[Cryptography] [FORGED] Response to weak RNGs in Taiwanese and Estonian digital ID cards?

[Peter Gutmann]

What I'd like to see is a response from the organistions who certified them as
secure.  I've already posted this as part of a longer message last week, but
I'll re-post it to make it an open question to both NIST and the CC labs, and
in particular it's apropos right now due to the failure of yet another must-
be-used-for-FIPS-certification RNG (up until 2016):

https://blog.cryptographyengineering.com/2017/10/23/attack-of-the-week-duhk/

(as Matt Green points out, it's been known for nearly two decades that that
generator has issues, which is why I used it as a postprocessor for the actual
RNG in my code.  So the NIST version gets certified and the actual RNG
provides the security, which is a pretty nonsensical situation to be in).

Anyway, the open questions to NIST and the CC labs:

  How could a device with multiple FIPS and CC evaluations stretching over
  many years have a broken RSA key generator, the very thing that the
  evaluation is meant to check.  You can't even get a FIPS level 1 without
  having the RSA keygen validated, so how did this happen?
  
  Will Infineon's products now be decertified like OpenSSL was?  
  
  Will there be an investigation as to how a broken product passed its FIPS
  and CC certifications multiple times to make sure this doesn't happen for
  other products?
  
  Given that the certification doesn't seem to be able to catch issues like
  this, how will we have any confidence in the keygen of other evaluated
  products?

Peter.