Flaw in digital ID cards resolved long ago: ministry
CNATAIPEI -- Digital ID cards found to have flawed encryption systems were replaced as soon as the problem was identified, the Ministry of Interior (MOI) said Thursday in response to a report earlier in the week that security flaws threatened Taiwanese citizens' personal data.
September 20, 2013, 12:21 am TWN
The 163 flawed encryption keys in Citizen Digital Certificates, an authentication card for online tax payments and other services, were discovered by an MOI backed research team last year, the ministry said.
The easily cracked keys been issued before 2011, when the certificates' encryption standards were upgraded from 1024 bits to 2048 bits, the MOI said.
They were swapped for higher security variants in July of last year, according to the ministry.
A flawed random number generating process should have made sure that crypto keys for Taiwan's 2.2 million Citizen Digital Certificates had no discernable patterns that would leave them vulnerable to attack, but ended up creating the 163 problematic keys, as well, it said.
U.S. technology news site Ars Technica reported on the problem Monday (local time), citing a team of researchers who discovered they could crack the keys with startling ease.
The research team, composed of members in Taiwan, the U.S. and the Netherlands, found a total 184 “fatally flawed” cryptographic keys, slightly different from the number found by the MOI.
They informed Taiwan of their early findings last year, prompting the MOI to confirm the number of the affected keys, according to researchers.
Ars Technica's report notes that while fewer than 200 flawed keys out of 2.2 million may seem like a small number, it's indicative of a “significant” flaw in Taiwan's “technologically advanced government (which tries to) follow the best practices,” in the words of the researchers.
The research team will present their findings later this year at Asiacrypt 2013 in Bangalore, India.