Raising troubling questions about the reliability of government-mandated cryptography certifications used around the world, scientists have unearthed flaws in Taiwan's secure digital ID system that allow attackers to impersonate some citizens who rely on it to pay taxes, register cars, and file immigration papers.

The crippling weaknesses uncovered in the Taiwanese Citizen Digital Certificate program cast doubt on certifications designed to ensure that cryptographic protections used by governments and other sensitive organizations can't be circumvented by adversaries, the scientists reported in a research paper scheduled to be presented later this year at the Asiacrypt 2013 conference in Bangalore, India. The flaws may highlight shortcomings in similar cryptographic systems used by other governments around the world, since the vulnerable smartcards used in the Taiwanese program were advertised as having passed the FIPS 140-2 Level 2 and the Common Criteria standards. The certifications, managed by the National Institute of Standards and Technology (NIST) and its counterparts all over the world, impose a rigid set of requirements on all cryptographic hardware and software used by a raft of government agencies and contractors.

“Trivially broken keys”

The team of scientists uncovered what their paper called a "fatal flaw" in the hardware random number generator (RNG) used to ensure the numbers that form the raw materials of crypto keys aren't based on discernible patterns. Randomness is a crucial ingredient in ensuring adversaries can't break the cryptographic keys underpinning the smartcards issued to Taiwanese citizens.

Out of slightly more than 2 million 1024-bit RSA keys the researchers examined, an astonishing 184 keys were generated so poorly they could be broken in a matter of hours using known mathematical methods and standard computers to find the large prime numbers at their core. Had the keys been created correctly, breaking them so quickly would have required a large supercomputer or botnet. That even such a small percentage of keys were found to be so easily broken underscores the fragility of cryptographic protections millions of people increasingly rely on to shield their most intimate secrets and business-sensitive secrets.

"The findings are certainly significant for the citizens who have been issued flawed cards, since any attacker could impersonate them online," the research team wrote in an e-mail to Ars. "More broadly, our research should give pause to any of the many countries that are rolling out this kind of national public key infrastructure. These smart cards were certified to respected international standards of security, and errors led to them generating trivially broken cryptographic keys. If a technologically advanced government trying to follow best practices still has problems, who can get this right?"

Stacking the deck

The research is being published two weeks after documents leaked by former National Security Agency (NSA) contractor Edward Snowden outlined the covert hand intelligence agents have played in deliberately weakening international encryption standards. As a result, the NSA and its counterparts in the UK can most likely bypass many of the encryption technologies used on the Internet. Cryptographers involved in, and independent of, the research agreed that the weaknesses exposed in the paper were almost certainly the result of human error, rather than deliberate sabotage. They based that assessment on the observation that the predictable patterns caused by the malfunctioning PRNG were so easy to spot.

"Some of the primes discovered in this work are so obviously non-random that, if they were the result of deliberate weaknesses, then I'd be asking for my money back from my three-letter agency," Kenneth G. Paterson, a Royal Holloway scientist who has seen the paper, told Ars. "Because they would clearly not have been doing a very good job in hiding their footprints."

Still, the fact that Taiwan's extremely weak RNGs passed stringent validation processes is troubling. An RNG that picks prime numbers in predictable ways is in some ways the cryptographic equivalent of a blackjack croupier who arranges a deck of cards so they're dealt in a way that puts the gambler at a disadvantage. Properly implemented RNGs, to extend the metaphor, are akin to a relief dealer who thoroughly shuffles the deck, an act that in theory results in the strong likelihood the cards never have and never again will be arranged in that exact same order.

There's no way to rule out the possibility that the NSA, or intelligence agencies from other nation states, already knew about the vulnerability in Taiwan's crypto program or about programs in other countries that may suffer from similar weaknesses. The inability of the certifications to spot the fatally flawed RNGs suggests the standards offer far less protection than many may think against subtle flaws that either were intentionally engineered by intelligence agencies or were exploited after being discovered by them.

The researchers began their project by examining almost 2.2 million of the Taiwanese digital certificates secured with 1024-bit keys (newer cards have 2048-bit RSA keys). By scanning for pairs of distinct numbers that shared a common mathematical divisor, they quickly identified 103 keys that shared prime numbers.
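The shared-divisor scan described above can be run by a certificate issuer as an audit over the public moduli it has already published. The sketch below is an added example, not the researchers' code: it uses the well-known product-tree and remainder-tree "batch GCD" method so that every modulus is compared against all the others without testing each pair, and the sample moduli are constructed from toy-sized primes purely for illustration.

```python
from math import gcd, prod

def product_tree(values):
    """Levels of pairwise products; the last level holds the product of all."""
    levels = [list(values)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([prod(cur[i:i + 2]) for i in range(0, len(cur), 2)])
    return levels

def batch_gcd(moduli):
    """For each modulus n, return gcd(n, product of all the other moduli)."""
    levels = product_tree(moduli)
    rems = levels.pop()                      # [P], P = product of every modulus
    while levels:
        cur = levels.pop()
        # Push P down the tree, reducing modulo the square of each node.
        rems = [rems[i // 2] % (v * v) for i, v in enumerate(cur)]
    # (P mod n^2) / n equals (P / n) mod n, so this is gcd(n, P / n).
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]

def audit(moduli):
    """Map each modulus that shares a prime with another one to its factors."""
    unique = sorted(set(moduli))             # identical keys are a separate finding
    weak = {}
    for n, g in zip(unique, batch_gcd(unique)):
        if g == 1:
            continue                         # no factor in common with any other key
        if g == n:                           # both primes are shared: go pairwise
            g = next(d for m in unique if m != n
                     for d in [gcd(n, m)] if 1 < d < n)
        weak[n] = tuple(sorted((g, n // g)))
    return weak

# Constructed sample: toy primes stand in for the 512-bit primes of a real key.
SAMPLE = [
    101 * 103,   # shares 101 with the next modulus
    101 * 107,   # shares 101 and 107, so both of its primes are exposed
    109 * 113,   # healthy
    127 * 131,   # healthy
    107 * 137,   # shares 107
    101 * 103,   # exact duplicate of the first entry
]

if __name__ == "__main__":
    for n, (p, q) in audit(SAMPLE).items():
        print(f"{n} = {p} * {q}  (shares a prime with another key)")
```

Any modulus this audit reports belongs to a key that should be revoked and reissued, since its private key can be computed from public data alone.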

A little more than 100 keys that shared primes out of a pool of 2 million makes for a minuscule percentage, but in the eye of a trained cryptographer, it flags a fatal error. When generating a 1024-bit RSA key, there are an almost incomprehensible 2^502 prime numbers that can be picked to form its mathematical DNA, Mark Burnett, an IT security analyst and author, estimates. That's many orders of magnitude more than the 2^266 atoms in the known universe. If all these primes are properly mixed up and evenly distributed in a large digital pot—as is supposed to happen when being processed by a correctly functioning RNG—no prime should ever be picked twice. By definition a prime is a number greater than one that has no positive divisors other than 1 and itself.

And yet, 103 of the keys flagged by the researchers factored into 119 primes. The anomaly was the first unambiguous sign that something horribly wrong had gone on during the key-generation process for the Taiwanese smartcards. But it wasn't the only indication of severe problems. The researchers sifted through the shared primes and noticed visible patterns of non-randomness that allowed them to factor an additional 81 keys, even though they didn't share primes. Once the primes are discovered, the underlying key is completely compromised. Anyone with knowledge of the primes can impersonate the legitimate card holder by forging the person's digital signature, reading their encrypted messages, and accessing any other privileges and capabilities afforded by the card.