ROCA vulnerability

From Wikipedia, the free encyclopedia

ROCA vulnerability
Type: software (flawed RSA key generation in a cryptographic library)
CVE number(s): CVE-2017-15361
Date of discovery: February 2017
Date of publication: 15 October 2017
Manufacturer: Infineon
Product(s): the RSALib software library and all products based on it, such as smart cards and Trusted Platform Modules

The ROCA vulnerability is a cryptographic weakness in the way certain implementations generate RSA key pairs: the primes are drawn from a restricted, structured set, so the private key can be recovered from the public key (by factoring the modulus) with far less effort than a correctly generated RSA key of the same length would require. ROCA stands for "Return of Coppersmith's Attack", after the factorization method on which the attack builds; the vulnerability is recorded at MITRE as CVE-2017-15361.

The weakness is not in the RSA cryptosystem itself but in specific implementations and devices that rely on the RSALib library from Infineon, such as smart cards and Trusted Platform Modules (TPMs) and products built on them, for example the YubiKey 4. It has consequences wherever such a device generated the RSA key pair that is then used by hybrid-encryption software such as Pretty Good Privacy (PGP), S/MIME or GNU Privacy Guard (GnuPG), because the weak key is what that software's security rests on.

The research team of Matus Nemec, Marek Sys, Petr Svenda, Dusan Klinec and Vashek Matyas (Masaryk University), which discovered the vulnerability in February 2017, estimated that as of the beginning of 2018 around 25% of all TPMs then in use and several million smart cards with PGP functionality were affected.

Background

When an RSA key pair is generated, two large random primes are chosen for the private key. Finding random primes is expensive, especially on small devices such as smart cards or security tokens, so implementations apply various optimizations. Infineon's RSALib takes a shortcut that turns out to be fatal: instead of testing arbitrary random candidates, it only considers candidates of the form

p = k · M + (65537^a mod M)

Here M is the product of the first n consecutive primes (2 · 3 · 5 · 7 · 11 · 13 · ...), n is a constant that depends on the desired key length, and k and a are the random values that are supposed to make the prime unpredictable. Every such candidate is automatically free of small prime factors, which saves primality tests, but the number of distinct values that 65537^a mod M can take is only the multiplicative order of 65537 modulo M, and that order is tiny compared with M (about 2^62 for the parameters used for 512-bit keys, where M has 219 bits). The primes therefore have far less entropy than their size suggests. If q = l · M + (65537^b mod M) is the second prime, the modulus N = p · q satisfies N ≡ 65537^(a+b) (mod M), so an attacker who guesses the exponent a+b knows p modulo M. Since M covers well over half of the bits of p, the remaining unknown k is small enough to be found with a variant of Coppersmith's method for small roots of modular polynomials, which gives the attack its name; in practice the attacker works with a divisor M' of M chosen to make the order of 65537 (the number of guesses) small while keeping M' large enough for the Coppersmith step. The paper reports roughly 97 CPU-days of work for a 1024-bit key and roughly 140 CPU-years for a 2048-bit key, work that parallelizes and is therefore affordable on rented cloud hardware. Because n, and with it M, changes in steps at fixed key sizes, the attack cost does not grow monotonically with key length: keys of 512, 1024 and 2048 bits fall into practically factorizable ranges, whereas 3072-bit keys, which use the same M as 2048-bit keys and so have relatively more unknown bits in k, are out of reach. 4096-bit keys use a larger M again and, while not practically factorizable with the published method either, are closer to feasibility than 3072-bit keys. With respect to this flaw, a 3072-bit key is therefore more secure than a 4096-bit one.

The structure of the primes also leaves a fingerprint in the public key. Because N ≡ 65537^(a+b) (mod M), the residue N mod p_i lies in the subgroup of Z_{p_i}^* generated by 65537 for every small prime p_i dividing M, a condition that a randomly generated modulus fails with overwhelming probability. The test needs only the public modulus and a handful of modular reductions. This cuts both ways: an attacker can scan publicly available RSA keys (such as PGP key server dumps or certificate repositories) for affected targets, and users or administrators can check existing keys retrospectively and prompt the owners of affected keys to generate new ones.

Key pairs generated by other implementations, such as OpenSSL, do not have the ROCA weakness. The weakness is a property of the key, not of the software that later uses it: a key generated on an affected device stays weak if it is exported and used elsewhere, and a key generated by a sound implementation and then imported onto an affected device is not weakened by that. The remedy is therefore to replace affected keys with keys generated by an unaffected implementation (or by device firmware that has been fixed), not merely to update the software that uses them.
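To make the prime structure, the size of the attacker's search space and the fingerprint test concrete, here is a small Python model of the flawed generation contrasted with ordinary random primes of the kind OpenSSL produces. This is an added example written for this article; it is not Infineon's code and not the discoverers' tooling. The prime form p = k·M + (65537^a mod M) and the 512-bit parameter set (n = 39, M of about 219 bits) follow the published description; the 256-bit toy primes, the ranges chosen for k and a, the Miller-Rabin test and all function names are assumptions made for illustration. It does not implement the Coppersmith factorization step, only the key structure, the order computation and the detection test.

```python
"""Toy model of the RSALib prime structure behind ROCA and of the public-key
fingerprint that detects it (added example for this article, not Infineon's code)."""
import math
import random

E = 65537  # base of the flawed structure p = k*M + (E^a mod M)

def small_primes(count):
    """Return the first `count` primes (2, 3, 5, 7, 11, ...)."""
    primes, n = [], 2
    while len(primes) < count:
        if all(n % p for p in primes if p * p <= n):
            primes.append(n)
        n += 1
    return primes

def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin test; sufficient for a toy key generator."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def mult_order(g, p):
    """Multiplicative order of g modulo the small prime p (brute force)."""
    x, k = g % p, 1
    while x != 1:
        x, k = x * g % p, k + 1
    return k

def roca_params(n_small_primes):
    """M = product of the first n primes, and ord_M(E): the number of distinct
    values E^a mod M can take (about 2^62 for n = 39, against a 219-bit M)."""
    primes = small_primes(n_small_primes)
    M = math.prod(primes)
    order = 1
    for p in primes:                 # M is squarefree: ord_M(E) is the
        o = mult_order(E, p)         # lcm of the orders modulo each p
        order = order * o // math.gcd(order, o)
    return primes, M, order

def rsalib_style_prime(bits, M, order, rng):
    """A prime of the vulnerable form p = k*M + (E^a mod M): candidates are
    coprime to M by construction, but a only matters modulo ord_M(E)."""
    k_bits = bits - M.bit_length()   # assumption: k fills the bits above M
    while True:
        a = rng.randrange(order)
        k = rng.randrange(1 << k_bits, 1 << (k_bits + 1))
        p = k * M + pow(E, a, M)
        if p.bit_length() == bits and is_probable_prime(p, rng):
            return p

def random_prime(bits, rng):
    """An ordinary random prime, the way a sound implementation picks one."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p, rng):
            return p

def roca_fingerprint(N, primes):
    """True if N looks like an RSALib modulus: N = p*q = E^(a+b) (mod M), so
    N mod p_i must lie in the subgroup <E> of Z_{p_i}^* for every p_i | M."""
    for p in primes:
        subgroup, x = set(), 1
        while x not in subgroup:     # enumerate <E> modulo p_i
            subgroup.add(x)
            x = x * E % p
        if N % p not in subgroup:
            return False
    return True

def false_positive_rate(primes):
    """Chance that a modulus with uniformly random residues passes anyway:
    the product of |<E>| / (p_i - 1) over the small primes."""
    rate = 1.0
    for p in primes:
        rate *= mult_order(E, p) / (p - 1)
    return rate

def demo(seed=2017, bits=256):
    """Returns (fingerprint of a vulnerable toy key, fingerprint of a sound one)."""
    rng = random.Random(seed)        # seeded so the run is reproducible
    primes, M, order = roca_params(39)   # 512-bit parameter set from the paper
    n_roca = rsalib_style_prime(bits, M, order, rng) * rsalib_style_prime(bits, M, order, rng)
    n_sound = random_prime(bits, rng) * random_prime(bits, rng)
    return roca_fingerprint(n_roca, primes), roca_fingerprint(n_sound, primes)
```

`demo()` returns `(True, False)`: the structured modulus passes the fingerprint, the one built from ordinary random primes does not. `roca_params(39)` shows the point of the attack in numbers: M has about 219 bits while the order of 65537 modulo M has only about 62, so the secret exponent is guessable. `roca_fingerprint` needs only the public modulus, so the same check applies to any key whose modulus is extracted from a certificate or a PGP key packet.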

References

  1. Serious Crypto-Flaw Lets Hackers Recover Private RSA Keys Used in Billions of Devices. Retrieved October 11, 2018.
  2. Matus Nemec, Marek Sys, Petr Svenda, Dusan Klinec, Vashek Matyas: The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli. 2017, retrieved October 11, 2018.
  3. ROCA: Infineon TPM and Secure Element RSA Vulnerability Guidance. October 2017, retrieved October 11, 2018.