Slashdot Mirror
Flaw Crippling Millions of Crypto Keys Is Worse Than First Disclosed (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: A crippling flaw affecting millions -- and possibly hundreds of millions -- of encryption keys used in some of the highest-stakes security settings is considerably easier to exploit than originally reported, cryptographers declared over the weekend. The assessment came as Estonia abruptly suspended 760,000 national ID cards used for voting, filing taxes, and encrypting sensitive documents. The critical weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs. When researchers first disclosed the flaw three weeks ago, they estimated it would cost an attacker renting time on a commercial cloud service an average of $38 and 25 minutes to break a vulnerable 1024-bit key and $20,000 and nine days for a 2048-bit key. Organizations known to use keys vulnerable to ROCA—named for the Return of the Coppersmith Attack the factorization method is based on—have largely downplayed the severity of the weakness.
On Sunday, researchers Daniel J. Bernstein and Tanja Lange reported they developed an attack that was 25 percent more efficient than the one created by original ROCA researchers. The new attack was solely the result of Bernstein and Lange based only on the public disclosure information from October 16, which at the time omitted specifics of the factorization attack in an attempt to increase the time hackers would need to carry out real-world attacks. After creating their more efficient attack, they submitted it to the original researchers. The release last week of the original attack may help to improve attacks further and to stoke additional improvements from other researchers as well.
On Sunday, researchers Daniel J. Bernstein and Tanja Lange reported they developed an attack that was 25 percent more efficient than the one created by original ROCA researchers. The new attack was solely the result of Bernstein and Lange based only on the public disclosure information from October 16, which at the time omitted specifics of the factorization attack in an attempt to increase the time hackers would need to carry out real-world attacks. After creating their more efficient attack, they submitted it to the original researchers. The release last week of the original attack may help to improve attacks further and to stoke additional improvements from other researchers as well.
List please? Or is this going to be another one of those things?
https://www.xkcd.com/538/
Anyone want to give me a list of whose smartcards to avoid?
I know Yubikeys were recalled for this; if you have an effected key they'll ship you a new one for free. The old ones are fine, just so long as you don't use the internal key generator hardware EVER AGAIN. I plan on putting a red dot on mine with nail polish, and retiring them to emitting static passwords for my online games.
List please? Or is this going to be another one of those things?
Well, according to the authors' preprint version of the actual paper, there's quite a few software implementations of RSA-based encryption that are vulnerable - PGP among them.
If you'd prefer the authors' summary version, you'll find it here.
Check out my novel.
Estonia has online voting using these ids. It's also been heavily cyber and social attacked by neighboring Russia. So the democracy is at risk as long as they continue to allow online voting using ids with unknown flaws:
https://estoniaevoting.org/press-release/
"Estonia is the only country in the world that relies on Internet voting in a significant way for national elections. The system is currently used for Estonia’s national parliamentary elections, municipal elections and is planned to be used for the May 2014 European Parliamentary elections. In recent polls, 20-25% of voters cast their ballots online."
"In one [simulated by security experts critical of the system] attack, malware on the voter’s computer silently steals votes, despite the systems’ use of secure national ID cards and smartphone verification. A second kind of attack smuggles vote-stealing software into the tabulation server that produces the final official count. The team produced videos in which they carry out exactly the same configuration steps as election officials — but with the system under attack by a simulated state-level adversary. Everything appears normal, but the final count produces a dishonest result."
The big wake up call for them was a cyber attack by Russia in 2007:
https://en.wikipedia.org/wiki/2007_cyberattacks_on_Estonia
BTW, Trump has ignored the deadline to impose sanctions against Russia for its cyber attack, and simply hasn't implemented them.
That's not what I'm asking. I want a list of vendors to see who I might be using, but we always get the runaround on this.
What you can do is submit your public key to an online checker, like https://keytester.cryptosense.... and see if it's vulnerable.
John
HA! Neat trick!
now's a bad time to renounce my US citizenship and emmigrate to Estonia? Just want to be clear on this.
Estonia has online voting using these ids. It's also been heavily cyber and social attacked by neighboring Russia. So the democracy is at risk as long as they continue to allow online voting using ids with unknown flaws:
estoniavoting link
"Estonia is the only country in the world that relies on Internet voting in a significant way for national elections. The system is currently used for Estonia’s national parliamentary elections, municipal elections and is planned to be used for the May 2014 European Parliamentary elections. In recent polls, 20-25% of voters cast their ballots online."
"In one [simulated by security experts critical of the system] attack, malware on the voter’s computer silently steals votes, despite the systems’ use of secure national ID cards and smartphone verification. A second kind of attack smuggles vote-stealing software into the tabulation server that produces the final official count. The team produced videos in which they carry out exactly the same configuration steps as election officials — but with the system under attack by a simulated state-level adversary. Everything appears normal, but the final count produces a dishonest result."
The big wake up call for them was a cyber attack by Russia in 2007:
(wiki link)
BTW, Trump has ignored the deadline to impose sanctions against Russia for its cyber attack, and simply hasn't implemented them.
Post corected by:
-=Beau=-
HAHAHA
Which probably means ALL OF THEM.
Only models with a non-FIPS PRNG/cipher configs MIGHT be safe, although they still need to go through rigorous testing and their entropy failures may be different than the FIPS exploits.
The Clipper Chip concept is alive and well, eh?
Online voting in Estonia is inherently more secure than paper ballots, which are much easier to manipulate.
Furthermore, this form of voting is a lot unlike this black-box electronic voting sham in the U.S., which has outdated and vulnerable machines with old operating systems spread around far and wide. In many respects, Estonia has electronic voting done right.
From my understanding, the error was made by a hardware vendor who makes an encryption chip, and is present in the specialized library used with their chip. It can be loaded from software, but it's not what I'd call a "software implementation", the software is just an interface to this one vendor's hardware chip.
The list of products using this hardware chip is quite long, and I haven't seen a comprehensive list published. We can say that it's hardware-based systems, smartcards and the like, that are affected.
Of course it's also possible that developers of some pure software systems independently made the same error, separately from the reported flaw.
4M+ illegal voters on 11/8/16.
(In a very tired voice)
Evidence, please?
If you don't, you will pay for compromised security. Literally.
Nobody can believe this was an accident. Weaken the cryptography just enough that someone who is in the know can break it with some effort?
As much as I welcome Estonia's leading role in the development of democratic governance, your claim is unfortunately very, very untrue. We know that it's possible to store persistent viruses in the firmware of hard drives, let alone the possible exploits of UEFI, and the Intel ME and AMD PSP. Online voting systems are much easier to tamper on a massive scale than paper ballots, because of a lack of reliable endpoint security. All PCs are insecure, whether used with card readers or not.
All PCs are insecure, whether used with card readers or not.
That's why in Estonia you can double-check via a physically independent channel (smartphone app) that your vote reached the server correctly. Worked fine for me at the recent elections.
Full disclosure: I am in the academic crypto community, I have met Dan Bernstein and Tanja Lange countless times at seminars, conferences, etc. Posting as AC for obvious reasons.
Just to put it into perspective for the readers who don't know: Dan and Tanja are longtime partners, they have most of their work done together. Tanja is cool. Dan Bernstein, however, is totally not. He is smart, but not *that* smart, not as much as he wants people to believe anyway. And that's totally fine, at the end you have to do your best to advertise yourself and sell your expertise, everybody does it, and Dan is not one of the worst ones in this respect.
What I can't stand about this guy though is the aggressive, obsessive, and self-glorifying way he uses when discussing any possible little thing. Like, he needs to show you that he's ALWAYS right, that he's THE BEST on every possible discussion topics. You can clearly see that this poor guy was bullied hardcore as a child, and now he feels like he has to compensate his insecurities through this aggressive behavior.
Typical thing he does, as this slashdot story shows, is taking credit for any big crypto-related breakthrough, even if it does not originally come from himself. Some researcher with less PR skills than Dan come up with a clever attack that makes it into the news? Dan comes up with a *minor* improvement on that work, downplaying the importance of the first attack, and hitting all the tech news websites with glorifying headlines. Like in the case of this slashdot story. Or like when, after Marc Steven's collision attack on SHA-1, he made some minor improvements and changed his twitter handle to @hashbreaker (that was ridiculous, and I really liked Marc's response of changing his handle to @realhashbreaker lol! Dan is indeed, in a certain sense, the academic equivalent of The Donald).
There are many other examples of Dan's claiming expertise he dose not have and bashing other researchers on topic he's not an expert of. Just have a look at the IACR (almost unused) forum, or GoogleGroups related to lattice-based crypto, or Twitter, and much more. In any case, he'd NEVER admit he was wrong.
I do not comment on his involvement in the Jacob Applebaum case, because I'm not really informed, and I'm not a vigilante.
Seriously Dan, if you're reading this: take a hint! You're fine, really, you don't have to behave like this. This is not just my opinion, mind you, I have talked with many and many crypto people who think the same, and they just don't tell you because they do not want to be involved in pointless discussions with you. Can you please be nicer to people? I'm sure your career would also benefit from it.
Online voting in Estonia is inherently more secure than paper ballots, which are much easier to manipulate.
...
WUT?!?!?
"It's not the people who vote that count, it's the people who count the votes." - Josef Stalin
Get control of the counting software and you control the country, with no evidence to the contrary.
At least with paper ballots, the ballots themselves exist.
So they need to hack the app/the server talking with the app in addition.
Seriously, that's all it takes to convince you?
How would you even know if the server added the votes up correctly? Doesn't even have to be malicious.
Not to mention that the idea of checking one single vote in itself is ludicrous. What's the point of your vote being counted correctly if the remaining 99.99999% aren't? Even if he system was working and secure (and it almost certainly isn't) you'd need maybe 80% to actually do the checking for it to really be effective. And what if you have a group that secretly decides to claim their vote was miscounted? Do you just ignore any such claims (then what's the point?). Or do you intend to let any minority invalidate the election whenever they feel like it?
With paper voting, the votes are counted locally, under the eyes of anyone interested. They take notes of the results. These local results, and the results on level higher etc. are then printed in the paper. As long as you assume that the local results are checked well enough by the local people in charge you can verify the whole thing. Checking your single vote is utterly useless. The step from personally identifiable votes (which must be kept secret and thus cannot be allowed to be verified by the general public) to a reasonable aggregate (that can be published and thus secures the processing from there on up by making it publicly verifiable) is what needs to be protected, and with systems that we understand how to secure. Anything involving the word "smartphone" doesn't even qualify. If someone claims irregularities, it's either in the counting and can be addressed right there, or the claim is about the very simple step from getting the tally results from a paper there to the newspapers/main office somewhere else and is easy enough to verify as right or wrong.
Does this mean DIY free topups hacks for public transport cards, Tollway Transponder, BluRays, CableTV and more is up for grabs. Mexico cartels will be so thankful for the USA passport smartchip - now they have more options.
More stuff hat hotspot WiFi locations, people using old Ipads and the like. WooHoo.
I bet Skype is not in a hurry to fix any weaknesses,
But at least we know that Bitcoin software is not vulnerable to such errors
I got the link first through some other venue so I did read it, and he clearly states right up front what he's done, that his work was not independent, and so on. So the meat of the matter was not dishonest.
I took it as was described, as an exercise in seeing what he could come up with given the few hints the original researchers let drop, which is quite a bit, in fact. That datum is interesting (if to me not surprising), when taken as such. The breathless headline and non-story from the "copy/paste-press" (that I didn't read) notwithstanding. And yeah, I'm ignoring the tweeter shenanigans and whatnots, too.
I'm willing to ignore the shenanigans as long as he sticks to cryptography. Haven't forgiven him for qmail, djbdns, and especially not daemontools. And let's be honest here: Most of the "security" headlines are full of self-glorifying bullshitting; he manages to come up with well-argued substance moreso than the rest of the bunch, including the big name corps. Which is not to say he couldn't do better. Something to try next time, eh.
All PCs are insecure, whether used with card readers or not.
That's why in Estonia you can double-check via a physically independent channel (smartphone app) that your vote reached the server correctly. Worked fine for me at the recent elections.
Only for very loose definitions of "worked fine".
You really trust the system that counted your vote to tell you if it's lying?
It's no surprise. Dilbert's company has been farming work out to that country for years with poor results.
If the servers get compromised then it's game over. That's the same with paper ballots, if the central office is corrupt then there is no trust in the results. It is true that there needs to be some trust in the state officials; electronic voting would probably not work in some other countries where 146% voter turnout or 99% single party wins are common. But that's not the problem with paper or technology, it's the problem with the state.
For detecting that there is something fishy happening you don't need 80% coverage. Even a handful of mismatches would create a huge media storm (assuming free press) and a detailed investigation would be started. The same would happen if the election results would not resemble any pre-election predictions or polls.
Paper ballots regularly get miscounted, intentionally or unintentionally. In totalitarian countries it's also easy to fake the paper ballots, any reports would be just ignored or silenced (see e.g. http://www.nytimes.com/2012/03... ). But this would require silenced press.
Estonia is currently at the 12-th place in the press freedom index (out of 180), which is a very different situation from e.g. Russia (place 148) or even US (place 46). What works in one country may not work in another.
hacker uses a bot net not to ddos you but break keys
think 1000 bots as pcs of 1000 times less time.....think about the nsa with 1 million or 10 million less time
And he world is _flat_, damnit!
Interesting. The story states that PGP may be vulnerable, but when I put my (known good) public gpg key into the crypto sense tester it says "Sorry, this doesn't look like a valid or supported key".
So it would seem either the story is incorrect in claiming PGP keys are vulnerable, or else the tester is badly written.
#DeleteChrome
I wonder how long it's going to be until the U.S. Government or world bank, or IMF, or United Nations or Federal Reserve, etc. offer their own "solution".
Russian bot?
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
is the root cause of this.
The widely used implementation's prime picker picked from a subset of primes governed by a cleverly crafted equation.
p = k*M + (65537**a mod M), where M is known, special, and sized so that a and k are about 100 bits.
Allowed the conversion of a 512 RSA key from 256 bits of entropy to 99 bits.
And worse, the converted entropy did not increase as expected with the key size.
It almost appears optimized for easy opening of the popular key sizes of 512, 1k, 2k, 4k.
One with a tin foil hat would wonder how such a 'feature' could get into something so important.
Also, what 'features' are in other PKI's?
Ya, right. Our local Estonian Reformierakond used the ID card to cheat in elections. ...
No way a 90 or 103 year old people in "old peoples homes" can vote online in 30 seconds as the "official logs" show
No way a 90 or 103 year old people in "old peoples homes" can vote online in 30 seconds as the "official logs" show
That's an issue not with the Reform party, but with the managers of those old people's homes. And the managers of these homes are usually Soviet people (lat. homo sovieticus)
By the way, if a 93-year-old lady can drive a Tesla car, then 90-year-old people can vote online, too. So long their minds are sharp, and as long as their PIN codes are not in anyone's wrong hands.
The reason that online voting in Estona is more secure, is that votes actually cannot be manipulated by anyone, which is one of the things about i-voting that really ticks off the pro-Russia Center party.
At least with paper ballots, the ballots themselves exist.
Do they?