- Stay current
- Use robust key lengths
- Manage keys/passwords carefully
- And most importantly, only use FIPS 140-2 validated encryption.
In general, FIPS 140-2 has always been the gold standard of encryption, and trust in FIPS 140-2 has been a cornerstone of being able to trust most security products available today.
However, that trust is now under attack.
The Arstechnica article below provides an alarming report, describing how between 2006 and 2007 the Taiwan government issued at least 10,000 flawed smart cards. These smart cards were designed to be used by Taiwanese citizens for many sensitive transactions, including activities such as submitting tax returns. The cards with the flaw had virtually useless encryption, putting at risk any data "protected" by the cards. The gist of the Arstechnica article is that these failures occurred in spite of the cards being FIPS 140-2 validated, and that the FIPS 140-2 validation process is broken.
But reading the research paper which the Arstechnica article is based on suggests that it's not as simple as that...
Despite being FIPS 140-2 validated, it turns out that the random number generator used by the card (technically, the "Renesas AE45C1 smart card microcontroller" used by the card) "sometimes fails", producing (non)random numbers that can lead to certificates which are easily compromised. This is exactly the type of failure mode that FIPS 140-2 is designed to catch. However, the generator on this card had an optional "health check" which was intended to detect when the random number generator was failing. Not surprisingly, the FIPS 140-2 validation for the card only applies if this health check is enabled. In other words, if the health check is turned off, as it was on the 10,000 or so broken cards, FIPS 140-2 does not apply and you're on your own using these cards.
Here's the way the research report describes the problem (MOICA is the agency which issued the cards):
"Unfortunately, the hardware random-number generator on the AE45C1 smart card microcontroller sometimes fails, as demonstrated by our results. These failures are so extreme that they should have been caught by standard health tests, and in fact the AE45C1 does offer such tests. However, as our results show, those tests were not enabled on some cards. This has now also been confirmed by MOICA. MOICA’s estimate is that about 10000 cards were issued without these tests, and that subsequent cards used a “FIPS mode” (see below) that enabled these tests"
This is pretty standard, if you look at FIPS 140-2 validation reports, or Common Criteria evaluations, you'll always see a very precise description of exactly how the product must be configured in order for the validation to apply. It's common to see that FIPS 140-2 validated software or hardware has a "FIPS mode", which must be enabled for the validation to apply.
Looking at the FIPS 140-2 certificate for at least one version of this chip (https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Zertifizierung/Reporte02/0212a_pdf.pdf), the report specifically says "postprocessing should be included in the users embedded software", which I believe is a requirement to include the health check.
Clearly, this was a horrific failure. The Taiwanese government issued a bunch of smart cards which were used to authenticate citizens and protect sensitive data, that were completely broken. Yes, the folks producing the card made a critical mistake. But placing this at the feet of FIPS 140-2 is, IMHO, missing the point.
It would be nice if FIPS 140-2 meant a product was idiot proof, but that's not the way the world works. Encryption is complicated and has to be done correctly or it doesn't work. The whole purpose of the FIPS 140-2 testing regime is to ensure that encryption has been rigorously tested under controlled conditions ... and most importantly, to document those conditions so that we know how to use it in a way that can be trusted. Just because something is FIPS 140-2 validated doesn't mean it's idiot proof or that it can't be configured insecurely.
In any event, in my opinion, despite being very clear about what they did and didn't do when testing this chip - NIST's reputation has been badly tarnished and it will take significant time and effort on their part to undo the damage. I guess even a gold standard can tarnish sometimes ...
Here's the Arstechnica article describing the failure:
http://arstechnica.com/security/2013/09/fatal-crypto-flaw-in-some-government-certified-smartcards-makes-forgery-a-snap/2/
Here's the actual research paper describing the findings:
http://smartfacts.cr.yp.to/smartfacts-20130916.pdf
A very good overview of the problem provided by the researchers:
http://smartfacts.cr.yp.to/index.html
Tin-Foil Hat Addendum
Given the <euphemism>crisis of trust</euphemism> that the NSA, and the US Government, is currently going through - including accusations that the NSA has been surreptitiously weakening encryption products, it's very hard to avoid the theory that the NSA might have had a hand in this failure. That's certainly possible in this case, but there's nothing to suggest that the lab issuing the FIPS 140-2 validation was complicit in this failure.
BTW, given the relationship between Taiwan and Mainland China, I've always assumed that Taiwan is constantly under cyber attack by China. Putting on my second layer of tin-foil headgear, could this be the result of a Chinese effort, not an American one? I'm sure the NSA is very good, but China is certainly no cyber-slouch either, and they might have a better pool of human resources on the ground in Taiwan - which would have simplified introducing this vulnerability into the card.
Finally, removing my tin-foil hats for a second, this could simply be a screw up. Broken products get shipped every day, and encryption errors like this are subtle and hard to notice when present in only a very small percentage of the cards.
