A cryptographic flaw that was first disclosed three weeks ago has been revealed to be much worse than first thought. The flaw allows hackers to break the encryption keys of millions - possibly even hundreds of millions - of secure services. According to the cryptographers who conducted the latest research, the exploit means that many high-stake security services previously thought to be secure are now known to be at risk.
The announcement has been quickly followed up by the Estonian government’s decision to suspend the use of its national ID card. That card is used by around 760,000 citizens for activities such as encrypting sensitive documents, voting, and filing taxes. The ID card has been suspended after it was realized that initial claims - that the flaw is too costly to exploit on a large scale - were incorrect.
Massive Vulnerability
The disastrous security vulnerability was discovered by researchers from Masaryk University in the Czech Republic, Enigma Bridge in the UK, and Ca' Foscari University in Italy. It is caused by a flaw in a popular code library used in many important security settings. These include not only national identity cards but also software and application signing, and security on Trusted Platform Modules on vital government and corporate systems (including Microsoft).
The flaw allows hackers to ascertain private keys simply by analyzing the corresponding public part of the key. According to the researchers who carried out the original research, hackers could penetrate a 1024-bit key for $38 in around 25 minutes (using an average commercial cloud-based server). That expense rose considerably - to $20,000 and nine days - for decrypting a 2048-bit key.
Incorrect Initial Report
This initial report resulted in an industry-wide downplaying of the vulnerability. The Estonian government declared that the flaw was too expensive to cause any real concern:
Large-scale vote fraud is not conceivable due to the considerable cost and computing power necessary of generating a private key.
This claim was echoed by other commercial and private organizations utilizing these types of keys to secure their systems. Netherlands-based smart-card maker Gemalto, for example, was amongst the firms that admitted that it “may be affected,” but did not show any initial signs that there was cause for concern.
Now, however, secondary research published at the weekend has revealed that those initial statistics were wrong. According to researchers Daniel J Bernstein and Tanja Lange, they have managed to improve the efficiency of the attack by around 25%. This has caused panic that it could be possible to further increase the efficiency of the attack.
This is a massive concern because the flaw has been around for five years (the code library was developed by German chipmaker Infineon and released at the latest in 2012). In addition, the cryptographic keys in question are currently used by two internationally recognized security certification standards.
Immediate Concern
The new revelations have forced Estonia to not only close access to its database (which contains public keys) but also to suspend the use of any identity cards released since 2014. In addition, it means that smart-cards such as Gemalto’s IDPrime.NET - which is used to provide two-factor authentication to Microsoft employees and many other firms - may be more vulnerable than initially thought.
The original report, published by researchers including Petr Svenda, an active member of Centre for Research on Cryptography and Security, purposefully omitted specifics of the factorization attack. It was hoped that this would increase the time necessary for hackers in the wild to crack the vulnerability.
The new research published by Bernstein and Lange, however, demonstrates that researchers are already managing to improve on the initial attack. This creates massive uncertainty and raises the concern that hackers and cybercriminals might also be able to hack the encryption.
Bernstein and Lange believe that it might be possible to use fast graphics cards to bring down the costs of cracking the 2048-bit key to just $2,000. This is a much smaller sum than the initially reported $20,000. Dan Cvrcek, CEO of Enigma Bridge (one of the firms that helped to carry out the original research), has also come forward to express his concerns. He believes that much faster and less expensive attacks than the ones first published are indeed possible:
My impression is that the time and cost estimates cited in the original research have been fairly conservative. I'm not sure whether someone can slash the cost of one key below $1,000 as of today, but I certainly see it as a possibility.
In their research, Bernstein and Lange also mention the possibility that other dedicated technology (that is well equipped to handle the mathematical task of a factorization attack) could also be used by attackers to bring down the costs and time involved in an attack. Among these, the researchers suggested using “dedicated computer gear, possibly equipped with GPU, field programmable gate array, and application-specific integrated circuit chips.”
Who Is Affected?
Although only Estonia has so far suspended use of its identity cards, it is believed that a number of other nations, including Slovakia, are likely to be affected. In fact, Ars Technica has received reports that a European nation's identity card may also be affected. For now, however, Ars has not disclosed which country that is.
In terms of private organizations, it is believed that the ID cards of millions (if not hundreds of millions) of employees may be affected by this flaw. This includes security at top banks and other massive international corporations, which could have been vulnerable for anything between five and ten years.
As for the possibility that this flaw could be used to alter the result of an election significantly, this remains to be conclusively proven. The reality, however, is that in close elections it might only be necessary to hack a small proportion of voters (maybe only 5%) in order to swing an election the other way. If it becomes possible to mount the ROCA attack more quickly and cheaply, then this may become a real concern.
Opinions are the writer's own.