[Cryptography] Painted into a corner

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Dec 20 09:26:13 EST 2017


Cybernetica have just released their report on the Infineon (and by extension
CC and FIPS) fiasco as it applies to the Estonian national ID card:

https://cyber.ee/en/news/cybernetica-case-study-solving-the-estonian-id-card-case/

This points out that:

  The alternative was to create a solution that would bypass the vulnerability
  by updating the existing cards. There is a requirement that keys must be
  generated on-card and never leave the card. This is required in order to be
  able to use the ID-card to give legally binding digital signatures.

So you've got a security system for which the regulations say you need to get
a FIPS and/or CC certification that's worthless in guaranteeing security, and
you can't fix it because of further regulations that say you have to use the
FIPS/CC-certified broken security.

Ouch.

What's really disturbing about this is that the solution will continue to be
FIPS/CC-certified Infineon cards, the same things that failed the last time:

  Devising the concept for the solution itself was done rather quickly, mainly
  due to the lack of alternatives

Peter.


More information about the cryptography mailing list