Andrew Mayo, senior system architect at 1E, wrote this intriguing article about ROCA vulnerability and how it raises some important issues about the design of secure cryptographic software. The vulnerability is not in this case an obvious coding error such as a buffer overflow, or the use of a poor quality random number generator.
In this case, vulnerability arose from what probably seemed like a reasonable software engineering decision. In summary, the researchers studied the statistical properties of a large sample of public keys. These are not normally easy to obtain, but the Estonian government had set up a public directory, associated with their national ID card. Since, by definition, these are public keys that’s a perfectly reasonable thing to do.
In theory, it’s almost impossible to derive the private key from the public key unless enormous amounts of computer time are expended.
Researchers analyzed the statistical properties of these public keys. They found that the keys were not truly random, as they should be. This meant that it was possible to derive the private key from the public key in days, rather than the expected thousands of years.
Article then explains and points to further resources to help with explanation how RSA algorithm requires that the prime numbers (which can contain thousands of digits) have certain additional properties and how keys are generated using rusted Platform Modules (TPMs). A TPM is a hardware device used to generate and manage keys securely. Good read!