A Vulnerability in an Implementation of RSA Key Generation Could Allow for Private Encryption Key Disclosure

ITS Advisory Number: 
2017-103
Date(s) Issued: 
Tuesday, October 17, 2017
Subject: 
A Vulnerability in an Implementation of RSA Key Generation Could Allow for Private Encryption Key Disclosure
Overview: 

A vulnerability, dubbed ROCA (Return of Coppersmith's Attack), was identified in an implementation of RSA key generation due to a fault in a code library developed by Infineon Technologies. Keys produced by the affected library are used to protect many kinds of systems, including hardware security chips, authentication tokens, software packages, signed electronic documents, TLS/HTTPS servers, and PGP. Infineon Technologies' smartcards, security tokens, and secure hardware chips produced since 2012 use the affected code library. Successful exploitation of this vulnerability allows an attacker who holds only the public key to recover the corresponding private key, by factoring the RSA modulus, within a practical time frame.

This vulnerability does not affect the RSA algorithm itself. It affects only keys generated by the Infineon Technologies implementation; keys generated elsewhere and then imported into an affected device are not weakened by it.

Systems Affected: 

This vulnerability affects any product that generates RSA keys using the affected code library, "RSA Library version v1.02.013", developed by Infineon Technologies. Keys generated on smartcards or embedded devices that use the Infineon library are vulnerable, including devices that carry NIST FIPS 140-2 and Common Criteria EAL 5+ certifications, as the certification process did not detect the flaw. Additionally, many laptops and mobile devices contain Trusted Platform Module (TPM) chips whose firmware includes the affected key generation code.

Google, Microsoft, HP, Lenovo, and Fujitsu have released updates for their affected products.

RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
Low
Description: 

A vulnerability, dubbed ROCA, was identified in an implementation of RSA key generation due to a fault in a code library developed by Infineon Technologies. Infineon Technologies' smartcards, security tokens, and secure hardware chips produced since 2012 are vulnerable to private key disclosure because of this faulty library. Specifically, the algorithm used to generate the RSA primes does not draw them uniformly at random; it produces primes with a special structure that both drastically shrinks the space an attacker must search and leaves a detectable fingerprint in the public modulus. As a result, the private key corresponding to a freely available public key can be recovered by factoring the modulus within a practical amount of time. This vulnerability is currently known to be practical primarily against keys up to 2048 bits long, as longer keys cannot be factored in a practical amount of time with the published method. (CVE-2017-15361)
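The structure described above is what makes an affected public key recognizable without any private material. The following is an added, self-contained example (not Infineon's code and not the KeyChest tool) that builds a toy modulus from primes of the form k*M + 65537^a mod M, where M is the product of the first 39 primes as publicly described for 512-bit keys, and then applies the public fingerprint test: for each small odd prime up to 167, N mod p must lie in the subgroup generated by 65537. The Miller-Rabin routine, the simplified prime generation and the fixed seeds are assumptions made for the demonstration; the same `roca_fingerprint` check can be run on a real modulus extracted from a PEM file with `openssl rsa -pubin -in key.pem -noout -modulus`.

```python
"""Constructed demonstration of the ROCA fingerprint (CVE-2017-15361).

Keys from the affected library use primes of the form
    p = k * M + (65537 ** a mod M)
where M is a primorial (2 * 3 * 5 * ... * p_n). Every such prime, and hence
the modulus N = p * q, is a power of 65537 modulo each small prime dividing
M, so N alone reveals whether a key came from the flawed generator. This is
a simplified re-implementation for illustration, not the vendor's code.
"""
import random

E = 65537


def first_primes(count):
    """Return the first `count` primes by trial division."""
    primes = []
    n = 2
    while len(primes) < count:
        if all(n % p for p in primes if p * p <= n):
            primes.append(n)
        n += 1
    return primes


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin primality test with `rounds` random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


# Detection primes: the 38 odd primes 3..167 used by the public ROCA test.
DETECT_PRIMES = first_primes(39)[1:]
# For each prime, the residues an affected modulus can take: the subgroup <65537>.
_ALLOWED = {p: {pow(E, j, p) for j in range(p)} for p in DETECT_PRIMES}


def roca_fingerprint(n):
    """True if N mod p lies in <65537> for every detection prime.

    A modulus from the flawed generator always passes. A modulus built from
    uniformly random primes fails with overwhelming probability (the public
    false-positive estimate for this prime set is about 2^-154).
    """
    return all(n % p in _ALLOWED[p] for p in DETECT_PRIMES)


def roca_style_prime(bits, M, rng):
    """Generate a `bits`-bit prime of the form k*M + 65537^a mod M (toy generator)."""
    while True:
        a = rng.randrange(M)
        k = rng.randrange((1 << (bits - 1)) // M + 1, (1 << bits) // M)
        p = k * M + pow(E, a, M)
        if is_probable_prime(p, rng):
            return p


def random_prime(bits, rng):
    """Generate an ordinary random `bits`-bit prime for comparison."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p, rng):
            return p


def make_modulus(bits, weak, seed=0):
    """Return an RSA modulus; `weak=True` mimics the affected key structure.

    M is the product of the first 39 primes (2..167), the primorial publicly
    described for 512-bit keys; this toy reuses it for every size.
    """
    rng = random.Random(seed)
    M = 1
    for p in first_primes(39):
        M *= p
    if weak:
        p, q = roca_style_prime(bits // 2, M, rng), roca_style_prime(bits // 2, M, rng)
    else:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
    return p * q


if __name__ == "__main__":
    weak_n = make_modulus(512, weak=True)
    good_n = make_modulus(512, weak=False)
    print("ROCA-style modulus flagged:", roca_fingerprint(weak_n))  # True
    print("random modulus flagged:   ", roca_fingerprint(good_n))  # False
```

The fingerprint is only a screening test: it tells you a key came from the flawed generator, not that it has been factored. Because the test needs nothing but the public key, it can be run over certificate stores, SSH `authorized_keys` files and PGP keyrings to find keys that must be replaced.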

According to the Centre for Research on Cryptography and Security (CRoCS), the attack is considered practical when factoring a key costs less than 1000 CPU years, and the work can be distributed across many processor cores to reduce the wall-clock time. In the most severe case, factoring a vulnerable 2048-bit key costs about 141 CPU years; because the search parallelizes, the elapsed time is roughly that figure divided by the number of cores applied to it. With the availability of cloud resources an attacker can reduce the time to break a 2048-bit key to a matter of months. A shorter key, such as a 512-bit key, requires only about 2 CPU hours.

CRoCS provides a more detailed description of this attack; see the references for the link.

Successful exploitation of this vulnerability results in an attacker being able to derive a private key from the public key, using prime factorization, within a practical time frame.

Actions: 
  • A tool is available to test whether a public key is affected by the ROCA vulnerability. The test needs only the public key, so it can be run across certificate stores, authentication tokens, and key rings. This tool is available in the references section below from KeyChest.
  • After appropriate testing, apply updates provided by affected vendors as soon as possible. Note that a firmware update stops the device from generating further weak keys; keys already generated remain vulnerable and must be regenerated or replaced.
  • Generate keys on an unaffected cryptographic system and import them into the affected device, rather than generating keys on the device itself.
  • If a sensitive device cannot be patched, consider replacing the device.
  • Increasing key lengths above 2048 bits may be an effective mitigation, as the CPU time required to factor such keys is not practical in most instances. When implementing this mitigation it is important to note that longer keys generated by the affected library still carry the same structural weakness and fingerprint, so the time to derive them may become practical if the attack evolves or as processing power increases.