Computer Science Colloquium 12. 12.: Troubles with RSA cryptographic keypair generation
Computer Science Colloquium, 12. 12. 2017, 14:00, lecture hall D2
RNDr. Petr Švenda, Ph.D., FI MU
Troubles with RSA cryptographic keypair generation
Abstract: The talk will cover our recent work [1], which resulted in the
discovery of an algorithmic flaw in the construction of primes for RSA key
generation in a widely used library of a major manufacturer of cryptographic
hardware. The primes generated by the library suffer from an entropy loss so
severe that practical factorization of commonly used key lengths up to 2048
bits is possible. Our method, based on an extension of Coppersmith's
factorization attack, requires no additional information except for the value
of the public modulus and does not depend on a weak or faulty random number
generator. The library in question is found in NIST FIPS 140-2 and CC EAL 5+
certified devices used for a wide range of real-world applications, including
citizens' identity cards, Trusted Platform Modules, secure email, and tokens for
authentication or software signing. The findings directly resulted in the
revocation of millions of certificates in Estonia, Slovakia, Spain and other
countries, and in major security updates rolled out by Microsoft, Google, HP,
Lenovo, and others.
The talk will discuss how the vulnerability was found, what the root cause of
its existence was, our experience from the responsible disclosure process, and
the options for systematically preventing such a large-scale failure in the
future.
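The entropy loss in [1] comes from primes of the form k*M + (65537^a mod M), with M the product of the first n small primes, which makes the public modulus N congruent to a power of 65537 modulo every prime dividing M. The following is an added example (not the authors' code or their detection tool) that turns this congruence into a defender-side fingerprint check over a modulus; the twelve-prime demo M, the function names, the fixed seed and the sample primes 1000003 and 1000033 are constructed for illustration, and the paper's n depends on the key size.

```python
"""Added example (not the authors' code): fingerprint for the prime structure in [1].
Affected primes are p = k*M + (65537**a mod M), M = product of the first n small primes,
so N = p*q == 65537**(a+b) (mod M): N mod r is a power of 65537 for every prime r | M."""
import random
from functools import reduce

GENERATOR = 65537
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]  # demo n = 12; real n grows with key size
M = reduce(lambda x, y: x * y, SMALL_PRIMES)

def residues_of_generator(r):
    """The set {65537**i mod r}: the only residues a structured N can take mod r."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * GENERATOR % r
    return seen

def has_roca_fingerprint(n):
    """True when n mod r is a power of 65537 for every small prime r dividing M."""
    return all(n % r in residues_of_generator(r) for r in SMALL_PRIMES)

def false_positive_rate():
    """Chance an unrelated modulus passes all congruences; primes where 65537 generates (Z/r)* add nothing."""
    return reduce(lambda acc, r: acc * len(residues_of_generator(r)) / (r - 1), SMALL_PRIMES, 1.0)

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin, deterministic for n < 3.3e24 with these bases:
    n is composite unless b**d is +-1 or one of the s-1 squarings reaches -1."""
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    s = ((n - 1) & (1 - n)).bit_length() - 1      # n - 1 = d * 2**s with d odd
    d = (n - 1) >> s
    for b in bases:
        x = pow(b, d, n)
        if x not in (1, n - 1) and all((x := x * x % n) != n - 1 for _ in range(s - 1)):
            return False
    return True

def structured_prime(rng, k_bits=24):
    """Constructed prime of the flawed shape k*M + 65537**a mod M (demo sizes only)."""
    while True:
        p = (rng.getrandbits(k_bits) | 1 << (k_bits - 1)) * M + pow(GENERATOR, rng.randrange(1, M), M)
        if is_probable_prime(p):
            return p

def weak_modulus(seed=2017):
    """Constructed demo modulus from two structured primes (fixed seed, repeatable)."""
    rng = random.Random(seed)
    return structured_prime(rng) * structured_prime(rng)
```

With only twelve small primes the fingerprint still lets roughly 0.2% of unrelated moduli through; the real M spans many more primes, so that chance collapses. The check only recognises the structure and performs no factorization, which is what makes it cheap enough to run over a whole certificate inventory.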
[1] Matus Nemec, Marek Sys, Petr Svenda, Dusan Klinec and Vashek Matyas: The
Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA
Moduli. 24th ACM Conference on Computer and Communications Security (CCS 2017),
2017.