This paper explains how an attacker can efficiently factor 184 distinct RSA keys out of more than two million 1024-bit RSA keys downloaded from Taiwan’s national "Citizen Digital Certificate" database. These keys were generated by government-issued smart cards that have built-in hardware random-number generators and that are advertised as having passed FIPS 140-2 Level 2 certification.
These 184 keys include 103 keys that share primes and that are efficiently factored by a batch-GCD computation. This is the same type of computation that was used last year by two independent teams (USENIX Security 2012: Heninger, Durumeric, Wustrow, Halderman; Crypto 2012: Lenstra, Hughes, Augier, Bos, Kleinjung, Wachter) to factor tens of thousands of cryptographic keys on the Internet.
The remaining 81 keys do not share primes. Factoring these 81 keys requires taking deeper advantage of randomness-generation failures: first using the shared primes as a springboard to characterize the failures, and then using Coppersmith-type partial-key-recovery attacks. This is the first successful public application of Coppersmith-type attacks to keys found in the wild.
Keywords: RSA; smart cards; factorization; Coppersmith; lattices
|Title of host publication||Advances in Cryptology - ASIACRYPT 2013 (19th International Conference on the Theory and Application of Cryptology and Information Security, Bengaluru, India, December 1-5, 2013. Proceedings)|
|Editors||K. Sako, P. Sarkar|
|Place of Publication||Berlin|
|Publication status||Published - 2013|
|Name||Lecture Notes in Computer Science|