Entire nation's ID cards vulnerable to ROCA attack

For discussions about security.
Post Reply
Message
Author
User avatar
prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

Entire nation's ID cards vulnerable to ROCA attack

#1 Post by prehistoric »

Estonia has recalled all of its national ID cards with chips based on RSA encryption after a new attack became economically feasible. They are in the process of issuing new ID with chips that use elliptic curve cryptography. This is probably not the only country affected.

Note: Estonia is particularly concerned because they have a neighbor with the technology to break their ID system, and motivation to exploit this.

Ordinarily, I would have said that a cipher which required factoring a 2048-bit number was well beyond the state of the art. The problem here is that knowledge of the public key could be used to reconstruct the private key with a reasonable amount of computation, using existing equipment. This is probably a flaw in the way the cipher was implemented, not in the fundamental theory of RSA. Inverting a cipher based on elliptic curves to discover the private key is currently much less well understood.

This discovery was something of a surprise when it first came out because RSA was not a trivial exercise in amateur cryptography. What has changed recently is that a previous attack has been improved to the point it really could be used.

Next question: how many other chip cards are vulnerable? If the cost of breaking a system is less than the value of the money it protects you can expect change to happen rapidly.

How many proprietary systems are simply variations on similar techniques using the idea that "security through obscurity" will protect the vendors? Just because a great deal of money is involved doesn't mean really dumb mistakes will not happen. A whole series of video gambling machines turned out to be using a pseudo-random number generator copied from Don Knuth's book on Seminumerical Algorithms. The problem with this is that an algorithm will always produce the same sequence of numbers when started over with the same seed value.

Post Reply