A crippling flaw affecting millions—and possibly hundreds of millions—of encryption keys used in some of the highest-stakes security settings is considerably easier to exploit than originally reported, cryptographers declared over the weekend. The assessment came as Estonia abruptly suspended 760,000 national ID cards used for voting, filing taxes, and encrypting sensitive documents.
The critical weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs. When researchers first disclosed the flaw three weeks ago, they estimated it would cost an attacker renting time on a commercial cloud service an average of $38 and 25 minutes to break a vulnerable 1024-bit key and $20,000 and nine days for a 2048-bit key.
Organizations known to use keys vulnerable to ROCA—named for the Return of the Coppersmith Attack the factorization method is based on—have largely downplayed the severity of the weakness. Estonian officials initially said the attack was “complicated and not cheap” and went on to say: “Large-scale vote fraud is not conceivable due to the considerable cost and computing power necessary of generating a private key.” Netherlands-based smartcard maker Gemalto, meanwhile, has said only that its IDPrime.NET—a card it has sold for more than a decade as, among other things, a way to provide two-factor authentication to employees of Microsoft and other companies—”may be affected” without providing any public guidance to customers.