Raising troubling questions about the reliability of government-mandated cryptography certifications used around the world, scientists have unearthed flaws in Taiwan's secure digital ID system that allow attackers to impersonate some citizens who rely on it to pay taxes, register cars, and file immigration papers.
The crippling weaknesses uncovered in the Taiwanese Citizen Digital Certificate program cast doubt on whether certifications designed to ensure that cryptographic protections used by governments and other sensitive organizations can't be circumvented by adversaries actually do their job, the scientists reported in a research paper scheduled to be presented later this year at the Asiacrypt 2013 conference in Bangalore, India. The flaws may highlight shortcomings in similar cryptographic systems used by other governments around the world, since the vulnerable smartcards used in the Taiwanese program passed the FIPS 140-2 Level 2 and the Common Criteria standards. The certifications, managed by the National Institute of Standards and Technology (NIST) and its counterparts all over the world, impose a rigid set of requirements on all cryptographic hardware and software used by a raft of government agencies and contractors.
“Trivially broken keys”
The team of scientists uncovered what their paper called a "fatal flaw" in the hardware random number generator (RNG) used to ensure the numbers that form the raw materials of crypto keys aren't based on discernible patterns. Randomness is a crucial ingredient in ensuring adversaries can't break the cryptographic keys underpinning the smartcards issued to Taiwanese citizens.
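To make the randomness point concrete, here is an added example (not code from the article or the researchers' paper) of a key-hygiene audit a certificate issuer could run over the public keys it has issued. It assumes the keys are RSA, which the passage above does not specify; the function name `audit_moduli` and the toy-sized sample moduli are constructed for illustration.

```python
from itertools import combinations
from math import gcd


def audit_moduli(moduli):
    """Flag RSA public moduli that show symptoms of a weak key-generation RNG.

    Returns a dict of index sets:
      "duplicate"    - moduli identical to another one in the collection
      "shared_prime" - distinct moduli with a common factor, meaning the RNG
                       emitted the same prime for two different cards
    Only public values are needed, so an issuer can run this over its own
    certificate directory without touching any private key.
    """
    duplicate, shared_prime = set(), set()
    # Pairwise comparison is quadratic; very large collections need a
    # product-tree (batch GCD) variant of the same check.
    for (i, a), (j, b) in combinations(enumerate(moduli), 2):
        if a == b:
            duplicate.update((i, j))
        elif gcd(a, b) > 1:
            shared_prime.update((i, j))
    return {"duplicate": duplicate, "shared_prime": shared_prime}


# Constructed sample data: toy primes stand in for the 512-bit (or larger)
# primes of real keys. Keys 1 and 2 reuse the prime 107; keys 3 and 4 are
# the same modulus issued twice; key 0 is healthy.
SAMPLE_MODULI = [
    101 * 103,
    107 * 109,
    107 * 113,
    127 * 131,
    127 * 131,
]

if __name__ == "__main__":
    report = audit_moduli(SAMPLE_MODULI)
    print("identical moduli :", sorted(report["duplicate"]))
    print("shared prime     :", sorted(report["shared_prime"]))
```

Any key this audit flags should be revoked and reissued from a different entropy source, because a properly random generator would essentially never produce such a collision.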