On 17/10/17 20:36, Nick Lamb via dev-security-policy wrote:
> The bitmasks are effectively lists of expected remainders for each small prime,
> if your modulus has an expected remainder for all the 20+ small primes that
> distinguish Infineon, there's a very high chance it was generated using their
> hardware

Yup, that seems to be it. In fact, according to [1], those lists are just an optimization for the check N^r = 1 mod p for various values of r,p (plus some dummy entries with all bits but bit 0 set to 1, which are useless and apparently further obfuscation; they can be removed to speed up the test with no effect on the outcome). I believe further tests can be constructed following that same pattern to further reduce the false positive rate.

Here's a non-obfuscated version of the modulus check without the redundant entries:

https://mrcn.st/p/MOEoh2EH

(It's kind of sad seeing trivial obfuscation in a tool like this; come on guys, this isn't going to slow anyone down, it just makes you look silly.)

FWIW, I tested 8 keys generated by affected Yubikeys and all failed the test (as in were detected), so it seems this issue affects 100% of generated keys, not just some fraction (or at least 100% of keys generated on affected hardware are detected by the test tool regardless of how vulnerable they are).

[1] https://crypto.stackexchange.com/questions/52292/what-is-fast-prime

--
Hector Martin "marcan"
Public key: https://mrcn.st/pub
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
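To make the modulus check described in the message concrete, here is an added example (my own code, not the de-obfuscated script linked at mrcn.st and not the detection tool's code) that derives the (r, p) pairs, shows why the "all bits but bit 0" entries are no-ops, and shows that the tool's remainder bitmasks are exactly the sets accepted by the N^r == 1 (mod p) test. It assumes, per the ROCA paper, that RSALib primes have the form k*M + (65537^a mod M), so r is the multiplicative order of 65537 modulo each small prime; the two sample moduli are constructed values, not real keys.

```python
# Added example, not the linked script: the ROCA fingerprint as N^r == 1 (mod p)
# tests. Assumes (ROCA paper) RSALib primes are k*M + (65537^a mod M), so r is
# the multiplicative order of 65537 modulo each small prime p.
from functools import reduce
GENERATOR = 65537

def small_primes(limit):
    return [n for n in range(3, limit) if all(n % d for d in range(2, n))]

def mult_order(g, p):
    """Multiplicative order of g modulo prime p (brute force; p is tiny)."""
    x, r = g % p, 1
    while x != 1:
        x, r = (x * g) % p, r + 1
    return r

def fingerprint_tests(limit=168):
    """(p, r) pairs: a fingerprinted N satisfies N^r == 1 (mod p). Primes where
    65537 generates all of Z_p^* accept any N and are dropped -- these are the
    useless 'all bits but bit 0 set' dummy entries mentioned in the post."""
    tests = []
    for p in small_primes(limit):
        r = mult_order(GENERATOR, p)
        if r != p - 1:
            tests.append((p, r))
    return tests

def subgroup_mask(p):
    """Expected-remainder bitmask as the tool lists it: bit i set iff i is a
    power of 65537 modulo p."""
    mask, x = 0, 1
    for _ in range(p - 1):
        mask |= 1 << x
        x = (x * GENERATOR) % p
    return mask

def residue_mask(p, r):
    """The same mask derived from the power test: bit i set iff i^r == 1 (mod p)."""
    return sum(1 << i for i in range(1, p) if pow(i, r, p) == 1)

def has_fingerprint(n, tests=None):
    """True when n passes every test, i.e. looks like it came from RSALib."""
    return all(pow(n, r, p) == 1 for p, r in (tests or fingerprint_tests()))

# Constructed samples, not real keys. N_FP mimics RSALib: each factor is
# k*M + 65537^a mod M, so the product inherits the fingerprint.
TESTS = fingerprint_tests()
M = reduce(lambda a, b: a * b, (p for p, _ in TESTS))
N_FP = (5 * M + pow(GENERATOR, 1234, M)) * (9 * M + pow(GENERATOR, 4321, M))
N_OTHER = 11 * 2**250 + 2  # 2 mod 11 is not a power of 65537 mod 11: rejected
```

Note that the test only depends on N modulo the small primes, so it fingerprints the generator regardless of whether a particular key is practically factorable, which matches the observation that every key from affected hardware is flagged.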
