[Cryptography] Broken RNG renders gov't-issued smartcards easily hackable.
Ray Dillinger
bear at sonic.net
Fri Oct 11 13:38:20 EDT 2013
Saw this on Arstechnica today and thought I'd pass along the link.
http://arstechnica.com/security/2013/09/fatal-crypto-flaw-in-some-government-certified-smartcards-makes-forgery-a-snap/2/
More detailed version of the story available at:
https://factorable.net/paper.html
Short version: Taiwanese Government issued smartcards to citizens.
Each has a 1024 bit RSA key. The keys were created using a borked
RNG. It turns out many of the keys are broken, easily factored,
or have factors in common, and up to 0.4% of these cards in fact
provide no encryption whatsoever (RSA keys are flat out invalid,
and there is a fallback to unencrypted operation).
This is despite meeting (for some inscrutable definition of "meeting")
FIPS 140-2 Level 2 and Common Criteria standards. These standards
require steps that were clearly not done here. Yet, validation
certificates were issued.
Taiwan is now in the process of issuing a new generation of
smartcards; I hope they send the clowns who were supposed to test
the first generation a bill for that.
Bear
More information about the cryptography
mailing list