Petr Švenda


Removing the single points of failure in security systems

We analyzed the RSA key-pair generation implemented in widely used secure hardware chips and discovered an algorithmic flaw in a widely used library of a major manufacturer of cryptographic hardware [1]. The flaw was overlooked during NIST FIPS 140-2 and Common Criteria EAL 5+ certification for more than 10 years and resulted in widely deployed vulnerable devices and keys, including identity cards, Trusted Platform Modules, PGP keys, and tokens for authentication or software signing. Vulnerable keys can be recognized from the public modulus alone. In the worst case, a 1024-bit key can be factored in less than 3 CPU-months and a 2048-bit key in less than 100 CPU-years on a single core of a common recent CPU, and the attack can be parallelized across multiple CPUs.
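As an added example (not from the talk and not the ROCA authors' own detection tool), the following Python implements the public fingerprint test from [1]: an affected modulus has the form N = k*M + (65537^a mod M) with M a primorial, so N mod p must lie in the subgroup generated by 65537 mod p for each small prime p dividing M. The 39 primes up to 167 are the ones common to all affected key sizes. The sample moduli are constructed here to reproduce the residue pattern and are not real keys; the name `synthetic_roca_modulus` and the sample values are assumptions of this example.

```python
"""ROCA (CVE-2017-15361) public-modulus fingerprint test, added example.

Derives the allowed residue sets from the subgroup definition instead of
hard-coding them, so the check can be inspected and verified by the reader.
"""
import math

E = 65537  # public exponent used by the affected key generator

# The 39 primes dividing M for every affected key size (512 to 4096 bits).
FINGERPRINT_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47,
                      53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107,
                      109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167]


def subgroup_mod(p, g=E):
    """Return {g^a mod p : a >= 0}, the cyclic subgroup generated by g mod p."""
    residues, x = set(), 1
    while x not in residues:
        residues.add(x)
        x = (x * g) % p
    return residues


# Precomputed once; the published detector stores the same sets as bit masks.
ALLOWED_RESIDUES = {p: subgroup_mod(p) for p in FINGERPRINT_PRIMES}


def failing_primes(n):
    """Primes for which n mod p is outside the 65537-generated subgroup."""
    return [p for p in FINGERPRINT_PRIMES if n % p not in ALLOWED_RESIDUES[p]]


def is_roca_fingerprinted(n):
    """True if the modulus n shows the ROCA structure on all 39 primes."""
    return not failing_primes(n)


def false_positive_rate():
    """Probability that a random modulus passes all 39 per-prime checks."""
    rate = 1.0
    for p in FINGERPRINT_PRIMES:
        rate *= len(ALLOWED_RESIDUES[p]) / (p - 1)
    return rate


M39 = math.prod(FINGERPRINT_PRIMES)  # primorial of the 39 primes, about 2^219


def synthetic_roca_modulus(a, k):
    """Constructed N = k*M + 65537^a mod M (assumption of this example).

    This is NOT a real key: k is arbitrary and N need not be a product of two
    primes. It only reproduces the residue pattern the fingerprint detects.
    """
    return k * M39 + pow(E, a, M39)


# Constructed samples, not real keys.
SAMPLE_VULNERABLE = synthetic_roca_modulus(a=123456789, k=(1 << 1800) + 12345)
# Odd, but congruent to 2 mod 11, and 65537^a mod 11 is only ever 1 or 10.
SAMPLE_CLEAN = 11 * ((1 << 2047) + 1) + 2

if __name__ == "__main__":
    for label, n in [("synthetic ROCA-structured", SAMPLE_VULNERABLE),
                     ("clean", SAMPLE_CLEAN)]:
        print(f"{label}: fingerprinted={is_roca_fingerprinted(n)} "
              f"first failing primes={failing_primes(n)[:5]}")
    fp = false_positive_rate()
    print(f"false-positive rate of the 39-prime test: {fp:.3g} (~2^{math.log2(fp):.1f})")
```

The test needs only the public modulus, so it can be run over certificate stores, SSH authorized_keys files or PGP keyrings without access to the devices. A positive result means the key was generated by the affected code path and should be replaced with one generated elsewhere; a negative result says nothing about other weaknesses of the key.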

How is it possible that such a serious flaw was overlooked for so long, even though expert cryptographers were involved in its analysis? And, more importantly, what can we do to prevent a similar situation in the future?

The talk will first cover the RSA vulnerability, the impacted areas, and the available mitigation options. The second part will address the more fundamental question: how to build cryptographic systems (key generation, digital signatures, data encryption) that remain secure even after the inevitable security failure of some of their parts.

[1] ROCA: Vulnerable RSA generation (CVE-2017-15361). M. Nemec, M. Sýs, P. Švenda, D. Klinec, V. Matyáš: The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli, ACM CCS 2017.

Petr Švenda



Petr is a computer security researcher at Masaryk University in Brno. His research covers cryptographic protocols for resource-limited devices such as smartcards and wireless sensor networks, including secure multi-party computation with implications for hardware trojan prevention and hardened cryptocurrency wallets. He enjoys the analysis of secure hardware, including the quality of random number generators and entropy extraction. He pushes for more openness and support for FOSS development on the JavaCard platform and on smartcards in general. He also focuses on the use of cryptographic smartcards in complex scenarios and on the development of secure applications for such platforms at Enigma Bridge, Cambridge, UK.




Contact us

TATE International s.r.o.
Hořejší nábřeží 21, 150 00 Praha 5

Phone: +420 737 215 220