
SoylentNews is people

posted by mrpg on Saturday November 11 2017, @08:25PM
from the isn't-it-always dept.

Submitted via IRC for SoyCow1984

A crippling flaw affecting millions—and possibly hundreds of millions—of encryption keys used in some of the highest-stakes security settings is considerably easier to exploit than originally reported, cryptographers declared over the weekend. The assessment came as Estonia abruptly suspended 760,000 national ID cards used for voting, filing taxes, and encrypting sensitive documents.

The critical weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs.

[...] One of the scenarios Bernstein and Lange presented in Sunday's post is that serious attackers can further reduce costs by buying dedicated computer gear, possibly equipped with GPU, field programmable gate array, and application-specific integrated circuit chips, which are often better suited for the types of mathematical operations used in factorization attacks. The estimates provided by the original researchers were based on the cost of renting equipment, which isn't as cost-effective when factorizing large numbers of keys. They also noted that compromising just 10 percent of cards used in country-wide voting might be enough to tip an election.

Source: Flaw crippling millions of crypto keys is worse than first disclosed


  • (Score: 0, Troll) by Ethanol-fueled on Saturday November 11 2017, @09:22PM (9 children)

    by Ethanol-fueled (2792) on Saturday November 11 2017, @09:22PM (#595735) Homepage

    Why did Soylentnews reject my submission? [soylentnews.org] I'm being oppressed! I am a victim of Soylentnews' oppressionhood! White Privilege!

    • (Score: 2, Informative) by Anonymous Coward on Saturday November 11 2017, @09:36PM (2 children)

      by Anonymous Coward on Saturday November 11 2017, @09:36PM (#595737)

      Get fukt and put it in your journal, asswipe

      ~ takyon eating ramen and about to watch thor ragnarok

      • (Score: 0) by Anonymous Coward on Saturday November 11 2017, @09:39PM (1 child)

        by Anonymous Coward on Saturday November 11 2017, @09:39PM (#595740)

        Unauthorized User! Access Denied!

    • (Score: 2, Informative) by Anonymous Coward on Saturday November 11 2017, @09:37PM

      by Anonymous Coward on Saturday November 11 2017, @09:37PM (#595739)

I guess we just discovered who "maroon" was named after. Fitting it is a darker color.

      Say, don't you claim Latino heritage? Much oppression fake news!!

    • (Score: 1, Troll) by RamiK on Saturday November 11 2017, @10:04PM (3 children)

      by RamiK (1813) on Saturday November 11 2017, @10:04PM (#595742)

      Clearly, the cabal of the Gayniggers from Outer Space and the Asian Israelite Trekkies are covering up their plot to kill all white women and make sex-slaves of all Christian white men.

      To arms!

      --
      compiling...
      • (Score: 0) by Anonymous Coward on Saturday November 11 2017, @10:58PM (1 child)

        by Anonymous Coward on Saturday November 11 2017, @10:58PM (#595762)

        And kill all the white men?

        Are you *SURE*?

      • (Score: 1, Funny) by Anonymous Coward on Saturday November 11 2017, @11:42PM

        by Anonymous Coward on Saturday November 11 2017, @11:42PM (#595771)

uh hey can I have a few of these extra white women? if you want to keep my stamina up, i need some other source material. i mean how can we make more slaves unless the space aliens actually pop out adult males as part of their survival strategy?

    • (Score: 1, Touché) by Anonymous Coward on Sunday November 12 2017, @12:01AM

      by Anonymous Coward on Sunday November 12 2017, @12:01AM (#595778)

      Why did Soylentnews reject my submission

      Because, unlike you, SN has some standards?

  • (Score: 3, Insightful) by DBCubix on Saturday November 11 2017, @10:10PM (3 children)

    by DBCubix (553) Subscriber Badge on Saturday November 11 2017, @10:10PM (#595743)

    The summary doesn't state which crypto algorithm is vulnerable. That would be useful to know for those not feeling like RTFA.

    • (Score: 5, Informative) by zocalo on Saturday November 11 2017, @10:21PM (2 children)

      by zocalo (302) on Saturday November 11 2017, @10:21PM (#595747)
It's a problem with RSA key generation, apparently as a result of a bad implementation of the RSA algorithm in a code library produced by Infineon rather than a more general flaw in the RSA algorithm proper. Most of the early stories seem to single out the Estonian national ID cards, but it now appears that the problem is *much* more widespread and impacts a huge range of more general purpose smartcards including those used for 2FA and physical access control systems.
      --
      UNIX? They're not even circumcised! Savages!
      • (Score: 5, Informative) by RamiK on Saturday November 11 2017, @10:24PM

        by RamiK (1813) on Saturday November 11 2017, @10:24PM (#595748)
        --
        compiling...
      • (Score: 5, Interesting) by Anonymous Coward on Saturday November 11 2017, @11:16PM

        by Anonymous Coward on Saturday November 11 2017, @11:16PM (#595768)

        This was exactly the concern put forth when Palladium/TPM were being pushed and has been a concern regarding FIPS standards certification since the 1990s. Infineon specifically has been at the forefront of those activities so claims that this exploit was accidental rather than intentional ring hollow.

        This was a government mandated backdoor in a government mandated feature INTENDED to compromise the world's encryption integrity.

Having successfully done so and been detected, it is time for smaller governments like Estonia to band together and produce their own fab and get trustworthy mathematicians helping to craft new standards (and attempt to break them) that are actually secure by design and produce new chips, even if they are of significantly older and cheaper process technologies, to ensure that safe and secure communications exist in the future.

        The era of the megacorps needs to end, because unless you agree with the One World Order concept, the lack of corporate diversity across the world is keeping us from ensuring technology works for us, and not for 'them' while spying on us.

  • (Score: 0) by Anonymous Coward on Sunday November 12 2017, @03:11AM

    by Anonymous Coward on Sunday November 12 2017, @03:11AM (#595832)

    A list https://gist.github.com/hannob/ad37d9e9e3cbf3b89bc0a8fc80cb9475 [github.com]
    and Spain DNI (ID card, now with chip too) is also "on hold", key pair needs to be regenerated, card still valid as in old times of glued photo to specially printed card. http://www.elperiodico.com/es/sociedad/20171109/desactivada-la-firma-digital-de-los-dni-2015-posibles-fallos-de-seguridad-6412261 [elperiodico.com]

  • (Score: 0) by Anonymous Coward on Sunday November 12 2017, @04:43AM (6 children)

    by Anonymous Coward on Sunday November 12 2017, @04:43AM (#595841)

"The critical weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion." so all public key encryption... well that either sucks or it's a FUD lie

    help me out I cannot tell the difference anymore

    • (Score: 3, Informative) by JNCF on Sunday November 12 2017, @05:44AM (5 children)

      by JNCF (4317) on Sunday November 12 2017, @05:44AM (#595843) Journal

      any vulnerable key

      Emphasis added, obviously. Read this as "any key that is affected, but not those keys which are not affected." There is discussion in the comments above about what is affected (a specific implementation of RSA).

      • (Score: 3, Interesting) by choose another one on Sunday November 12 2017, @11:03AM (4 children)

        by choose another one (515) Subscriber Badge on Sunday November 12 2017, @11:03AM (#595880)

        It isn't even the implementation of RSA really, it is the generation of the keys in the first place.

        The keys are supposed to be generated from a pair of (really big) prime numbers, _random_ prime numbers. They are supposed to be extremely hard to guess/calculate from the public key information (which includes the product of the primes).

        Some complete and utter moron decided that generating random large prime numbers was too "hard" so they would instead generate them from a formula (with a couple of much smaller random numbers as input). Turns out that when the primes come from a particular formula it is a lot easier to find what they are given the product, I mean gee who'd have thought...

        This is very roughly like your bank saying "you need to choose and remember a six digit pin, this might be hard, so we've mandated that your pin is the date-of-birth of an immediate family member, please choose your family member randomly to be secure".

        I mean, what could possibly go wrong...

        • (Score: 3, Interesting) by maxwell demon on Sunday November 12 2017, @02:49PM (3 children)

          by maxwell demon (1608) on Sunday November 12 2017, @02:49PM (#595904) Journal

          No, your hypothetical bank scenario is more secure because you would have to know the birth dates of the individual's relatives. A better analogy would be for the PIN to be derived from the street address of one of the bank's branches.

          --
          The Tao of math: The numbers you can count are not the real numbers.
          • (Score: 2) by choose another one on Sunday November 12 2017, @09:14PM (2 children)

            by choose another one (515) Subscriber Badge on Sunday November 12 2017, @09:14PM (#595993)

            Nah, street address of a branch is not memorable (most know _where_ their bank is, but not the address) and isn't immutable either, plus when the bank closes the branch your PIN becomes invalid...

            Dates-of-birth on the other hand are both immutable and discoverable with realistic searching effort using public data - pretty much like the vulnerable key primes in fact :-)

            • (Score: 2) by maxwell demon on Sunday November 12 2017, @09:21PM (1 child)

              by maxwell demon (1608) on Sunday November 12 2017, @09:21PM (#595994) Journal

I apparently did not get my point across: The birth date of a family member is dependent on the person. So if you do not know what person that PIN belongs to, you have no chance to guess the birth date of that person's closest relative. But in this flaw, the list of primes to be chosen from is the same for everyone. So you need to have one list and can break the keys of everyone without further research.

              And memorability doesn't matter in this analogy.

              --
              The Tao of math: The numbers you can count are not the real numbers.
              • (Score: 2) by choose another one on Sunday November 12 2017, @11:36PM

                by choose another one (515) Subscriber Badge on Sunday November 12 2017, @11:36PM (#596014)

                The PIN secures against card loss, if you have the card then you have the name - it's on the card. Also if you nicked the whole wallet, you probably also have other ID information to uniquely ID the person (names are not unique, although as it happens, just the name, initial and country will do it in my case). That is one reason you aren't supposed to use your own birthday as PIN (although bizarrely my bank used to let you _reset_ online banking password/pin with just the details on the card + DOB - even the banks aren't immune to stupid :-( ).

                Anyway, seems we're all agreed that they're all dumb ideas.

                So you need to have one list and can break the keys of everyone

                It is still a long list to search, probably unfeasibly large for a rainbow table, so breaking everyone is not the problem. What is feasible is breaking a given vulnerable key, with people estimating the compute cost of factoring a vulnerable 2048 bit key may be $1000.

  • (Score: 0) by Anonymous Coward on Sunday November 12 2017, @10:52AM (5 children)

    by Anonymous Coward on Sunday November 12 2017, @10:52AM (#595876)

    Security by obscurity does not work!

    • (Score: 0) by Anonymous Coward on Sunday November 12 2017, @12:04PM (2 children)

      by Anonymous Coward on Sunday November 12 2017, @12:04PM (#595884)

      Sure it does. You just don't know it exists :^)

      • (Score: 1, Interesting) by Anonymous Coward on Sunday November 12 2017, @03:16PM (1 child)

        by Anonymous Coward on Sunday November 12 2017, @03:16PM (#595907)

        This was a case of a company advertising that the entropy in their keys was on the order of 2**512, when in fact it was on the order of 2**100.

        They used obscurity to hide this fraud, and this obscurity was the main thing providing security.
        Except that it did not provide security from those with knowledge of the fraud.

        The interesting question is how did this get into such a widely used product.
        Was it incompetence or by design?
        Who built it and who reviewed it?
        Where else could this have happened?

        • (Score: 2) by choose another one on Sunday November 12 2017, @09:40PM

          by choose another one (515) Subscriber Badge on Sunday November 12 2017, @09:40PM (#596001)

          Was it incompetence or by design?

Why does it have to be "or", seriously?

          Who built it and who reviewed it?

          The most dangerous type of idiot - one who has far too much confidence and no idea of the limits of his/her knowledge and capability.
          The type of idiot who hasn't read and understood a single basic article on the importance of random number generation in crypto yet thinks they are competent to implement shortcuts in crypto implementations to speed them up.

          The type of idiot who can convince themselves, and others, that they can calculate a significant saving in shoe leather from walking directly across the train tracks rather than up the steps to the bridge and down the other side, and is then surprised (very briefly) to get hit by a train.

          Where else could this have happened?

          Anywhere. Sadly. See https://xkcd.com/221/ [xkcd.com] - you think Randall doesn't get inspiration from real life?

    • (Score: 2) by FatPhil on Sunday November 12 2017, @10:33PM (1 child)

      by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Sunday November 12 2017, @10:33PM (#596009) Homepage
      I was wondering where SbO was relevant, but I found this quote via DJB's analysis: "The certification process counter-intuitively "rewards" the secrecy of design by additional certification "points" when an implementation is difficult for potential attackers to obtain—thus favoring security by obscurity."
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 2) by choose another one on Monday November 13 2017, @12:02AM

        by choose another one (515) Subscriber Badge on Monday November 13 2017, @12:02AM (#596017)

        Still not sure it's relevant - it shows the certification process is crap, but that is independent of this flaw.

        In fact in this case the obscurity was never broken, the security flaw was found by analyzing generated public keys.
        It's rather hard to do SbO with public keys because the whole point is that they are public, and flawed key generation will show in the keys that are generated...
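The two technical points made in this thread, that the affected primes come from a formula with only a couple of small random inputs (the "choose another one" comment above) and that the defect is visible in the public keys themselves (the comment directly above), as an added Python example. This is not code from the page, from Infineon, or from the ROCA authors. It assumes the prime structure published in the ROCA paper (Nemec et al., CCS 2017): every affected prime has the form p = k*M + (65537^a mod M), with M the product of the first 39 primes for 512-bit keys. The toy generator, the Miller-Rabin test, the 256-bit prime size and the RNG seed are my own choices and are not the real library's code.

```python
import math
import random
from functools import reduce

# Base of the structured generator (ROCA paper): p = k*M + (65537^a mod M), M a primorial.
GENERATOR = 65537


def first_primes(n):
    """The first n primes, by trial division (n is small here)."""
    primes, c = [], 2
    while len(primes) < n:
        if all(c % p for p in primes):
            primes.append(c)
        c += 1
    return primes


def primorial(n):
    """M = product of the first n primes; the paper uses n = 39 for 512-bit keys."""
    return math.prod(first_primes(n))


def order_mod(r):
    """Multiplicative order of 65537 modulo a small prime r, by brute force."""
    x, k = GENERATOR % r, 1
    while x != 1:
        x, k = (x * GENERATOR) % r, k + 1
    return k


def generator_order(n):
    """Order of 65537 in (Z/MZ)*: how many distinct residues mod M a flawed prime can have."""
    return reduce(lambda a, b: a * b // math.gcd(a, b), (order_mod(r) for r in first_primes(n)), 1)


def residues_mod(r):
    """The subgroup {65537^i mod r}. A flawed N = p*q lands in it for every prime r dividing M."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * GENERATOR) % r
    return seen


def has_roca_fingerprint(n, num_primes=39):
    """Public-key-only test: N mod r in <65537> for every small prime r dividing M.
    The structure of the private primes survives multiplication, so it shows in N."""
    return all(n % r in residues_mod(r) for r in first_primes(num_primes))


def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin with bases drawn from rng (deterministic for a seeded rng)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def flawed_prime(bits, num_primes, rng):
    """Toy version of the structured generator. Only a (bounded by the small group order)
    and k (about bits - log2(M) bits) are random, so p has far less entropy than its size."""
    M, order = primorial(num_primes), generator_order(num_primes)
    lo, hi = (1 << (bits - 1)) // M + 1, (1 << bits) // M  # keeps p at exactly `bits` bits
    while True:
        p = rng.randrange(lo, hi) * M + pow(GENERATOR, rng.randrange(order), M)
        if is_probable_prime(p, rng):
            return p


def random_prime(bits, rng):
    """What the generator should do: uniformly random odd candidates, tested for primality."""
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c, rng):
            return c


def make_modulus(bits, rng, flawed, num_primes=39):
    """RSA modulus N = p*q with `bits`-bit primes from either generator."""
    gen = (lambda: flawed_prime(bits, num_primes, rng)) if flawed else (lambda: random_prime(bits, rng))
    return gen() * gen()


def demo(seed=2017, bits=256, num_primes=39):
    """One flawed and one properly generated modulus from a seeded RNG, both fingerprinted."""
    rng = random.Random(seed)  # constructed, reproducible input
    flawed_n = make_modulus(bits, rng, True, num_primes)
    random_n = make_modulus(bits, rng, False, num_primes)
    return {"flawed": has_roca_fingerprint(flawed_n, num_primes),
            "random": has_roca_fingerprint(random_n, num_primes),
            "n_bits": flawed_n.bit_length()}


if __name__ == "__main__":
    M = primorial(39)
    print(f"M: {M.bit_length()} bits; 65537 has order of {generator_order(39).bit_length()} bits mod M")
    print(demo())
```

`generator_order(39)` is the size of the space the exponent a is drawn from; for this M it is roughly 62 bits (the figure given in the ROCA paper), against an M of about 219 bits, which is the entropy gap the "2**512 versus 2**100" comment above is getting at. The membership test in `has_roca_fingerprint` is the same check the public ROCA detection tools run over certificates and PGP keys: it never touches any secret, exactly as the last comment says. Recovering the private key from a flagged modulus is a separate Coppersmith-style lattice attack that this example does not implement.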
