ROCA #fail: Even worse than thought (and you don't need to be Estonia to freak out)

Remember last month’s flap about the Return of Coppersmith's Attack (ROCA) and the weak keys? It turns out that cracking the private keys is way easier than we thought.

Independent researchers have played around with the flaw and sped up the process. Then the original researchers sped it up some more. And the estimates don’t even consider using GPUs, FPGAs, and the like. Holy mackerel.

Estonia and other countries are taking this really seriously because their ID cards are based on the flawed code. In this week’s Security Blogwatch, we fear falling skies.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention:  **** the ****ing ********


What’s the craic? Tanja Lange and Daniel J. Bernstein speak of Reconstructing ROCA:

Our best guess is that serious attackers found the … vulnerability years ago and have been quietly exploiting it since then.

We decided to see whether we could reconstruct the attack … rather than waiting for the paper to be released. … Within a week we [had it] running even faster than theirs.

We see many possibilities for [10x] speedups beyond what we implemented.

And Dan Goodin summarizes—Flaw crippling millions of crypto keys is worse than first disclosed:

A crippling flaw affecting … possibly hundreds of millions of encryption keys used in some of the highest-stakes security settings is considerably easier to exploit than originally reported.

Researchers first … estimated it would [take] 25 minutes to break a vulnerable 1024-bit key and … nine days for a 2048-bit key. [But] Bernstein and … Lange[’s new] attack that [is] 25 percent more efficient.

One [additional] way to improve the attack, Bernstein and Lange said, may be to use fast graphics cards, which have the potential to shave the average cost of factorizing a vulnerable 2048-bit key [by 10x or more].

serious attackers can further reduce costs by buying dedicated computer gear, possibly equipped with GPU, field programmable gate array, and application-specific integrated circuit chips.

What can we learn from this? Here’s annodomini:

This work demonstrates well how users can't rely on the lack of disclosure of details for security. When a vulnerability such as this is found, they must work as fast as possible to mitigate the issue.

It's a race against attackers who could now be re-creating the finding and applying it.

Steve Gibson chooses your ROCA Pain:

If the car you’re driving ever starts making a different sound, it’s probably not an improvement. … And so is the case with attacks on crypto.

It turns out there are other skilled cryptographers on the planet. … They developed an attack that was 25% more efficient.

The original researchers since privately disclosed their own revised attack that's as much as four times more efficient. [And] it was already within reach for anybody who cared to crack one.

The more you look at some of these problems, the easier it becomes to overcome them.

Ugh, depressed yet? This Anonymous Coward looks on the bright side:

Does this mean DIY free top-up hacks for public transport cards, Tollway Transponder, BluRays, CableTV and more are up for grabs? Mexico cartels will be so thankful for the USA passport smartchip — now they have more options.

And here comes the (ahem) expensive implication. Nicholas Fearn reports—Estonian authorities block national ID cards due to ROCA:

Estonia has rendered more than 760,000 national electronic ID cards useless after a cryptographic flaw [allowed] cyber criminals … to clone the cards and commit identity fraud. … These cards are used throughout the country.

Estonian organisations have attempted to issue a patch through a certificate update, but the government has since issued a ban on the cards. [So] the public must update their cards.

Over the next few weeks, Estonians should visit local authorities to replace the cards. … The cards are used for filing taxes, managing healthcare information and other government-related purposes.

We’ve no idea if this report is related, from David Mardiste and Tatiana Ustinova—Estonia arrests suspected Russian FSB agent:

[A] man was stopped at the weekend as he prepared to leave Estonia for Russia. … “A person, who is a Russian citizen, is suspected of acting as an FSB agent in the preparation of a computer crime against the Republic of Estonia,” the prosecutors office said.

Russia’s Federal Security Service, or FSB, is a successor to the KGB. … Estonia, occupied by the Soviet Union until 1991 but now a member of NATO and the European Union, has a strained relationship with its powerful neighbor.

Wait. Pause. Can we be sure he’s Russian? Wise words from Sven “@sakkov” Sakkov:

Attribution of malicious cyber activity by a foreign power is much easier if you are able to arrest the perpetrator.

And answering the obvious question, it’s @nthcolumn:

Why did he have to physically go to Estonia? To test the fake ID cards, readers?

I wonder what the Estonians are changing in their cards? dullgiulio knows:

For those wondering: "upgrading the Estonian ID cards" means switching to ECC (P-384).

Slovakia appears to be going down a similar path (albeit with a longer RSA key, rather than switching to elliptic curves). And now there are question marks around Belgium’s ID cards, says igor_sk:

The Belgian e-ID cards use Infineon chips so they likely use the Infineon-provided cryptographic library. … This means that we may see a country-wide program of updating firmware and keys on the eID cards like what happened in Estonia.

Meanwhile, it’s about time we heard from “Estonia’s worst American comedian”—Stewart “@StewartEestis” Johnson:

Everyone on Twitter now has 280 characters, except in Estonia, where all they have is doubt.


The moral of the story? You don’t need to be a government to take ROCA seriously: Make sure you’re not relying on a keygen that’s been broken since 2008.
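One way to act on that moral, as an added example that is not from the column or any of the quoted authors: a Python check for the small-prime residue structure that RSALib-generated moduli share (the public ROCA fingerprint). It assumes the published key structure p = k·M + (65537^a mod M) with M a primorial of small primes, and uses constructed sample moduli rather than real keys.

```python
"""ROCA weak-key fingerprint check (added example, not from the column).

Assumed background: Infineon's RSALib generates primes of the form
p = k*M + (65537^a mod M), M being the product of small primes.  For two
such primes, N = p*q mod r lies in the subgroup of Z_r^* generated by
65537 for every small prime r dividing M.  A properly random modulus
satisfies all 38 checks with negligible probability, so a key that passes
every one was almost certainly produced by the flawed generator.
"""

# Odd primes up to 167 (the 2048-bit RSALib primorial uses the first 39
# primes; 2 is skipped here because every RSA modulus is odd anyway).
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53,
                59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109,
                113, 127, 131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537


def subgroup(r: int, g: int = GENERATOR) -> frozenset:
    """All residues g^k mod r, i.e. the cyclic subgroup <g> of Z_r^*."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * g) % r
    return frozenset(seen)


# Precomputed once: the per-prime "fingerprints" a detector compares against.
FINGERPRINTS = {r: subgroup(r) for r in SMALL_PRIMES}


def roca_mismatches(n: int) -> list:
    """Small primes r for which n mod r is NOT in <65537>; empty means ROCA."""
    return [r for r in SMALL_PRIMES if (n % r) not in FINGERPRINTS[r]]


def is_roca_modulus(n: int) -> bool:
    """True when every small-prime residue matches the RSALib structure."""
    return not roca_mismatches(n)


# Constructed sample values (not real keys).  65537^a mod M plus a multiple
# of M has exactly the residues an RSALib modulus has; a multiple of M plus 2
# does not (e.g. 2 mod 11 is outside <65537> = {1, 10}).
M = 1
for _r in SMALL_PRIMES:
    M *= _r
WEAK_LIKE_N = pow(GENERATOR, 1234, M) + 7 * M
RANDOM_LIKE_N = 3 * M + 2

if __name__ == "__main__":
    for label, n in (("weak-like", WEAK_LIKE_N), ("random-like", RANDOM_LIKE_N)):
        print(label, "ROCA fingerprint:", is_roca_modulus(n), roca_mismatches(n)[:3])
```

To check a real certificate, feed its RSA modulus (as an integer) to `is_roca_modulus`; a positive result means the key should be replaced, not patched.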

And finally …

SCIENCE: Cursing is good for us

 Hat tip: The Sweary Scientist

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Topics: Security