Interior ministry says flawed digital ID cards replaced

Staff writer, with CNA

Fri, Sep 20, 2013 - Page 3

In response to a report on Monday that security flaws threatened the personal data of Taiwanese, the Ministry of the Interior yesterday said that digital ID cards found to have flawed encryption systems were replaced as soon as the problem was identified.

The 163 flawed encryption keys in Citizen Digital Certificates, authentication cards used for online tax payments and other services, were discovered by a ministry-backed research team last year, the ministry said.

The easily cracked keys had been issued before 2011, when the certificates’ encryption standards were upgraded from 1,024 bits to 2,048 bits, the ministry said.

They were swapped for higher-security variants in July last year, the ministry said.

A random number generating process should have ensured that the cryptographic keys of Taiwan’s 2.2 million Citizen Digital Certificates had no discernible patterns that could leave them vulnerable to attack, but it ended up creating the 163 problematic keys, the ministry said.

US technology news site Ars Technica reported on the problem on Monday, citing a team of researchers who found they could crack the keys with ease.

The researchers, from Taiwan, the US and the Netherlands, found 184 “fatally flawed” cryptographic keys. They informed Taiwan of their early findings last year, prompting the ministry to confirm the number of affected keys, the researchers said.

Ars Technica’s report said that while fewer than 200 flawed keys out of 2.2 million may seem like a small number, it shows a “significant” flaw in Taiwan’s “technologically advanced government [which tries to] follow the best practices.”

The research team will present their findings later this year at the Annual International Conference on the Theory and Application of Cryptology and Information Security in Bangalore, India.