ROCA vulnerability

Last updated
ROCA vulnerability
CVE identifier(s) CVE- 2017-15361
Date discoveredFebruary 2017;5 years ago (February 2017)
DiscovererMatúš Nemec, Marek Sýs, et al. (Masaryk University)
Affected hardware TPM, Yubikey, Gemalto IDPrime .NET smart cards
Affected softwareAny public-private key encryption that used RSALib including BitLocker and PGP

The ROCA vulnerability is a cryptographic weakness that allows the private key of a key pair to be recovered from the public key in keys generated by devices with the vulnerability. "ROCA" is an acronym for "Return of Coppersmith's attack". [1] The vulnerability has been given the identifier CVE - 2017-15361.

Contents

The vulnerability arises from a problem with an approach to RSA key generation used in vulnerable versions of a software library, RSALib, provided by Infineon Technologies, and incorporated into many smart cards, Trusted Platform Module (TPM), and Hardware Security Modules (HSM) implementations, including YubiKey 4 tokens, often used to generate PGP keys. Keys of lengths 512, 1024, and 2048 bits generated using these versions of the Infineon library are vulnerable to a practical ROCA attack. [2] [3] The research team that discovered the attack (all with Masaryk University and led by Matúš Nemec and Marek Sýs) [2] estimate that it affected around one-quarter of all current TPM devices globally. [4] Millions of smart cards are believed to be affected. [1]

The team informed Infineon of the RSALib problem in February 2017, but withheld public notice until mid-October, citing responsible disclosure. At that time they announced the attack and provided a tool to test public keys for vulnerability. They published the details of the attack in November. [2]

Technical details

Generating an RSA key involves selecting two large randomly-generated prime numbers, a process that can be time-consuming, particularly on small devices, such as smart cards. In addition to being primes, the numbers should have certain other properties for best security. The vulnerable RSALib selection process quickly creates primes of the desired type by only testing for primality numbers of the form:

where is the product of the first n successive primes (2, 3, 5, 7, 11, 13,...), and n is a constant that only depends on the desired key size. The security is based on the secret constants and . The ROCA attack exploits this particular format for primes using a variation of the Coppersmith method. In addition, public keys generated this way have a distinctive fingerprint that can be quickly recognized by attempting to compute the discrete logarithm of the public key mod to base 65537. Computing discrete logarithms in a large group is usually extremely difficult, but in this case it can be done efficiently using the Pohlig–Hellman algorithm because is a smooth number. A test site is available on the Internet. [2] [5] [6] [7] In short, keys that fit this format have significantly low entropy and can be attacked relatively efficiently (weeks to months), and the format can be confirmed ("fingerprinted") by the attacker very quickly (microseconds). Multiple implementations of the attack are publicly available. [8] [9] [10]

Mitigation

The ROCA authors consider public keys of length 512, 1024 and 2048-bits generated by RSALib to be vulnerable. Because the details of key generation differ for different key lengths, shorter keys are not necessarily more vulnerable than longer keys. For example, a 1952-bit RSAlib key is stronger than a 2048-bit key and a 4096-bit key is weaker than a 3072-bit key.

The best mitigation, according to the authors, is to generate RSA keys using a stronger method, such as by OpenSSL. If that is not possible, the ROCA authors suggest using key lengths that are less susceptible to ROCA such as 3936-bit, 3072-bit or, if there is a 2048-bit key size maximum, 1952-bits. [2] :Sec 5.1

Infineon has released firmware updates for its Trusted Platform Modules to manufacturers who have used its TPMs. [11]

Implications

The vulnerability highlighted several shortcomings of the Common Criteria certification scheme as the vulnerability was present in a list of Common Criteria certified smart card products. Namely, the approval of homegrown cryptographic algorithms; the lack of transparency in certification reports, inability to revoke Common Criteria certificates for known vulnerable products and distribute this information to the users of the certified products. [12] :Sec 6.7.5

In Estonia, the discovery of the vulnerability resulted in a state-level cyber crisis as the vulnerable smart card chip was deployed on more than 750,000 Estonian identity cards that are used daily by Estonian residents and e-residents to securely authenticate online and create digital signatures. [12] :Sec 6.7

See also

Related Research Articles

In cryptography, key size, key length, or key space refer to the number of bits in a key used by a cryptographic algorithm.

Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys compared to non-EC cryptography to provide equivalent security.

<span class="mw-page-title-main">Encryption</span> Process of converting plaintext to ciphertext

In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decipher a ciphertext back to plaintext and access the original information. Encryption does not itself prevent interference but denies the intelligible content to a would-be interceptor.

RSA (Rivest–Shamir–Adleman) is a public-key cryptosystem that is widely used for secure data transmission. It is also one of the oldest. The acronym "RSA" comes from the surnames of Ron Rivest, Adi Shamir and Leonard Adleman, who publicly described the algorithm in 1977. An equivalent system was developed secretly in 1973 at GCHQ by the English mathematician Clifford Cocks. That system was declassified in 1997.

In cryptography, Triple DES, officially the Triple Data Encryption Algorithm, is a symmetric-key block cipher, which applies the DES cipher algorithm three times to each data block. The Data Encryption Standard's (DES) 56-bit key is no longer considered adequate in the face of modern cryptanalytic techniques and supercomputing power. A CVE released in 2016, CVE-2016-2183 disclosed a major security vulnerability in DES and 3DES encryption algorithms. This CVE, combined with the inadequate key size of DES and 3DES, NIST has deprecated DES and 3DES for new applications in 2017, and for all applications by the end of 2023. It has been replaced with the more secure, more robust AES.

A key in cryptography is a piece of information, usually a string of numbers or letters that are stored in a file, which, when processed through a cryptographic algorithm, can encode or decode cryptographic data. Based on the used method, the key can be different sizes and varieties, but in all cases, the strength of the encryption relies on the security of the key being maintained. A key’s security strength is dependent on its algorithm, the size of the key, the generation of the key, and the process of key exchange.

<span class="mw-page-title-main">Secure cryptoprocessor</span> Device used for encryption

A secure cryptoprocessor is a dedicated computer-on-a-chip or microprocessor for carrying out cryptographic operations, embedded in a packaging with multiple physical security measures, which give it a degree of tamper resistance. Unlike cryptographic processors that output decrypted data onto a bus in a secure environment, a secure cryptoprocessor does not output decrypted data or decrypted program instructions in an environment where security cannot always be maintained.

<span class="mw-page-title-main">OpenSSL</span> Open-source implementation of the SSL and TLS protocols

OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used by Internet servers, including the majority of HTTPS websites.

The security of cryptographic systems depends on some secret data that is known to authorized persons but unknown and unpredictable to others. To achieve this unpredictability, some randomization is typically employed. Modern cryptographic protocols often require frequent generation of random quantities. Cryptographic attacks that subvert or exploit weaknesses in this process are known as random number generator attacks.

<span class="mw-page-title-main">Trusted Platform Module</span> Standard for secure cryptoprocessors

Trusted Platform Module is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. The term can also refer to a chip conforming to the standard.

<span class="mw-page-title-main">Hardware security module</span> Physical computing device

A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys, performs encryption and decryption functions for digital signatures, strong authentication and other cryptographic functions. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server. A hardware security module contains one or more secure cryptoprocessor chips.

<span class="mw-page-title-main">BitLocker</span> Disk encryption software for Microsoft Windows

BitLocker is a full volume encryption feature included with Microsoft Windows versions starting with Windows Vista. It is designed to protect data by providing encryption for entire volumes. By default, it uses the AES encryption algorithm in cipher block chaining (CBC) or XTS mode with a 128-bit or 256-bit key. CBC is not used over the whole disk; it is applied to each individual sector.

Disk encryption is a technology which protects information by converting it into unreadable code that cannot be deciphered easily by unauthorized people. Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. It is used to prevent unauthorized access to data storage.

In cryptographic protocols, a key encapsulation mechanism (KEM) is used to secure symmetric key material for transmission using asymmetric (public-key) algorithms. It is commonly used in hybrid cryptosystems. In practice, public key systems are clumsy to use in transmitting long messages. Instead they are often used to exchange symmetric keys, which are relatively short. The symmetric key is then used to encrypt the longer message. The traditional approach to sending a symmetric key with public key systems is to first generate a random symmetric key and then encrypt it using the chosen public key algorithm. The recipient then decrypts the public key message to recover the symmetric key. As the symmetric key is generally short, padding is required for full security and proofs of security for padding schemes are often less than complete. KEMs simplify the process by generating a random element in the finite group underlying the public key system and deriving the symmetric key by hashing that element, eliminating the need for padding.

Direct Anonymous Attestation (DAA) is a cryptographic primitive which enables remote authentication of a trusted computer whilst preserving privacy of the platform's user. The protocol has been adopted by the Trusted Computing Group (TCG) in the latest version of its Trusted Platform Module (TPM) specification to address privacy concerns. ISO/IEC 20008 specifies DAA, as well, and Intel's Enhanced Privacy ID (EPID) 2.0 implementation for microprocessors is available for licensing RAND-Z along with an open source SDK.

In cryptography, post-quantum cryptography refers to cryptographic algorithms that are thought to be secure against a cryptanalytic attack by a quantum computer. The problem with currently popular algorithms is that their security relies on one of three hard mathematical problems: the integer factorization problem, the discrete logarithm problem or the elliptic-curve discrete logarithm problem. All of these problems could be easily solved on a sufficiently powerful quantum computer running Shor's algorithm.

In cryptography, a padding oracle attack is an attack which uses the padding validation of a cryptographic message to decrypt the ciphertext. In cryptography, variable-length plaintext messages often have to be padded (expanded) to be compatible with the underlying cryptographic primitive. The attack relies on having a "padding oracle" who freely responds to queries about whether a message is correctly padded or not. Padding oracle attacks are mostly associated with CBC mode decryption used within block ciphers. Padding modes for asymmetric algorithms such as OAEP may also be vulnerable to padding oracle attacks.

<span class="mw-page-title-main">YubiKey</span> Hardware authentication device supporting MFA

The YubiKey is a hardware authentication device manufactured by Yubico to protect access to computers, networks, and online services that supports one-time passwords (OTP), public-key cryptography, and authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols developed by the FIDO Alliance. It allows users to securely log into their accounts by emitting one-time passwords or using a FIDO-based public/private key pair generated by the device. YubiKey also allows for storing static passwords for use at sites that do not support one-time passwords. Google, Amazon, Microsoft, Twitter, and Facebook use YubiKey devices to secure employee accounts as well as end user accounts. Some password managers support YubiKey. Yubico also manufactures the Security Key, a similar lower cost device with only FIDO2/WebAuthn and FIDO/U2F support.

Logjam is a security vulnerability in systems that use Diffie–Hellman key exchange with the same prime number. It was discovered by a team of computer scientists and publicly reported on May 20, 2015. The discoverers were able to demonstrate their attack on 512-bit DH systems. They estimated that a state level attacker could do so for 1024-bit systems, then widely used, thereby allowing decryption of a significant fraction of Internet traffic. They recommended upgrading to at least 2048-bits for shared prime systems.

In cryptography, electromagnetic attacks are side-channel attacks performed by measuring the electromagnetic radiation emitted from a device and performing signal analysis on it. These attacks are a more specific type of what is sometimes referred to as Van Eck phreaking, with the intention to capture encryption keys. Electromagnetic attacks are typically non-invasive and passive, meaning that these attacks are able to be performed by observing the normal functioning of the target device without causing physical damage. However, an attacker may get a better signal with less noise by depackaging the chip and collecting the signal closer to the source. These attacks are successful against cryptographic implementations that perform different operations based on the data currently being processed, such as the square-and-multiply implementation of RSA. Different operations emit different amounts of radiation and an electromagnetic trace of encryption may show the exact operations being performed, allowing an attacker to retrieve full or partial private keys.

References

  1. 1 2 Goodin, Dan (2017-10-23). "Crippling crypto weakness opens millions of smartcards to cloning". Ars Technica. Retrieved 2017-10-25.
  2. 1 2 3 4 5 Nemec, Matus; Sys, Marek; Svenda, Petr; Klinec, Dusan; Matyas, Vashek (November 2017). "The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli" (PDF). Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. CCS '17. doi:10.1145/3133956.3133969.
  3. Khandelwal, Swati. "Serious Crypto-Flaw Lets Hackers Recover Private RSA Keys Used in Billions of Devices". The Hacker News. Retrieved 2017-10-25.
  4. Leyden, John (16 October 2017). "Never mind the WPA2 drama... Details emerge of TPM key cockup that hits tonnes of devices". United Kingdom: The Register. Retrieved 2017-10-25.
  5. "ROCA: Infineon TPM and Secure Element RSA Vulnerability Guidance". www.ncsc.gov.uk. United Kingdom. Retrieved 2017-10-25.
  6. "ROCA: Vulnerable RSA generation (CVE-2017-15361)". Czech Republic: Centre for Research on Cryptography and Security, Faculty of Informatics, Masaryk University . Retrieved 2017-10-25.
  7. "Information on software update of RSA key generation function". Infineon Technologies AG. Retrieved 2017-10-25.
  8. Bruno Produit (2019-05-15). "Implementation of the ROCA attack (CVE-2017-15361)". GitHub . Retrieved 2020-06-29.
  9. Florian Picca (2020-05-03). "ROCA". GitHub . Retrieved 2020-06-29.
  10. Shiho Midorikawa (2020-04-13). "ROCA". GitHub . Retrieved 2020-06-29.
  11. ""TPM Update - Infineon Technologies"" . Retrieved March 19, 2021.
  12. 1 2 Parsovs, Arnis (March 2021). Estonian Electronic Identity Card and its Security Challenges (PhD). University of Tartu.