Slashdot is powered by your submissions, so send in your scoop


Forgot your password?
Encryption Security Digital Privacy

Flaw Crippling Millions of Crypto Keys Is Worse Than First Disclosed ( 76

An anonymous reader quotes a report from Ars Technica: A crippling flaw affecting millions -- and possibly hundreds of millions -- of encryption keys used in some of the highest-stakes security settings is considerably easier to exploit than originally reported, cryptographers declared over the weekend. The assessment came as Estonia abruptly suspended 760,000 national ID cards used for voting, filing taxes, and encrypting sensitive documents. The critical weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs. When researchers first disclosed the flaw three weeks ago, they estimated it would cost an attacker renting time on a commercial cloud service an average of $38 and 25 minutes to break a vulnerable 1024-bit key and $20,000 and nine days for a 2048-bit key. Organizations known to use keys vulnerable to ROCA—named for the Return of the Coppersmith Attack the factorization method is based on—have largely downplayed the severity of the weakness.

On Sunday, researchers Daniel J. Bernstein and Tanja Lange reported they developed an attack that was 25 percent more efficient than the one created by original ROCA researchers. The new attack was solely the result of Bernstein and Lange based only on the public disclosure information from October 16, which at the time omitted specifics of the factorization attack in an attempt to increase the time hackers would need to carry out real-world attacks. After creating their more efficient attack, they submitted it to the original researchers. The release last week of the original attack may help to improve attacks further and to stoke additional improvements from other researchers as well.

This discussion has been archived. No new comments can be posted.

Flaw Crippling Millions of Crypto Keys Is Worse Than First Disclosed

Comments Filter:
  • by Anonymous Coward
  • Effected Vendors? (Score:4, Interesting)

    by Chrontius ( 654879 ) on Wednesday November 08, 2017 @12:04AM (#55511509)
    Anyone want to give me a list of whose smartcards to avoid?

    I know Yubikeys were recalled for this; if you have an effected key they'll ship you a new one for free. The old ones are fine, just so long as you don't use the internal key generator hardware EVER AGAIN. I plan on putting a red dot on mine with nail polish, and retiring them to emitting static passwords for my online games.
    • Re: (Score:3, Interesting)

      by Anonymous Coward

      "The issue weakens the strength of on-chip RSA key generation and affects some use cases for the Personal Identity Verification (PIV) smart card and OpenPGP functionality of the YubiKey 4 platform. Other functions of the YubiKey 4, including PIV Smart Cards with ECC keys, FIDO U2F, Yubico OTP, and OATH functions, are not affected. YubiKey NEO and FIDO U2F Security Key are not impacted."

      Quoted from Yubico's security advisory. I think you're over reacting if you're thinking of, "retiring them to emitting stat

      • Actually, I don't have much need for certificate-bearing smartcard emulators; on the contrary, I do need rather a lot of static-password emitting devices.
    • by Anonymous Coward

      Effected Vendors? Do you mean the vendors that are doing something about this?

      Effected key? Do you mean a key that is doing something?

      If that's what you mean, then your post makes no sense. If it's not what you mean then you're using the wrong word. Try this one instead: Affected.

    • Doesn't affect U2F, which is good because I leaned on U2F in my campaign and "the primary manufacture of X screwed it up somehow" creates annoyance. Conceptually, I designed my approach to handle this kind of thing: it's not a government-issue token, you can replace it with something else, and the whole thing is regulation-driven and should be based on NIST publications of what's latest-recommendation; politically, people like inflating flaws.

      Even if it did affect U2F, as you say, you can replace it wi

  • by Anonymous Coward on Wednesday November 08, 2017 @12:07AM (#55511519)

    Estonia has online voting using these ids. It's also been heavily cyber and social attacked by neighboring Russia. So the democracy is at risk as long as they continue to allow online voting using ids with unknown flaws:

    "Estonia is the only country in the world that relies on Internet voting in a significant way for national elections. The system is currently used for Estonia’s national parliamentary elections, municipal elections and is planned to be used for the May 2014 European Parliamentary elections. In recent polls, 20-25% of voters cast their ballots online."

    "In one [simulated by security experts critical of the system] attack, malware on the voter’s computer silently steals votes, despite the systems’ use of secure national ID cards and smartphone verification. A second kind of attack smuggles vote-stealing software into the tabulation server that produces the final official count. The team produced videos in which they carry out exactly the same configuration steps as election officials — but with the system under attack by a simulated state-level adversary. Everything appears normal, but the final count produces a dishonest result."

    The big wake up call for them was a cyber attack by Russia in 2007:

    BTW, Trump has ignored the deadline to impose sanctions against Russia for its cyber attack, and simply hasn't implemented them.

    • by Anonymous Coward

      Russia also kicked my dog.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Count yourself lucky. The Chinese would have eaten it!

    • Why does Estonia need voter ID to ensure the integrity of its elections? That shit is a racist dog whistle. We just had a successful election in Virginia yesterday with no voter ID. How does this get modded up? (baffled)
  • by Anonymous Coward on Wednesday November 08, 2017 @06:28AM (#55512289)

    Full disclosure: I am in the academic crypto community, I have met Dan Bernstein and Tanja Lange countless times at seminars, conferences, etc. Posting as AC for obvious reasons.

    Just to put it into perspective for the readers who don't know: Dan and Tanja are longtime partners, they have most of their work done together. Tanja is cool. Dan Bernstein, however, is totally not. He is smart, but not *that* smart, not as much as he wants people to believe anyway. And that's totally fine, at the end you have to do your best to advertise yourself and sell your expertise, everybody does it, and Dan is not one of the worst ones in this respect.

    What I can't stand about this guy though is the aggressive, obsessive, and self-glorifying way he uses when discussing any possible little thing. Like, he needs to show you that he's ALWAYS right, that he's THE BEST on every possible discussion topics. You can clearly see that this poor guy was bullied hardcore as a child, and now he feels like he has to compensate his insecurities through this aggressive behavior.

    Typical thing he does, as this slashdot story shows, is taking credit for any big crypto-related breakthrough, even if it does not originally come from himself. Some researcher with less PR skills than Dan come up with a clever attack that makes it into the news? Dan comes up with a *minor* improvement on that work, downplaying the importance of the first attack, and hitting all the tech news websites with glorifying headlines. Like in the case of this slashdot story. Or like when, after Marc Steven's collision attack on SHA-1, he made some minor improvements and changed his twitter handle to @hashbreaker (that was ridiculous, and I really liked Marc's response of changing his handle to @realhashbreaker lol! Dan is indeed, in a certain sense, the academic equivalent of The Donald).

    There are many other examples of Dan's claiming expertise he dose not have and bashing other researchers on topic he's not an expert of. Just have a look at the IACR (almost unused) forum, or GoogleGroups related to lattice-based crypto, or Twitter, and much more. In any case, he'd NEVER admit he was wrong.

    I do not comment on his involvement in the Jacob Applebaum case, because I'm not really informed, and I'm not a vigilante.

    Seriously Dan, if you're reading this: take a hint! You're fine, really, you don't have to behave like this. This is not just my opinion, mind you, I have talked with many and many crypto people who think the same, and they just don't tell you because they do not want to be involved in pointless discussions with you. Can you please be nicer to people? I'm sure your career would also benefit from it.

    • by Anonymous Coward

      I got the link first through some other venue so I did read it, and he clearly states right up front what he's done, that his work was not independent, and so on. So the meat of the matter was not dishonest.

      I took it as was described, as an exercise in seeing what he could come up with given the few hints the original researchers let drop, which is quite a bit, in fact. That datum is interesting (if to me not surprising), when taken as such. The breathless headline and non-story from the "copy/paste-press"

"No, no, I don't mind being called the smartest man in the world. I just wish it wasn't this one." -- Adrian Veidt/Ozymandias, WATCHMEN