Changes

20 bytes removed ,  07:15, 11 January 2017
m
Line 91: Line 91:  
However, when setting a keyslot's modulus, the RSA hardware leaves the exponent alone.  This allows retrieving the exponent by doing a discrete logarithm of the output.
 
However, when setting a keyslot's modulus, the RSA hardware leaves the exponent alone.  This allows retrieving the exponent by doing a discrete logarithm of the output.
   −
By setting the modulus to a prime number whose modular multiplicative order is "smooth" (that is, p-1 is divisible by only small prime numbers), discrete logarithms can be calculated quickly using the [//en.wikipedia.org/wiki/Pohlig%E2%80%93Hellman_algorithm Pohlig-Hellman algorithm].  If the prime chosen is greater than the modulus, but the same bit size, the discrete logarithm is the private exponent.
+
By setting the modulus to a prime number whose modular multiplicative order is "smooth" (that is, p-1 is divisible by only small prime numbers), discrete logarithms can be calculated quickly using the [[wikipedia:Pohlig-Hellman algorithm|Pohlig-Hellman algorithm]].  If the prime chosen is greater than the modulus, but the same bit size, the discrete logarithm is the private exponent.
    
This exploit's usefulness is limited: these four keyslots' values are only used in current firmware for deriving the 6.x save and 7.x NCCH keys, which were already known.  Additionally, with a boot ROM dump, this exploit is moot; these private keys are located in the protected ARM9 boot ROM.
 
This exploit's usefulness is limited: these four keyslots' values are only used in current firmware for deriving the 6.x save and 7.x NCCH keys, which were already known.  Additionally, with a boot ROM dump, this exploit is moot; these private keys are located in the protected ARM9 boot ROM.
77

edits