A crippling flaw in a widely used code library has fatally undermined
the security of millions of encryption keys used in some of the
highest-stakes settings, including national identity cards, software
and application signing, and trusted platform modules protecting
government and corporate computers.
The weakness allows attackers to calculate the private portion of any
vulnerable key using nothing more than the corresponding public
portion. Hackers can then use the private key to impersonate key owners,
decrypt sensitive data, sneak malicious code into digitally signed
software, and bypass protections that prevent accessing or tampering
with stolen PCs.
The five-year-old flaw is also troubling because it's
located in code that complies with two internationally recognized
security certification standards that are binding on many governments,
contractors, and companies around the world.
The code library was
developed by German chipmaker Infineon, and has been generating weak keys
since 2012 at the latest.
https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/