Stories
Slash Boxes
Comments

SoylentNews is people

posted by mrpg on Saturday November 11 2017, @08:25PM   Printer-friendly
from the isn't-it-always dept.

Submitted via IRC for SoyCow1984

A crippling flaw affecting millions—and possibly hundreds of millions—of encryption keys used in some of the highest-stakes security settings is considerably easier to exploit than originally reported, cryptographers declared over the weekend. The assessment came as Estonia abruptly suspended 760,000 national ID cards used for voting, filing taxes, and encrypting sensitive documents.

The critical weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs.

[...] One of the scenarios Bernstein and Lange presented in Sunday's post is that serious attackers can further reduce costs by buying dedicated computer gear, possibly equipped with GPU, field programmable gate array, and application-specific integrated circuit chips, which are often better suited for the types of mathematical operations used in factorization attacks. The estimates provided by the original researchers were based on the cost of renting equipment, which isn't as cost-effective when factorizing large numbers of keys. They also noted that compromising just 10 percent of cards used in country-wide voting might be enough to tip an election.

Source: Flaw crippling millions of crypto keys is worse than first disclosed


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by choose another one on Monday November 13 2017, @12:02AM

    by choose another one (515) Subscriber Badge on Monday November 13 2017, @12:02AM (#596017)

    Still not sure it's relevant - it shows the certification process is crap, but that is independent of this flaw.

    In fact in this case the obscurity was never broken, the security flaw was found by analyzing generated public keys.
    It's rather hard to do SbO with public keys because the whole point is that they are public, and flawed key generation will show in the keys that are generated...

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2