So I was trying to think of a person who might be up to cracking the secret to getting alternative operating systems installed on the CE. I have this friend who loves cryptography and the like, so I gave the challenge to them. They don't have an account here, so I'm posting this for them.

Correct me if I'm wrong, but it is the OS verification key that needs to be cracked to allow for alternative operating systems to be installed, correct? What is the common way of doing this if it were feasible to do? Also, is there any other knowledge that would be required to know how to crack this?
If you defeat this, you defeat pretty much all security known to man.
MateoConLechuga wrote:
If you defeat this, you defeat pretty much all security known to man.


Can you tell me why? I'm genuinely curious. I know the key is super long (2048 bits iirc from IRC conversations), but can you give me more info? :)
The calculator is signed using cryptographic methods (SHA256, IIRC). Basically this uses the difficulty in factoring semiprime numbers compared to both generating a semiprime number and verifying that a number is a factor of a semiprime. If you make the prime numbers big enough, it takes a practically infinite amount of time to reverse but only a short amount of time to verify. It's the same method, more or less, that is used to encrypt HTTPS and credit card transactions.

It would be easier to bypass/overwrite the verification stuff so that no check happens in the first place. The only downside is that you have to run a program on the calc before sending the OS, but this is basically a non-issue.
The SHA256 hash of the entire OS is cryptographically signed with a 2048-bit RSA signature. The weakest link in the chain is the SHA256, but you still aren't going to enjoy the on average 2^128 very slow operations needed to sign each new version (note that the universe is much less than 2^90 nanoseconds old). Alternatively, you could just exploit some hardware and software security bugs and write the OS to flash yourself, but note that newer boot versions verify the OS every hard reset, so you would also need to figure out how to write to hardware-locked flash boot sectors in that case.

If you are just curious about the cryptographic details, SHA256 is a cryptographic hash which means that given an arbitrary amount of data it computes a fixed-size (256 bits in this case) hash for that data in such a way that 1. the hash reveals effectively no information about the data that was hashed and 2. it is infeasible to compute another block of data that hashes to the same value (a hash collision).

The second part is the 2048-bit RSA signature. First, TI uses a cryptographically secure RNG to compute two random probable primes that specifically aren't too close or far from 2^1024. Next, they multiply these two (statistically likely to be) prime numbers to get a very large number around 2048 bits long, let's call this n. This is the number that is stored directly in the calculator's boot code (in a public key) and can be overridden with a key from the certificate. Next, TI chooses a small prime number with a small number of ones in its binary representation, let's call this e, and stores it along with the n (although in reality it is hardcoded into the boot code RSA algorithms). They chose e = 3, which is insecure for an encryption key, but perfectly secure to use in a signing-only key, and makes it easier for the slow ez80 processor to do the necessary computations in a reasonable amount of time. Next, they need to do some real math in order to compute the number d such that ∀x, (x^d)^e ≡ x (mod n). Since TI generated n by multiplying two primes together, they can use the fact that they know two factors of n in order to efficiently compute d. Lastly, they store all these numbers into a private key that is stored on a computer that is not connected to any networks and protected by physical security.

Now, any time they want to sign a new OS, they start with the SHA256 hash of the new OS, raise it to the power of d (mod n), and store this number at the end of the distributed OS file as a signature. Then, when the OS is transferred to a calculator, the boot code recomputes the SHA256 hash of the OS, then raises the transferred RSA signature to the power of e (mod n) and compares this final number to the SHA256 hash to ensure that the OS has not been tampered with. If this check fails, the boot code marks the OS as invalid and refuses to transfer control to it even in the interrupt handler, and prompts for a real OS to be transferred.
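
The sign-then-verify flow described in the post above, as an added example that is not part of the original thread and is not TI's code. The key is a constructed toy key built from two public, well-known primes, the image bytes are made up, and no padding is applied because the post describes none (standard RSA signature schemes such as PKCS#1 v1.5 or PSS pad the hash first).

```python
import hashlib

# Constructed demo key, NOT secure: P and Q are public, well-known primes
# (the P-384 and Curve448 field primes), picked only because both are
# 2 mod 3, which e = 3 needs. A real key uses secret random primes.
P = 2**384 - 2**128 - 2**96 + 2**32 - 1
Q = 2**448 - 2**224 - 1
N = P * Q                            # public modulus
E = 3                                # public exponent, as in the post
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, needs P and Q

def os_hash(image: bytes) -> int:
    """SHA-256 of the whole image, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big")

def sign(image: bytes) -> int:
    """Signer side: hash^d mod n. Only the holder of D can do this."""
    return pow(os_hash(image), D, N)

def verify(image: bytes, signature: int) -> bool:
    """Verifier side: signature^e mod n must equal the recomputed hash."""
    if not 0 <= signature < N:       # reject out-of-range values outright
        return False
    return pow(signature, E, N) == os_hash(image)

def demo():
    image = b"constructed OS image bytes " * 64      # stand-in for an OS
    sig = sign(image)
    patched = bytearray(image)
    patched[100] ^= 0x01                             # flip a single bit
    return {
        "genuine": verify(image, sig),
        "one_bit_patched": verify(bytes(patched), sig),
        "altered_signature": verify(image, sig ^ 1),
        "out_of_range_signature": verify(image, sig + N),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:24} accepted={accepted}")
```

Computing D is the only step that uses P and Q; verification needs nothing beyond N and E, which is why the public key can sit in boot code.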
commandblockguy wrote:

It would be easier to bypass/overwrite the verification stuff so that no check happens in the first place. The only downside is that you have to run a program on the calc before sending the OS, but this is basically a non-issue.


What would this program look like?


Thanks for the extended description, jacobly :)

How would someone go about generating a signature and hash if it were possible?
  