3DS System Flaws: Difference between revisions
→Hardware: Pohlig-Hellman attack on boot ROM RSA keyslot keys |
Einstein95 (talk | contribs)
Line 91: | Line 91: | ||
However, when setting a keyslot's modulus, the RSA hardware leaves the exponent alone. This allows retrieving the exponent by doing a discrete logarithm of the output. | However, when setting a keyslot's modulus, the RSA hardware leaves the exponent alone. This allows retrieving the exponent by doing a discrete logarithm of the output. | ||
By setting the modulus to a prime number whose modular multiplicative order is "smooth" (that is, p-1 is divisible by only small prime numbers), discrete logarithms can be calculated quickly using the [ | By setting the modulus to a prime number whose modular multiplicative order is "smooth" (that is, p-1 is divisible by only small prime numbers), discrete logarithms can be calculated quickly using the [[wikipedia:Pohlig-Hellman algorithm|Pohlig-Hellman algorithm]]. If the prime chosen is greater than the modulus, but the same bit size, the discrete logarithm is the private exponent. | ||
This exploit's usefulness is limited: these four keyslots' values are only used in current firmware for deriving the 6.x save and 7.x NCCH keys, which were already known. Additionally, with a boot ROM dump, this exploit is moot; these private keys are located in the protected ARM9 boot ROM. | This exploit's usefulness is limited: these four keyslots' values are only used in current firmware for deriving the 6.x save and 7.x NCCH keys, which were already known. Additionally, with a boot ROM dump, this exploit is moot; these private keys are located in the protected ARM9 boot ROM. |
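Review bot: In the revised second paragraph, the closing sentence ("If the prime chosen is greater than the modulus, but the same bit size, the discrete logarithm is the private exponent") uses "the modulus" ambiguously, because the sentence before it has just set the keyslot's modulus to the chosen prime. Suggest "greater than the keyslot's original modulus". The same paragraph describes the prime's "modular multiplicative order" as smooth while the parenthetical defines smoothness through p-1. Name the quantity once, as the order p-1 of the multiplicative group modulo p. It would also help to state why the size condition is needed: a discrete logarithm is only determined modulo the order of the base, so the result equals the private exponent only when that order exceeds the exponent, for example when the input value generates the full group.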