Archive of news and events

From the faculty

  • Computer Science Colloquium, 12 December: Troubles with RSA cryptographic keypair generation

    Computer Science Colloquium, 12 December 2017, 14:00, lecture hall D2
    RNDr. Petr Švenda, Ph.D., FI MU
    Troubles with RSA cryptographic keypair generation
    Abstract: The talk will cover our recent work [1], which resulted in the
    discovery of an algorithmic flaw in the construction of primes for RSA key
    generation in a widely used library of a major manufacturer of cryptographic
    hardware. The primes generated by the library suffer from an entropy loss so
    severe that practical factorization of commonly used key lengths up to 2048
    bits is possible. Our method, based on an extension of Coppersmith's
    factorization attack, requires no additional information beyond the value of
    the public modulus and does not depend on a weak or faulty random number
    generator. The library in question is found in NIST FIPS 140-2 and CC EAL 5+
    certified devices used for a wide range of real-world applications, including
    citizens' identity cards, Trusted Platform Modules, secure email, and tokens for
    authentication or software signing. The findings directly resulted in the
    revocation of millions of certificates in Estonia, Slovakia, Spain and other
    countries, and in major security updates rolled out by Microsoft, Google, HP,
    Lenovo, and others.

    The talk will discuss how the vulnerability was found, what the root cause of
    its existence was, our experience with the responsible disclosure process, and
    the options for systematically preventing such a large-scale failure in the
    future.

    [1] Matus Nemec, Marek Sys, Petr Svenda, Dusan Klinec and Vashek Matyas: The
    Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA
    Moduli, 24th ACM Conference on Computer and Communications Security (CCS'2017),
    2017.
