ROCA vulnerability

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by The Anome (talk | contribs) at 11:30, 10 November 2017 (Technical details: randomly-generated prime numbers,). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

The ROCA vulnerability is a cryptographic weakness that allows the private key of a key pair to be recovered from the public key in keys generated by devices with the vulnerability. "ROCA" is an acronym for "Return of the Coppersmith Attack".[1] The vulnerability has been given the CVE identifier CVE-2017-15361.

The vulnerability arises from a problem with an approach to RSA key generation used in a software library provided by Infineon, and incorporated in many smart cards and Trusted Platform Module (TPM) implementations. The same vulnerability appears in recent Yubikey tokens used to generate PGP keys. All keys generated using the Infineon library are believed to be vulnerable to the ROCA attack.[2] The research team that discovered the attack (all with Masaryk University and led by Matus Nemec and Marek Sys)[3] estimates that it affects around one-quarter of all current TPM devices globally.[4] Millions of smartcards are believed to be affected.[1]

The team informed Infineon of the problem in February 2017, but withheld public notice until mid-October, citing responsible disclosure. At that time they announced the attack and provided a tool to test public keys for vulnerability. They published the details of the attack in November.[3]

Technical details

Generating an RSA key involves selecting two large randomly generated prime numbers, a process that can be time-consuming, particularly on small devices such as smart cards. In addition to being prime, the numbers should have certain other properties for best security. The vulnerable selection process speeds this up by testing for primality only numbers of the form:

k*M + (65537^a mod M)

where M is the product of the first n successive primes (2, 3, 5, 7, 11, 13, ...), and n is a constant that depends only on the desired key size. Each prime is therefore fixed entirely by the two secret values k and a, which is far less entropy than a random prime of the same size. The ROCA attack exploits this structure with a variation of Coppersmith's method: for each candidate value of 65537^a mod M, the unknown k is small enough to be recovered by Coppersmith's technique for finding small roots, and the number of candidates for a is limited because 65537 has a small multiplicative order modulo M. In addition, public keys generated this way have a distinctive fingerprint: because p and q are both powers of 65537 modulo M, so is their product, so the discrete logarithm of the public modulus mod M to the base 65537 exists for a vulnerable key, whereas for a key built from random primes it almost never does. Computing discrete logarithms in a large group is usually extremely difficult, but M is a smooth number (a product of small primes), so the Pohlig–Hellman algorithm answers the question quickly. A test site is available on the Internet.[3][5][6][7]
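The following Python is an added illustration of the two ideas above; it is not code from the paper, from the test site, or from Infineon's library. It builds primes of the form k*M + (65537^a mod M) using n = 39 (the paper's parameter for 512-bit keys, an assumption taken from the paper rather than from this page) but with toy 256-bit primes so that it runs in well under a second, then applies the fingerprint: for every small prime p_i dividing M it asks whether N mod p_i lies in the subgroup generated by 65537, which is exactly the per-prime discrete-logarithm subproblem that Pohlig–Hellman reduces to when M is smooth. All function names are this example's own.

```python
"""Toy model of the ROCA prime structure (CVE-2017-15361) and the fingerprint
it leaves on public keys.  Added illustration, not code from the paper or from
the vulnerable library; 256-bit primes are used only to keep the run fast."""
import math
import random

E = 65537                       # RSA public exponent, also the generator used by the pattern
N_PRIMES_512 = 39               # assumed from the paper: n for 512-bit keys, M = 2*3*5*...*167


def first_primes(count):
    """Return the first `count` primes by trial division."""
    primes, c = [], 2
    while len(primes) < count:
        if all(c % p for p in primes if p * p <= c):
            primes.append(c)
        c += 1
    return primes


SMALL_PRIMES = first_primes(N_PRIMES_512)
M = math.prod(SMALL_PRIMES)     # the primorial that defines the prime pattern


def is_probable_prime(n, rng, rounds=20):
    """Trial division by the smallest primes, then Miller-Rabin."""
    if n < 2:
        return False
    for p in SMALL_PRIMES[:12]:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def roca_prime(bits, rng):
    """Vulnerable generator: only test candidates k*M + (65537^a mod M).
    Every candidate is automatically coprime to M (that is the speed-up);
    the prime is then fixed by the two secrets a and k.  Returns (prime, a, k)."""
    k_lo = ((1 << (bits - 1)) + M - 1) // M     # keeps k*M >= 2^(bits-1)
    k_hi = (1 << bits) // M                     # keeps k*M + r < 2^bits
    while True:
        a, k = rng.randrange(M), rng.randrange(k_lo, k_hi)
        cand = k * M + pow(E, a, M)
        if is_probable_prime(cand, rng):
            return cand, a, k


def random_prime(bits, rng):
    """Ordinary generator: random odd candidates of the requested size."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def generator_order(p):
    """Multiplicative order of 65537 modulo the small prime p."""
    x, order = E % p, 1
    while x != 1:
        x, order = x * E % p, order + 1
    return order


def roca_fingerprint(n):
    """Detection: p and q are powers of 65537 mod M, so n = p*q is too, and
    n mod p_i must lie in <65537> inside (Z/p_i)^* for every prime p_i | M.
    Each check is the discrete-log question modulo one small prime, i.e. the
    subproblems Pohlig-Hellman solves when M is smooth; the subgroup is short
    enough to walk directly."""
    for p in SMALL_PRIMES:
        target, x = n % p, 1
        for _ in range(generator_order(p)):
            if x == target:
                break
            x = x * E % p
        else:
            return False
    return True


def subgroup_fraction():
    """Chance that a modulus with random unit residues mod M passes the test:
    product over p_i of ord(65537 mod p_i) / (p_i - 1)."""
    return math.prod(generator_order(p) / (p - 1) for p in SMALL_PRIMES)


def make_keys(seed=1, bits=256):
    """One modulus from ROCA-style primes and one from ordinary primes (constructed sample)."""
    rng = random.Random(seed)
    p, a_p, _ = roca_prime(bits, rng)
    q, a_q, _ = roca_prime(bits, rng)
    ordinary = random_prime(bits, rng) * random_prime(bits, rng)
    return {"weak": p * q, "a_sum": a_p + a_q, "ordinary": ordinary}


if __name__ == "__main__":
    keys = make_keys()
    print("weak modulus flagged:", roca_fingerprint(keys["weak"]))
    print("N mod M == 65537^(a_p+a_q) mod M:", keys["weak"] % M == pow(E, keys["a_sum"], M))
    print("ordinary modulus flagged:", roca_fingerprint(keys["ordinary"]))
    print("false-positive fraction: %.2e" % subgroup_fraction())
```

The second check in the main block is the structural fact behind the attack: the discrete logarithm of the modulus to the base 65537 modulo M is simply a_p + a_q, so it always exists for a vulnerable key. The per-prime membership test is the same logic the public detection tools use, just written without precomputed tables; the false-positive fraction shows why the test is reliable with the real n, and why a handful of small primes would not be.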

References

  1. ^ a b Goodin, Dan (2017-10-23). "Crippling crypto weakness opens millions of smartcards to cloning". Ars Technica. Retrieved 2017-10-25.
  2. ^ Khandelwal, Swati. "Serious Crypto-Flaw Lets Hackers Recover Private RSA Keys Used in Billions of Devices". The Hacker News. Retrieved 2017-10-25.
  3. ^ a b c Nemec, Matus; Sys, Marek; Svenda, Petr; Klinec, Dusan; Matyas, Vashek (November 2017). "The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli".
  4. ^ Leyden, John (16 October 2017). "Never mind the WPA2 drama... Details emerge of TPM key cockup that hits tonnes of devices". United Kingdom: The Register. Retrieved 2017-10-25.
  5. ^ "ROCA: Infineon TPM and Secure Element RSA Vulnerability Guidance". www.ncsc.gov.uk. United Kingdom. Retrieved 2017-10-25.
  6. ^ "ROCA: Vulnerable RSA generation (CVE-2017-15361)". Czech Republic: Centre for Research on Cryptography and Security, Faculty of Informatics, Masaryk University. Retrieved 2017-10-25.
  7. ^ "Information on software update of RSA key generation function". Infineon Technologies AG. Retrieved 2017-10-25.