Re:Can we combine all slashdot articles? by XXongo · · Score: 1

      Can we combine all these articles under just one title "Your Security is Flawed. You're Not Secure"?

      No. Because it actually does make a difference what is insecure, and how.

    2. Re:Can we combine all slashdot articles? by DontBeAMoran · · Score: 5, Funny

      Captain: What happen ?
      Mechanic: Somebody set up us the weak security.
      Operator: We get hacked.
      Captain: What !
      Operator: Main screen turn on.
      Captain: It’s you !!
      CATS: How are you gentlemen !!
      CATS: All your data are belong to us.
      CATS: You are on the way to sell your data to the highest bidder.
      Captain: What you say !!
      CATS: You have no chance to hide your personal info make your time.
      CATS: Ha ha ha ha
      Operator: Captain !!
      Captain: Take off every ‘TFA’!!
      Captain: You know what you doing.
      Captain: Move ‘MPA2’.
      Captain: For great protection.

      --
      #DeleteFacebook
  3. vindicated by mSparks43 · · Score: 1

    As much as i really _hate_ to say i told you so.

    But seriously, i told you so.

    Next up, curve 25519 and millions of apple fan boys crying into their caramel latte.

    1. Re:vindicated by hey! · · Score: 3, Insightful

      Next up, curve 25519 and millions of apple fan boys crying into their caramel latte.

      If that happens, it won't just be Apple fan boys who are put out.

      In any case, it doesn't take a math genius to predict something like this would happen with factorization. There was no breakthrough on the fundamental problem, only a discovery of a weak key choice algorithm. This is where nearly every exploit in the world comes from: not from advances in mathematics, but the discovery of sloppy implementations.

      The problem with software is that it is almost irresistibly considered finished when it looks right.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    2. Re:vindicated by hey! · · Score: 1

      Of course we can talk in general terms, but what happened here was a weak implementation was chosen because it performed well. This was a specific design decision that could have been caught in review.

      It's only after the decision was taken and incorporated into the software that it became hard to find. In fact it made the software appear better on the easier-to-observe non-functional requirement of performance.

      If software needs to robust, you need to go looking for problems. Not every application justifies the same level of effort, but I'd say high-security crypto hardware qualifies.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    3. Re: vindicated by mSparks43 · · Score: 1

      Or just maybe.
      What we have here is yet another intentionally compromised US security product.
      Like all US security products.

      Because US law prohibits the sale by US companies of security products that are not intentionally compromised.

      Which is why it was Czech and Slovak researchers that had to find it.

    4. Re: vindicated by mSparks43 · · Score: 1

      well actually, no.
      This is just yet another instance where I am not happy to be right.

      Itâ(TM)s downright depressing.
      Once upon a time the US was a beacon of hope to the world.
      Now they are little more than a gold mine for hackers and youtube hillarity over their head of state because they abandoned any pretense of secure systems because terrorists.
      So now only terrorists and rouge states have secure systems.

      Howâ(TM)s that working out for you?

    5. Re: vindicated by hey! · · Score: 1

      Infineon is a German company.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    6. Re: vindicated by mSparks43 · · Score: 1

      chip business was bought in. International Rectifier. An American company.

    7. Re: vindicated by mSparks43 · · Score: 1

      apologies. it was intel. https://www.infineon.com/cms/e...

  4. Time for a Key Audit by Anonymous Coward · · Score: 2, Informative

    If you use a Yubikey or other smart card for key generation, revoke them and generate new keys using OpenSSL. Any system relying on TPM 1.4 is also suspect. This flaw affects keys generated using Infineon smartcards. Currently 1024 bit keys are trivially broken and 2048 bit keys are broken but could cost tens of thousands of dollars in compute to crack. 3072 and 4096 bit keys are still quite safe but if regeneration is practical then you should still do it. The attack could always improve and reach them.

    1. Re:Time for a Key Audit by Allasard · · Score: 3, Informative

      Here is Yubico's statement on what features of the Yubikey 4 are affected:
      https://www.yubico.com/2017/10...

    2. Re:Time for a Key Audit by epine · · Score: 1

      The attack could always improve and reach them.

      Since there is no known crypto where an attack can't break a reduced version, this is pretty much tautologically true everywhere and always.

      I think this actually functions as a form of tipping-point porn: when some crack finally scars the low-end of what you might actually care about, however little (e.g. 1024 bits), it's declared as having broken over the New Orleans flood control system and now the water is really coming, as if the deluge hadn't started ages ago, on a misty planet where the sun is never seen.

  5. Re:Accidental Flaw or [Agency] Back Door? by Anonymous Coward · · Score: 1

    That would be a distinction without a difference, since all accidental flaws become [Agency] back doors, since they refuse to disclose them.

    It really is a great use of taxpayer money.

  6. Brought to you by Obama's NSA by Anonymous Coward · · Score: 1, Interesting

    What makes you think that any of these vulnerabilities weren't (1) already known by the various government spy associations, or (2) intentionally introduced to weaken encryption to support the endless "War on Terror"?

    "The flaw resides in the Infineon-developed RSA Library version v1.02.013, specifically within an algorithm it implements for RSA primes generation." Oh, you mean this Infineon that was working to produce libraries for the "NSA's Cryptographic Interoperability Strategy (CIS)" back in 2013?

  7. Specific details by JoshuaZ · · Score: 5, Interesting

    I'm having trouble finding the specific details. It looks like they aren't releasing all the details publicly until a conference on November 2nd https://crocs.fi.muni.cz/public/papers/rsa_ccs17 but it appears to be a problem only with RSA keys they generate and has to do with how they are generating large primes, not a fundamental flaw in RSA. This has happened before with some implementations. For example, some early RSA implementations (and occasionally some ones still today made by people who have no business programming them) would chose primes in the following way: Pick a random big odd number and check if it is prime, and if so use it. If not, add 2 and check again, keep going until you have a prime. The problem with this method is that some primes end up being much more likely to be selected than others. For example, if you are picking two digit primes then the only way this way to pick 109 is if one picked 109 on the nose, but 127 becomes much more likely to be picked because if your initial number is 121,123,125 or 127 then it gets picked. It seems like some much more subtle variant of something like this is at fault.

    1. Re:Specific details by Anonymous Coward · · Score: 2, Interesting

      I don't have any insider information either, but what they're describing sounds like Coppersmith's attack due to choosing small exponents.

    2. Re:Specific details by bill_mcgonigle · · Score: 2

      This is useful reading, even though it doesn't precisely describe the nature of the RSA key generation problem:

      https://sites.google.com/a/chr...

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re:Specific details by JoshuaZ · · Score: 3, Informative

      Because I can't count apparently. The logic does go through with 3 digits as our example though so just pretend I said that.

    4. Re:Specific details by ljw1004 · · Score: 2

      I'm having trouble finding the specific details. It looks like they aren't releasing all the details publicly until a conference on November 2nd https://crocs.fi.muni.cz/public/papers/rsa_ccs17 but it appears to be a problem only with RSA keys they generate and has to do with how they are generating large primes, not a fundamental flaw in RSA.

      Ars Technica explains more. Says it's a fault specifically with the implementation used by Infineon to generate keys, not with other more correct ways to generate keys.

      https://arstechnica.com/inform...

  8. Wrong by Anonymous Coward · · Score: 1

    "Last week, Microsoft, Google, and Infineon all warned how the weakness can impair the protections built into TPM products that ironically enough are designed to give an additional measure of security to high-targeted individuals and organizations."

    Wrong TPM and Intel's ME and other AMD equivalents are NSA backdoors. We are so fast to jump on Kaspersky's backdoor issues and just assume that American controlled companies don't have the same vulnerabilities. It may be a different natuon's spook that has access, but rest assured these "secure platforms" are just built in malware.

  9. Kiki Kripke cripples keys with her coconut by epine · · Score: 1

    And, as we all know, a crippled key cannot be trusted.

    Beware crippled keys! They might not appear to limp, but they are crippled all the same.

    (Only don't say this in front of Kripkenstein, rather than his secret Japanese wife, or he might just kill you.)

  10. Re:Not to worry, MS will fix this. by Opportunist · · Score: 1

    The only thing that bothers me is that being "fixed" by MS is usually done in the veterinary sense.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  11. Re:Accidental Flaw or [Agency] Back Door? by sabbede · · Score: 1

    It's one version of a German chipmaker's RSA library that has the flaw. I'd say the odds favor accident.

  12. Ironically? How? by sabbede · · Score: 1
    "the weakness can impair the protections built into TPM products that ironically enough are designed to give an additional measure of security"

    What the hell was ironic about that?