[Cryptography] Painted into a corner
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Wed Dec 20 09:26:13 EST 2017
Cybernetica have just released their report on the Infineon (and by extension
CC and FIPS) fiasco as it applies to the Estonian national ID card:
https://cyber.ee/en/news/cybernetica-case-study-solving-the-estonian-id-card-case/
This points out that:
The alternative was to create a solution that would bypass the vulnerability
by updating the existing cards. There is a requirement that keys must be
generated on-card and never leave the card. This is required in order to be
able to use the ID-card to give legally binding digital signatures.
So you've got a security system for which the regulations say you need to get
a FIPS and/or CC certification that's worthless in guaranteeing security, and
you can't fix it because of further regulations that say you have to use the
FIPS/CC-certified broken security.
Ouch.
What's really disturbing about this is that the solution will continue to be
FIPS/CC-certified Infineon cards, the same things that failed the last time:
Devising the concept for the solution itself was done rather quickly, mainly
due to the lack of alternatives
Peter.
More information about the cryptography
mailing list