[Cryptography] Response to weak RNGs in Taiwanese and Estonian digital ID cards?

Ondrej Mikle ondrej.mikle at gmail.com
Mon Oct 30 17:23:29 EDT 2017

On 10/27/2017 01:53 AM, Peter Gutmann wrote:
> Ondrej Mikle <ondrej.mikle at gmail.com> writes:
>> As far as I know the RNG in the Infineon cards of Slovak and Estonian IDs is
> different than the ANSI X9.31 generator described in Matthew Green's article.
> Ah, you need to distinguish between the X9.31 RSA keygen and the X9.31 RNG,
> which is just the X9.17 RNG recycled.  Matt Green's work attacked the X9.31
> RNG (I prefer to think of it as the X9.17 RNG, which is what it really is, and
> in the context of wholesale banking key management it's perfectly adequate,
> pointing out the dangers of cargo cult security design), while the ROCA
> weakness presumably targeted the X9.31 RSA keygen.

The PDF of ROCA is finally available and the RNG in question is on page 3 of the
PDF. Does not look like the ANSI RNGs, though it's unlike any RNG I've seen so far.

Link: https://dl.acm.org/citation.cfm?id=3133969
Direct to pdf:


