Saw this on Ars Technica today and thought I'd pass along the link.

More detailed version of the story available at:

Short version:  Taiwanese Government issued smartcards to citizens.
Each has a 1024-bit RSA key.  The keys were created using a borked
RNG.  It turns out many of the keys are broken, easily factored,
or have factors in common, and up to 0.4% of these cards in fact
provide no encryption whatsoever (RSA keys are flat out invalid,
and there is a fallback to unencrypted operation).

This is despite meeting (for some inscrutable definition of "meeting")
FIPS 140-2 Level 2 and Common Criteria standards.  These standards
require steps that were clearly not done here.  Yet, validation
certificates were issued.

Taiwan is now in the process of issuing a new generation of
smartcards; I hope they send the clowns who were supposed to test
the first generation a bill for that.


The cryptography mailing list
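
The post above mentions keys that "have factors in common". As an added example (not part of the original post, and not code from the researchers it refers to), here is a batch-GCD audit an issuer could run over the public moduli it has generated before certifying them. The function names are hypothetical and the sample moduli are constructed from small primes.

```python
from math import gcd, prod

def product_tree(values):
    """Levels of pairwise products; the last level holds the product of all values."""
    tree = [list(values)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([prod(level[i:i + 2]) for i in range(0, len(level), 2)])
    return tree

def shared_factor_audit(moduli):
    """Return {index: factor} for every modulus sharing a factor with another one.

    For each modulus n the remainder tree yields P mod n^2, where P is the
    product of all moduli. Dividing that by n gives (P / n) mod n, so
    gcd(n, (P mod n^2) // n) is the factor n has in common with the rest.
    A finding equal to n itself means a duplicate modulus or both primes reused.
    """
    tree = product_tree(moduli)
    rems = tree.pop()                      # top of the tree: [P]
    while tree:
        level = tree.pop()
        # Each node reduces its parent's remainder modulo its own square.
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(level)]
    findings = {}
    for i, (n, r) in enumerate(zip(moduli, rems)):
        g = gcd(n, r // n)
        if g != 1:
            findings[i] = g
    return findings

# Constructed sample: toy moduli built from small primes. Entries 0 and 1
# reuse the prime 1009, as a weak RNG might; the others are independent.
SAMPLE_MODULI = [
    1009 * 1013,
    1009 * 1019,
    1021 * 1031,
    1033 * 1039,
    1049 * 1051,
]

if __name__ == "__main__":
    for index, factor in shared_factor_audit(SAMPLE_MODULI).items():
        print(f"modulus #{index} shares factor {factor} with another key")
```

The tree structure keeps the cost close to linear in the number of keys, where comparing every pair would grow quadratically.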
