The researchers said they informed officials in Taiwan's government of the problems and were told that as many as 10,000 cards might suffer similar weaknesses. The estimate, the researchers told Ars, were based on internal records from the Ministry of Interior Certificate Authority and Chunghwa Telecom, Taiwan's official digital certificate authority and the smartcard manufacturer, respectively.

"The government claims that they will track down and replace all the flawed cards but hasn't done so at the time of writing," the researchers told Ars. "So everybody with an RSA-1024 card could have a weak one." The newer RSA 2048-bit cards they examined didn't suffer from the same weaknesses, although they didn't rule out the possibility those cards contain more subtle flaws that make them just as vulnerable.

Not the first time

The discovery has roots in research published last year that made another astonishing discovery: four of every 1,000 1024-bit keys found on the Internet provided no cryptographic security at all. The reason: as with Taiwan's Citizen Digital Certificate keys, the almost 27,000 cryptographically worthless keys they found shared primes with at least one other key. One of the research teams that discovered the keys later released a detailed analysis of what went wrong. Since almost all the keys were from "self-signed" certificates used to protect routers and other devices, the researchers speculated the hardware lacked the robust RNGs found in more advanced platforms and applications.

Two of the three mathematical techniques used to factor the keys in the Taiwanese smartcards are well-known and unsophisticated. They are trial division and use of things like the Binary Greatest Common Divisory Algorithm for finding greatest common divisors. A third technique know as Coppersmith's attack is significantly more advanced, and the researchers said it represents the first recorded time it has been used to break a cryptographic system.

All three techniques can be carried out on unsophisticated computers to factor weak keys in a matter of hours. Using the same methods and hardware to factor 1024-bit keys that are generated properly would "not have found those primes within the expected lifetime of the universe," the researchers said. (Other, more sophisticated algorithms, when carried out on supercomputers, represent a much bigger threat to 1024-bit keys.)

"Our results make it pretty clear that the more computational effort we expend, the more keys we were able to factor," the researchers wrote. "We did enough computation to illustrate the danger, but a motivated attacker could easily go further."

As crucial as random number generation (RNG) is to cryptographic security, the task remains maddeningly difficult to do. It requires a computer to carry out what scientists call non-deterministic behavior, which typically causes malfunctions in most other contexts. Frequently, extremely subtle bugs can cause RNGs, assumed to be robust, to produce highly predictable output. One example was an almost catastrophic vulnerability in the Debian distribution of Linux. The overlooked bug caused vulnerable machines to generate dangerously weak cryptographic keys for more than 20 months before it was diagnosed and fixed in mid 2008.

To prevent these common mistakes, standards bodies sponsored by governments around the world have created a set of rigid criteria cryptographic systems must pass to receive certifications that can be trusted. The certifications are often a condition of a hardware or software platform being adopted or purchased by the government agency or contractor.

But despite passing both the FIPS 140-2 Level 2 and Common Criteria standards, the RNG process used to generate the weak cards clearly didn't meet their mandated requirements. FIPS 140, for instance, specifies that output of a hardware RNG on the processor of the smartcard must (a) be fed through tests to check whether it's random and unbiased, and only then can the output (b) be used as a seed for a so-called deterministic random bit generator, which in many settings is referred to as a pseudo RNG. The hardware RNG was provided by the AE45C1, a CPU manufactured by Renesas that sits on top of the smartcard. The deterministic random bit generator was driven by the smartcard firmware provided by Chunghwa Telecom.

"It's pretty clear that neither step happened in this case," the researchers told Ars. "Even without performing step (a), step (b) should have made the keys appear individually random, even if they were not. Instead, the factored keys contained long strings of 0 bits or periodic bit patterns that suggest that step (b) was skipped, and what we see is the direct unwhitened output from the malfunctioning hardware."

The seven researchers are Daniel J. Bernstein, Yun-An Chang, Chen-Mou Cheng, Li-Ping Chou, Nadia Heninger, Tanja Lange, and Nicko van Someren. More information about them and their findings is available here. The failure has implications not only for the citizens of Taiwan but for internationally certified cryptographic technologies everywhere.

"It is a common practice to advertise chips as certified if they get certification on some part of it, but the certification actually means very little," the researchers told Ars. "The whole system is broken. "Two certifications didn't stop the bad hardware RNG on the card; how can we trust them to find more sophisticated flaws such as intentional back doors?"