New Factorization Attack with Security Tokens Allows Attacker to compute Millions of Smart Cards Private Key
Newly Discovered Factorization Attack in Cryptographic library that is used for generation RSA Key allows Attacker to compute Millions of cryptographic smartcards, security tokens, and Motherboard Chipsets Private key by having a target’s public key.
The Public and Private key pair comprised of two uniquely related cryptographic keys.The Public Key is what its name suggests – Public. It is made available to everyone via a publicly accessible repository or directory. On the other hand, the Private Key must remain confidential to its respective owner.
This Serious security Flow Discovered in cryptographic smartcards, security tokens that are Manufactured by Infineon Technologies AG and also integrated into authentication, signature and encryption tokens of other vendors and chips used for Trusted Boot of operating system.
Factorization Attack in this Cryptographic library allows to impersonate key owners, decrypt sensitive data , bypass the Protected PCs by Attackers.
These Encryption key used in some of high-security Standard Platforms such as national identity cards, software- and application-signing, and trusted platform modules protecting government and corporate computers.
According to Researchers ,The Public Key is what its name suggests – Public. It is made available to everyone via a publicly accessible repository or directory. On the other hand, the Private Key must remain confidential to its respective owner.
In this Case No Physical access to Vulnerable Devices is required and Public Key is Enough to Compute the Private key of Vulnerable Smartcards,Security tokens and Mother Board Chipset.
This Flow not Depends on a fault in random number generator but all RSA keys generated by a vulnerable chip are impacted.
Researchers broke down the cost of the practical factorization attack to $76 for the 1024-bit key and $40,000 for the 2048-bit key, both running on an Amazon AWS c4 computation instances. But they said a 4096-bit RSA key is not practically factorizable now, but “may become so, if the attack is improved.
According to Researcher, The following key length ranges are now considered practically factorizable->> 512 to 704 bits, 992 to 1216 bits and 1984 to 2144 bits.
Note that 4096-bit RSA key is not practically factorizable now, but may become so, if the attack is improved.
“The actual impact of the vulnerability depends on the usage scenario, availability of the public keys and the lengths of keys used. We found and analyzed vulnerable keys in various domains including electronic citizen documents, authentication tokens, trusted boot devices, software package signing, TLS/HTTPS keys and PGP. The currently confirmed number of vulnerable keys found is about 760,000 but possibly up to two to three magnitudes more are vulnerable”. Researcher said.
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.