
SoylentNews is people

posted by mrpg on Saturday November 11 2017, @08:25PM
from the isn't-it-always dept.

Submitted via IRC for SoyCow1984

A crippling flaw affecting millions—and possibly hundreds of millions—of encryption keys used in some of the highest-stakes security settings is considerably easier to exploit than originally reported, cryptographers declared over the weekend. The assessment came as Estonia abruptly suspended 760,000 national ID cards used for voting, filing taxes, and encrypting sensitive documents.

The critical weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs.

[...] One of the scenarios Bernstein and Lange presented in Sunday's post is that serious attackers can further reduce costs by buying dedicated computer gear, possibly equipped with GPU, field programmable gate array, and application-specific integrated circuit chips, which are often better suited for the types of mathematical operations used in factorization attacks. The estimates provided by the original researchers were based on the cost of renting equipment, which isn't as cost-effective when factorizing large numbers of keys. They also noted that compromising just 10 percent of cards used in country-wide voting might be enough to tip an election.

Source: Flaw crippling millions of crypto keys is worse than first disclosed



 
This discussion has been archived. No new comments can be posted.
  • (Score: 5, Interesting) by Anonymous Coward on Saturday November 11 2017, @11:16PM (#595768)

    This was exactly the concern put forth when Palladium/TPM were being pushed and has been a concern regarding FIPS standards certification since the 1990s. Infineon specifically has been at the forefront of those activities so claims that this exploit was accidental rather than intentional ring hollow.

    This was a government mandated backdoor in a government mandated feature INTENDED to compromise the world's encryption integrity.

    Having successfully done so and been detected, it is time for smaller governments like Estonia to band together and produce their own fab and get trustworthy mathematicians helping to craft new standards (and attempt to break them) that are actually secure by design and produce new chips, even if they are of significantly older and cheaper process technologies, to ensure that safe and secure communications exist in the future.

    The era of the megacorps needs to end, because unless you agree with the One World Order concept, the lack of corporate diversity across the world is keeping us from ensuring technology works for us, and not for 'them' while spying on us.
