77
edits
Changes
Jump to navigation
Jump to search
m
→Hardware
Line 91:
Line 91:
However, when setting a keyslot's modulus, the RSA hardware leaves the exponent alone. This allows retrieving the exponent by doing a discrete logarithm of the output.
However, when setting a keyslot's modulus, the RSA hardware leaves the exponent alone. This allows retrieving the exponent by doing a discrete logarithm of the output.
−By setting the modulus to a prime number whose modular multiplicative order is "smooth" (that is, p-1 is divisible by only small prime numbers), discrete logarithms can be calculated quickly using the [//en.wikipedia.org/wiki/Pohlig%E2%80%93Hellman_algorithm Pohlig-Hellman algorithm]. If the prime chosen is greater than the modulus, but the same bit size, the discrete logarithm is the private exponent.
+By setting the modulus to a prime number whose modular multiplicative order is "smooth" (that is, p-1 is divisible by only small prime numbers), discrete logarithms can be calculated quickly using the [[wikipedia:Pohlig-Hellman algorithm|Pohlig-Hellman algorithm]]. If the prime chosen is greater than the modulus, but the same bit size, the discrete logarithm is the private exponent.
This exploit's usefulness is limited: these four keyslots' values are only used in current firmware for deriving the 6.x save and 7.x NCCH keys, which were already known. Additionally, with a boot ROM dump, this exploit is moot; these private keys are located in the protected ARM9 boot ROM.
This exploit's usefulness is limited: these four keyslots' values are only used in current firmware for deriving the 6.x save and 7.x NCCH keys, which were already known. Additionally, with a boot ROM dump, this exploit is moot; these private keys are located in the protected ARM9 boot ROM.