Puppy Linux Discussion Forum
Entire nation's ID cards vulnerable to ROCA attack
prehistoric


Joined: 23 Oct 2007
Posts: 1691

Posted: Mon 06 Nov 2017, 22:33
Subject description: Estonia's ID cards based on RSA encryption
 

Estonia has recalled all of its national ID cards with chips based on RSA encryption after a new attack became economically feasible. They are in the process of issuing new ID with chips that use elliptic curve cryptography. This is probably not the only country affected.

Note: Estonia is particularly concerned because they have a neighbor with the technology to break their ID system, and motivation to exploit this.

Ordinarily, I would have said that a cipher which required factoring a 2048-bit number was well beyond the state of the art. The problem here is that knowledge of the public key could be used to reconstruct the private key with a reasonable amount of computation, using existing equipment. This is probably a flaw in the way the cipher was implemented, not in the fundamental theory of RSA. Inverting a cipher based on elliptic curves to discover the private key is currently much less well understood.

This discovery was something of a surprise when it first came out because RSA was not a trivial exercise in amateur cryptography. What has changed recently is that a previous attack has been improved to the point it really could be used.

Next question: how many other chip cards are vulnerable? If the cost of breaking a system is less than the value of the money it protects you can expect change to happen rapidly.

How many proprietary systems are simply variations on similar techniques using the idea that "security through obscurity" will protect the vendors? Just because a great deal of money is involved doesn't mean really dumb mistakes will not happen. A whole series of video gambling machines turned out to be using a pseudo-random number generator copied from Don Knuth's book on Seminumerical Algorithms. The problem with this is that an algorithm will always produce the same sequence of numbers when started over with the same seed value.
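On the post's question of how many other cards are affected, the following is an added example and not part of the original post: a defender's check for the ROCA fingerprint, which needs only the public modulus. It assumes the structure published with the attack, namely that the affected library's primes are congruent to a power of 65537 modulo a product of small primes, so the modulus lands in the subgroup generated by 65537 modulo each of those primes. The function names and the sample moduli are constructed for illustration.

```python
# Added example: ROCA fingerprint test on an RSA public modulus.
# Sample moduli below are constructed, not real keys.
from math import prod

# Odd primes up to 167 (assumption: these divide the primorial M
# for every affected key size).
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53,
                59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109,
                113, 127, 131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537


def subgroup(g, r):
    """Return the set {g^i mod r}: the multiplicative subgroup generated by g."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * g) % r
    return seen


# Precompute the allowed residues once per small prime.
SUBGROUPS = {r: subgroup(GENERATOR % r, r) for r in SMALL_PRIMES}


def has_roca_fingerprint(n):
    """True if modulus n lies in <65537> modulo every small prime.

    An unaffected modulus fails at least one residue test with
    overwhelming probability, so True means "replace this key".
    """
    if n <= 0 or n % 2 == 0:
        return False  # not a plausible RSA modulus
    return all(n % r in SUBGROUPS[r] for r in SMALL_PRIMES)


def constructed_moduli():
    """Build one fingerprinted and one clean test value (neither is a real key)."""
    M = 2 * prod(SMALL_PRIMES)
    # Factors shaped like the flawed generator's output: k*M + 65537^a mod M.
    # Primality is irrelevant to the fingerprint, so it is not checked here.
    p_like = 5 * M + pow(GENERATOR, 1234, M)
    q_like = 7 * M + pow(GENERATOR, 4321, M)
    clean = 11 * 2**512 + 13  # residue 2 mod 11, outside <65537> = {1, 10}
    return p_like * q_like, clean
```

To screen a real certificate or key, pass its modulus as a Python integer to `has_roca_fingerprint`.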