ROCA – Critical vulnerability in Infineon security chips

print
Looking back, we can find many examples of errors in the algorithms used to create encryption keys. Not very many of them, however, were found in chips designed and sold as high-security devices for email signing, verifying software integrity, VPN access, or citizen e-ID cards.

Security depends on the last tiny detail.

Masaryk University (Brno, Czech Republic) has discovered a vulnerability in Infineon security chips back at the beginning of the year. Today marks the first public release, which covers the potential impact of the ROCA (Return of Coppersmith’s Attack) vulnerability.

As two of the people involved were also affiliated with Enigma Bridge, we decided to get involved and help with this initial publication. Let me start with a list of primary information sources, which were due to be released on 16th October, at noon UK time:

What happened up till now

First notifications to the manufacturer, Infineon, was sent out back in February and it has been a long time since, when the team provided an expert support to a number of customer companies using the impacted chips. They dedicated a lot of time and effort into providing an additional support, all free of charge.

The press release, technical descriptions, and tools published today is the first set of public information being released. In other words, Infineon was given nine months to help their customers mitigate the impact of the vulnerability.

I also want to stress that the team has put in place rigorous rules for responsible disclosure and today is the end of the agreed non-disclosure period, which has been extended to an unusually long time of nine months due to the nature and seriousness of the vulnerability.

The purpose of this release is to make end users and companies aware of the issue and help them assess a potential impact of the Return of Coppersmith Attack (ROCA) vulnerability on their systems and applications. It is also an additional early warning that the publication of technical details is imminent and security patches and upgrades should be completed without delay.

What is responsible disclosure

The responsible disclosure framework is a multi-stage process to prevent third parties gaining security, financial, or other advantage over users of products vulnerable to (cyber) attacks. These best practices have been established to protect users by ensuring that security vulnerabilities are corrected in a timely and orderly fashion and they are widely accepted by the IT industry, and government bodies (CERT, CSIRT, OWASP, NIST, etc.). Publishing vulnerabilities helps identify their causes and improves the overall security of technology users.

The ROCA vulnerability allows computation of RSA private key from its public component with low to medium budget and computation times from minutes to days. The vulnerability has been verified for RSA keys of up to 2,048 bits. A successful computation of a private key allows, depending on its use, decrypt sensitive data (from file encryption to HTTPS), forging digital signatures (email security, qualified signatures), impersonation (access control to IT systems or buildings), or personal identity theft (e-ID cards).

As this is a serious problem for a range of products used primarily for ensuring the security on the internet, the rigor of the disclosure process and secrecy surrounding it were exceptional by any comparison. The impact of the vulnerability extends far beyond the internet and may touch some e-government schemes, citizen ID cards, EU qualified signatures, and other use cases unrelated to computers as such.

What is ROCA

The official disclosure process concludes with the publication of technical details of the ROCA vulnerability at the ACM CCS 2017, a computer security conference, on 2nd November 2017 in Dallas, USA under the title: The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli.

This additional (and unusual) step gives companies and users an extra time to understand their exposure, consider their risk, and decide what steps to take.

While there are now tools available for detecting insecure RSA keys, no further information about the vulnerability will be published before the ACM CCS conference.

What we believe remains secure

Some large deployments of these security chips are NOT impacted. There are two general cases, which limit the vulnerability impact:

  1. where RSA keys are generated outside the security chips, e.g., EMV (chip & PIN and chip & signature) banking cards, or passports should not be affected;
  2. where design of products avoided using the vulnerable function of the chips – we believe that, e.g., Gemalto has in many cases replaced the default library with its own.

Let me mention TPM

At first, I didn’t quite appreciate the seriousness of the vulnerability on TPM modules. These are small security chips in computers, which facilitate security. They can also be used to store keys for disk encryption. What I wasn’t quite aware of was that they were also used to secure access to some cloud platforms.

These two particular uses may need a particular care. The disk encryption may require not only a generation of new keys, but also re-encryption of whole disks in laptops or PCs. The cloud access security may require well-managed security update of all relevant computers to prevent attacks as a single vulnerable laptop may become an unauthorized backdoor.

Why I picked TPMs in particular? The reason is the sheer volume as 25-30% of all TPM chips globally are likely to contain the vulnerability.

Assessment, remediation

If you suspect you or your organization’s security may be at risk, we have implemented an online tool for RSA public keys, which will help you assess your exposure to the vulnerability, It is available on these web addresses:

Please contact manufacturers of products you suspect may be affected, or check their latest bug and press releases, and product updates for more information.

A list of possible mitigation, risk management actions includes:

  • replacement of security chips / products with these chips with secure ones;
  • change the source of RSA keys to a secure key generator;
  • replace RSA algorithm with an elliptic curve encryption (ECC);
  • shorten the lifetime of RSA keys;
  • limit access to repositories with public keys; or
  • separate data-at-rest and data-in-transit encryption.

 


Try the Professional HTTPS/TLS monitoring service KeyChest.net to keep on top of your certificates with its certificate auto-discovery. The public cloud service is free and allows you monitor thousands of certificates within minutes (YouTube video – 49 seconds).

Published by

Dan Cvrcek

Founder and CEO of Enigma Bridge, engineer, entrepreneur, cryptography SME, security architect, and professor.