3DS System Flaws: Difference between revisions
→Hardware: Pohlig-Hellman attack on boot ROM RSA keyslot keys |
|||
| Line 85: | Line 85: | ||
| | | | ||
| Everyone | | Everyone | ||
|- | |||
| RSA keyslots don't clear exponent when setting modulus | |||
| The [[RSA_Registers|RSA keyslots]] are set by boot ROM to have four private RSA keys. The exponent value in the RSA registers is write-only and not readable. | |||
However, when setting a keyslot's modulus, the RSA hardware leaves the exponent alone. This allows retrieving the exponent by doing a discrete logarithm of the output. | |||
By setting the modulus to a prime number whose modular multiplicative order is "smooth" (that is, p-1 is divisible by only small prime numbers), discrete logarithms can be calculated quickly using the [//en.wikipedia.org/wiki/Pohlig%E2%80%93Hellman_algorithm Pohlig-Hellman algorithm]. If the prime chosen is greater than the modulus, but the same bit size, the discrete logarithm is the private exponent. | |||
This exploit's usefulness is limited: these four keyslots' values are only used in current firmware for deriving the 6.x save and 7.x NCCH keys, which were already known. Additionally, with a boot ROM dump, this exploit is moot; these private keys are located in the protected ARM9 boot ROM. | |||
| None | |||
| New3DS | |||
| March 2016 | |||
| [[User:Myria|Myria]] | |||
|} | |} | ||