On Monday, 16 October 2017 23:15:51 UTC+1, Jakob Bohm wrote:
> They have also obfuscated their test by providing bitmasks as decimal
> bigints instead of using hexadecimal or any other format that makes the
> bitmasks human readable.
The essential fingerprinting trick comes down to this (I had to work all this out while I was discussing it with Let's Encrypt's @cpu yesterday): Infineon RSA moduli have weird properties: when you divide them by some (but not all) small primes, the remainder isn't zero (which would be instantly fatal to security) but is heavily biased. For example, when divided by 11, the remainder is always 1 or 10.

The bitmasks are effectively lists of expected remainders for each small prime; if your modulus has an expected remainder for all the 20+ small primes that distinguish Infineon, there's a very high chance it was generated using their hardware, although it isn't impossible that it was selected by other means. The authors could give firm numbers, but I have estimated the false positive rate as no more than 1 in 2 million. If any of the remainders are "wrong" then your keys weren't generated using this Infineon library; there is no "false negative" rate.

I believe the November paper will _not_ announce a new category of RSA weak keys, but instead will describe how to get better than chance rates of guessing RSA private key bits from the public modulus _if_ the key was generated using Infineon's library. Such knowledge can be leveraged into a cost-effective attack using existing known techniques.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
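The residue check described in the post, as an added example that is not code from the thread or from the paper's authors. It generalizes the mod-11 observation using the published structure of the affected moduli: for each small prime p, the remainder lies in the subgroup of (Z/pZ)* generated by the public exponent 65537, which for p = 11 is exactly {1, 10}; the sample modulus is constructed to have that residue structure and is not a real key.

```python
# Added example: the small-prime residue fingerprint of Infineon-generated RSA
# moduli. Assumption (published ROCA structure): N mod p is a power of 65537
# mod p for every small prime p; for p = 11 that gives {1, 10} as in the post.
from math import prod

E = 65537  # public exponent whose powers the remainders follow

def small_primes(limit: int) -> list[int]:
    """Odd primes up to limit (plain sieve)."""
    sieve = bytearray([1]) * (limit + 1)
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [p for p in range(3, limit + 1) if sieve[p]]

def allowed_residues(p: int) -> set[int]:
    """Remainders mod p an Infineon-style modulus can have: {E^k mod p}."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * E % p
    return seen

def residue_mask(p: int) -> int:
    """Same information as the paper's bitmasks: bit r set iff remainder r is allowed."""
    return sum(1 << r for r in allowed_residues(p))

def informative_primes(limit: int = 167) -> list[int]:
    """Primes whose allowed set is a proper subset of the nonzero residues;
    for p = 3, 5, 7 every remainder is allowed, so they cannot exclude a key."""
    return [p for p in small_primes(limit) if len(allowed_residues(p)) < p - 1]

def matches_fingerprint(n: int, primes=None) -> bool:
    """True iff every remainder is allowed; one 'wrong' remainder rules Infineon out."""
    primes = primes or informative_primes()
    return all((residue_mask(p) >> (n % p)) & 1 for p in primes)

def false_positive_bound(primes=None) -> float:
    """Fraction of unrelated moduli (uniform nonzero remainder mod each p) that pass."""
    primes = primes or informative_primes()
    return prod(len(allowed_residues(p)) / (p - 1) for p in primes)

def constructed_modulus(k: int, t: int, primes=None) -> int:
    """Constructed sample with the Infineon residue pattern: E^k mod M plus a
    multiple of M, where M is the product of the small primes (not a real key)."""
    M = prod(primes or informative_primes())
    return pow(E, k, M) + t * M
```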