Factoring RSA keys from certified smart cards:
Coppersmith in the wild

Certification

The Renesas HD65145C1 chip is a "High-Security 16-bit Smart Card Microcontroller" including an AE45C1 CPU core. This chip is used in many high-security applications, including banking. This chip received a "Deutsches IT-Sicherheitszertifikat" (German Information Technology Security Certificate) from the Bundesamt für Sicherheit in der Informationstechnik (Federal Office for Information Security), certifying that the chip was conformant with Protection Profile BSI-PP-0002-2001 at Common Criteria assurance level EAL4+, after testing by T-Systems GEI GmbH, a recognised Information Technology Security Evaluation Facility:

• Target of evaluation for version 1 of the chip: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Zertifizierung/Reporte02/0212b_pdf.pdf?__blob=publicationFile (mirror)
• Certificate for version 1 ("the TOE fulfills the claimed strength of function for the ... SF.RNG"): https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Zertifizierung/Reporte02/0212a_pdf.pdf?__blob=publicationFile (mirror)
• Target of evaluation for version 2 of the chip: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Zertifizierung/Reporte02/0212b_ma1_pdf.pdf?__blob=publicationFile (mirror)
• Certificate for version 2: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Zertifizierung/Reporte02/0212b_ma1_pdf.pdf?__blob=publicationFile (mirror)

The Renesas HD65145C1 was used in the Chunghwa Telecom HICOS PKI Smart Card. This card received a FIPS 140-2 Validation Certificate at Level 2 jointly from the National Institute of Standards and Technology of the United States of America and the Communications Security Establishment of the Government of Canada after testing by DOMUS IT Security Laboratory, an accredited Cryptographic Module Testing laboratory:

• Certificate for the card: http://www.cryptsoft.com/fips140/vendors/140crt614.pdf (mirror)

The Ministry of the Interior Certificate Authority (MOICA) of Taiwan began deploying Citizen Digital Certificate smart cards in 2003. There are at least three different generations of MOICA smart cards:

• At first MOICA was using cards from Giesecke and Devrient. MOICA has never issued cards valid for more than eight years, so all of these cards will expire soon if they have not expired already.
• Around 2006–2007 MOICA switched to Chunghwa Telecom, specifically the Chunghwa Telecom HICOS PKI smart card, using 1024-bit RSA keys. These cards are the subject of the SmartFacts research.
• Around 2011 MOICA switched to a newer version of the Chunghwa Telecom HICOS PKI smart card, using 2048-bit RSA keys.

MOICA's FAQ makes several statements regarding security of all of these cards:

• Private keys are "generated within hardware cryptographic modules or software/hardware cryptographic modules within the IC card, meeting requirements of CPS and FIPS 140-1 level 2 certification or comparable security strength IC card."
• Private keys "cannot be escrowed."
• Question: "If an applicant loses his/her/its IC card, and the card is picked up by someone, can the card information be stolen out?" Answer: "The CA keys are created in a cryptographic module, using RSA algorithm and random number generator. Created within a hardware module, the private key is stored inside without leakage. Moreover, certificate subscriber’s IC card is internally generated with FIPS 140-1 level 2 certification of the Card Center. The private key will not export after generation."