[Cryptography] [FORGED] Response to weak RNGs in Taiwanese and Estonian digital ID cards?

Ondrej Mikle ondrej.mikle at gmail.com
Thu Oct 26 17:49:12 EDT 2017

On 10/25/2017 03:28 AM, Peter Gutmann wrote:
> What I'd like to see is a response from the organistions who certified them as
> secure.  I've already posted this as part of a longer message last week, but
> I'll re-post it to make it an open question to both NIST and the CC labs, and
> in particular it's apropos right now due to the failure of yet another must-
> be-used-for-FIPS-certification RNG (up until 2016):
> https://blog.cryptographyengineering.com/2017/10/23/attack-of-the-week-duhk/
> (as Matt Green points out, it's been known for nearly two decades that that
> generator has issues, which is why I used it as a postprocessor for the actual
> RNG in my code.  So the NIST version gets certified and the actual RNG
> provides the security, which is a pretty nonsensical situation to be in).

As far as I know the RNG in the Infineon cards of Slovak and Estonian IDs is
different that the ANSI X9.31 generator described in Matthew Green's article.
Can't be yet 100% sure since the paper will appear in November.

Also I am not sure if similar mass RNG failure first appeared in routers that
was cracked with batch GCD (https://factorable.net/weakkeys12.extended.pdf).
Then the Taiwanese RNG fault was published (also batch GCD, then Coppersmith).

The attack on Slovak and Estonian IDs I think only uses Coppersmith, although
one of their test sites on their page does the GCD against known factors - but
that tast marked tested all keys I tested as secure - whereas the test by the
ROCA's authors marked them as insecure.

Can a RNG fault of this type be tested beforehand? Here we currently miss how
they know the algorithm that was used in the Infineon RNG, which will probably
provide the answer.


More information about the cryptography mailing list