Factoring RSA keys from certified smart cards: Coppersmith in the wild


This paper explains how an attacker can efficiently factor 184 distinct RSA keys out of more than two million 1024-bit RSA keys downloaded from Taiwan’s national “Citizen Digital Certificate” database. These keys were generated by government-issued smart cards that have built-in hardware random-number generators and that are advertised as having passed FIPS 140-2 Level 2 certification. These 184 keys include 103 keys that share primes and that are efficiently factored by a batch-GCD computation. This is the same type of computation that was used last year by two independent teams (USENIX Security 2012: Heninger, Durumeric, Wustrow, Halderman; Crypto 2012: Lenstra, Hughes, Augier, Bos, Kleinjung, Wachter) to factor tens of thousands of cryptographic keys on the Internet. The remaining 81 keys do not share primes. Factoring these 81 keys requires taking deeper advantage of randomness-generation failures: first using the shared primes as a springboard to characterize the failures, and then using Coppersmith-type partial-key-recovery attacks. This is the first successful public application of Coppersmith-type attacks to keys found in the wild.

DOI: 10.1007/978-3-642-42045-0_18
View Slides

Extracted Key Phrases

Citations per Year

56 Citations

Semantic Scholar estimates that this publication has 56 citations based on the available data.

See our FAQ for additional information.

Cite this paper

@inproceedings{Bernstein2013FactoringRK, title={Factoring RSA keys from certified smart cards: Coppersmith in the wild}, author={Daniel J. Bernstein and Yun-An Chang and Chen-Mou Cheng and Li-Ping Chou and Nadia Heninger and Tanja Lange and Nicko van Someren}, booktitle={IACR Cryptology ePrint Archive}, year={2013} }