Abstract
This paper explains how an attacker can efficiently factor 184 distinct RSA keys out of more than two million 1024-bit RSA keys downloaded from Taiwan’s national “Citizen Digital Certificate” database. These keys were generated by government-issued smart cards that have built-in hardware random-number generators and that are advertised as having passed FIPS 140-2 Level 2 certification.
These 184 keys include 103 keys that share primes and that are efficiently factored by a batch-GCD computation. This is the same type of computation that was used last year by two independent teams (USENIX Security 2012: Heninger, Durumeric, Wustrow, Halderman; Crypto 2012: Lenstra, Hughes, Augier, Bos, Kleinjung, Wachter) to factor tens of thousands of cryptographic keys on the Internet.
The remaining 81 keys do not share primes. Factoring these 81 keys requires taking deeper advantage of randomness-generation failures: first using the shared primes as a springboard to characterize the failures, and then using Coppersmith-type partial-key-recovery attacks. This is the first successful public application of Coppersmith-type attacks to keys found in the wild.
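The batch-GCD step the abstract refers to is a practical key-hygiene check: run over a whole key set, it reveals every modulus that shares a prime with another one. The following is an added example, not code from the paper, implementing Bernstein's product-tree/remainder-tree batch GCD over a constructed set of toy moduli; the function names and the 4-digit primes are constructed for illustration.

```python
from math import gcd

# Constructed toy key set (not from the paper): six RSA-style moduli built from
# 4-digit primes so the run is instant. Key 0 and key 2 share the prime 1009,
# key 3 and key 4 share 1039; keys 1 and 5 are independent. Real keys use
# 512-bit primes, but the algorithm below is unchanged.
SAMPLE_MODULI = [1009 * 1013, 1019 * 1021, 1009 * 1031,
                 1033 * 1039, 1039 * 1049, 1051 * 1061]

def product_tree(xs):
    """Levels of a product tree: level 0 is xs, the last level is [prod(xs)]."""
    tree = [list(xs)]
    while len(tree[-1]) > 1:
        prev = tree[-1]
        tree.append([prev[i] * prev[i + 1] if i + 1 < len(prev) else prev[i]
                     for i in range(0, len(prev), 2)])
    return tree

def batch_gcd(moduli):
    """Return gcd(N_i, prod_{j != i} N_j) for every i in quasi-linear time.

    Walk the product tree back down computing Z mod N^2 at each node (Z is the
    full product); (Z mod N_i^2) / N_i is the product of all the *other* moduli
    reduced mod N_i, so its gcd with N_i is the shared factor, if any.
    """
    tree = product_tree(moduli)
    rems = [tree[-1][0]]
    for level in reversed(tree[:-1]):
        rems = [rems[i // 2] % (level[i] ** 2) for i in range(len(level))]
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]

def weak_keys(moduli):
    """Map index -> (p, q) for every modulus that shares a prime with another."""
    found = {}
    for i, (n, g) in enumerate(zip(moduli, batch_gcd(moduli))):
        if g == 1:
            continue                      # no factor shared with any other key
        if g == n:
            # Both primes are shared (or the modulus is an exact duplicate):
            # the batch gcd is uninformative, so fall back to pairwise gcds.
            g = next((h for h in (gcd(n, m) for j, m in enumerate(moduli) if j != i)
                      if 1 < h < n), None)
            if g is None:
                continue                  # pure duplicate: unfactorable this way
        found[i] = (min(g, n // g), max(g, n // g))
    return found

if __name__ == "__main__":
    for i, (p, q) in sorted(weak_keys(SAMPLE_MODULI).items()):
        print(f"key {i}: N = {SAMPLE_MODULI[i]} = {p} * {q}")
```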
References
ANSI. ANSI X9.31:1998: Digital Signatures Using Reversible Public Key Cryptography for the Financial Services Industry (rDSA). American National Standards Institute (1998)
Bernstein, D.J.: How to find the smooth parts of integers (May 2004), http://cr.yp.to/papers.html#smoothparts
Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than N^0.292. In: Stern, J. (ed.) EUROCRYPT. LNCS, vol. 1592, pp. 1–11. Springer (1999)
Cadé, D., Pujol, X., Stehlé, D.: fpLLL (2013), http://perso.ens-lyon.fr/damien.stehle/fplll/
Chunghwa Telecom Co., Ltd.: HiCOS PKI smart card security policy (2006), http://www.cryptsoft.com/fips140/vendors/140sp614.pdf
Coppersmith, D.: Finding a small root of a bivariate integer equation; factoring with high bits known. In: Maurer, U.M. (ed.) EUROCRYPT. LNCS, vol. 1070, pp. 178–189. Springer (1996)
Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptology 10(4), 233–260 (1997)
Decker, W., Greuel, G.-M., Pfister, G., Schönemann, H.: Singular 3-1-6 — A computer algebra system for polynomial computations (2012), http://www.singular.uni-kl.de
Faugère, J.-C., Marinier, R., Renault, G.: Implicit factoring with shared most significant and middle bits. In: Nguyen, P.Q., Pointcheval, D. (eds.) Public Key Cryptography. LNCS, vol. 6056, pp. 70–87. Springer (2010)
Bundesamt für Sicherheit in der Informationstechnik. Certification report BSI-DSZ-CC-0212-2004 for Renesas AE45C1 (HD65145C1) smartcard integrated circuit version 01 (2004), https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Zertifizierung/Reporte02/0212a_pdf.pdf?__blob=publicationFile
Bundesamt für Sicherheit in der Informationstechnik. Evaluation of random number generators (2013), https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Zertifierung/Interpretation/Evaluation_of_random_number_generators.pdf?__blob=publicationFile and https://www.bsi.bund.de/DE/Themen/ZertifizierungundAnerkennung/ZertifizierungnachCCundITSEC/AnwendungshinweiseundInterpretationen/AISCC/ais_cc.html
Granville, A.: Harald Cramér and the distribution of prime numbers. Scand. Actuarial J. 1995(1), 12–28 (1995)
Heninger, N., Durumeric, Z., Wustrow, E., Halderman, J.A.: Mining your Ps and Qs: Detection of widespread weak keys in network devices. In: Proceedings of the 21st USENIX Security Symposium (August 2012)
Heninger, N., Shacham, H.: Reconstructing RSA private keys from random key bits. In: Halevi, S. (ed.) CRYPTO. LNCS, vol. 5677, pp. 1–17. Springer (2009)
Herrmann, M., May, A.: Solving linear equations modulo divisors: On factoring given any bits. In: Pieprzyk, J. (ed.) ASIACRYPT. LNCS, vol. 5350, pp. 406–424. Springer (2008)
Howgrave-Graham, N.: Approximate integer common divisors. In: Silverman, J.H. (ed.) CaLC. LNCS, vol. 2146, pp. 51–66. Springer (2001)
Lenstra, A.K., Hughes, J.P., Augier, M., Bos, J.W., Kleinjung, T., Wachter, C.: Public keys. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO. LNCS, vol. 7417, pp. 626–642. Springer (2012)
Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982)
May, A., Ritzenhofen, M.: Implicit factoring: On polynomial time factoring given only an implicit hint. In: Jarecki, S., Tsudik, G. (eds.) Public Key Cryptography. LNCS, vol. 5443, pp. 1–14. Springer (2009)
MOICA. Safety questions (2013), http://moica.nat.gov.tw/html/en_T2/faq22-066-090.htm
National Institute of Standards and Technology (NIST): Security requirements for cryptographic modules. Federal Information Processing Standards Publication (FIPS PUB) 140-2 (May 2001, updated December 03, 2012), http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf; see http://csrc.nist.gov/publications/nistpubs/800-29/sp800-29.pdf for differences between this and FIPS 140-1
National Institute of Standards and Technology (NIST): Recommendation for random number generation using deterministic random bit generators. NIST Special Publication (NIST SP) 800-90A (January 2012)
Paterson, K.G., Polychroniadou, A., Sibborn, D.L.: A coding-theoretic approach to recovering noisy RSA keys. In: Wang, X., Sako, K. (eds.) ASIACRYPT. LNCS, vol. 7658, pp. 386–403. Springer (2012)
Stein, W.A., et al.: Sage Mathematics Software (Version 5.8). The Sage Development Team (2013), http://www.sagemath.org
© 2013 Springer-Verlag Berlin Heidelberg
Bernstein, D.J. et al. (2013). Factoring RSA Keys from Certified Smart Cards: Coppersmith in the Wild. In: Sako, K., Sarkar, P. (eds) Advances in Cryptology - ASIACRYPT 2013. ASIACRYPT 2013. Lecture Notes in Computer Science, vol 8270. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-42045-0_18
DOI: https://doi.org/10.1007/978-3-642-42045-0_18
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-42044-3
Online ISBN: 978-3-642-42045-0