On November 3, Estonia suspended hundreds of thousands of digital identity cards due to a massive cryptographic flaw.
The flaw, called the Return of the Coppersmith Attack (ROCA) affects a library developed by the German chipmaker Infineon: RSA Library version v1.02.013, which is used to generate public and private RSA keys on a smartcard rather than a general purpose computer. Generally public keys are meant to be distributed widely to generate messages that only people holding the private key can read. However this version of this library often generates public keys vulnerable to factorization: the prime numbers used to generate the private and public keys can be determined from the public keys relatively quickly. This allows the private key to be constructed by an attacker. Infineon used a vulnerable algorithm to create these prime numbers in an attempt to boost performance.
Using the private key, a hacker can impersonate key owners and decrypt the key owner’s private data. Not all keys of a given size are equally vulnerable, but a vulnerability check only takes 1 millisecond to complete.
This version of the library was released back in 2012, and complied with security certification standards binding on governments and businesses the world over. The certification process did not manage to uncover this flaw back then. Today, there may be tens or hundreds of weak keys out there, including the unfortunate Estonian identity cards. The Estonian government was notified of the flaw by researchers back in August, but back then the exploit did not seem feasible.
The ROCA exploit was revealed to the public in October and since then, many teams have found ways to make the exploit faster and more efficient. It may be possible to factorize a single public key at a cost of $1000 or $2000 using specialized hardware such as GPUs, FPGAs or entire integrated circuits optimized for factorizing. As research progressed, the Estonian government finally acted.
The Estonian Police and Border Guard suspended 760,000 digital identity cards. These cards are used for filing taxes, encrypting sensitive documents and even for voting. That last use is critical: if even 10% of these cards were compromised, that would be enough to flip an election. Every card issued from October 16, 2014 all the way to October 25, 2017 has been suspended. New cards will use elliptical curve cryptography rather than the vulnerable version of the RSA library.
While Estonia has acted, many other players may still be at risk. Slovakia issues vulnerable identity cards, as does a number of private companies. If they do not act quickly, they may find their secrets revealed to the public.
Leave a Reply