The ROCA disclosure landed alongside KRACK this week: Return of Coppersmith's Attack (Nemec et al, ROCA paper at CCS 2017, Masaryk University CRoCS group page). The Masaryk University CRoCS group, working with researchers from Enigma Bridge and Ca' Foscari, demonstrates that RSA keys generated by Infineon's RSA library, which is used in a substantial population of Trusted Platform Modules, smartcards and national identity card systems, have a structural property that makes them factorable in a small fraction of the time a properly generated RSA key of the same modulus size would require.

The technical detail is, for those who have followed RSA implementation history, an instructive case. Infineon's library does not draw prime candidates uniformly at random. To keep prime generation cheap on constrained smartcard and TPM hardware, every candidate takes the form p = k·M + (65537^a mod M), where M is the product of the first n small primes (n grows with the key size) and k and a are the only random inputs. Each candidate is automatically coprime to all of those small primes, so the trial-division step of prime generation is skipped; that is the intended saving. The cost is that most of p is determined by the exponent a, which ranges only over the multiplicative order of 65537 modulo M, a number far smaller than M itself, and that the structure survives multiplication: N = p·q is itself a power of 65537 modulo M. Coppersmith's method, a 1996 technique for factoring an RSA modulus when enough of one prime is known, applies once the attacker guesses a; the paper's contribution is to choose a divisor M' of M that makes the guess space small enough to enumerate while leaving enough known structure for the lattice step to succeed. The practical consequence, on the paper's figures: a 1024-bit key factors in roughly 100 CPU-days in the worst case, and a 2048-bit key in roughly 140 CPU-years, which the authors price at about $40,000 of AWS compute. Because the search over a parallelises perfectly, that is wall-clock days for any adversary with the budget, not a state-only capability. 4096-bit keys remain beyond practical reach of the published method. The exact timeline depends on what the attacker is willing to spend; the paper gives cost estimates against AWS pricing for each key size.

The deployment population is the operational story. Infineon TPM chips sit in a substantial fraction of business-class laptops shipped over the past several years, where they seal disk-encryption keys (BitLocker), hold credentials for corporate VPN authentication, and sign code in some development pipelines. One scoping caveat matters: only RSA keys the chip generated itself with the flawed routine carry the weakness; keys generated in software and imported into a TPM or card are unaffected, so the question is always where a given key was born. Estonian national identity cards, the canonical worked example of a digital-identity programme, use Infineon chips and are affected at the population level. Slovak national IDs are affected. Spanish IDs are affected. YubiKey 4 tokens that generated RSA keys on-device are affected. Several large hardware-security-module deployments are affected. Published estimates of the total affected key population run from hundreds of millions to over a billion, but nobody has a reliable count: most affected keys live inside devices whose public halves are never published, so the counts confirmed from public datasets (keyservers, certificate logs, the Estonian register) are a small slice of what shipped.

For the operational response, the first step is identification, and ROCA is unusually kind to defenders here: the same structure that enables the attack makes an affected key recognisable from its public modulus alone. Because both primes are powers of 65537 modulo M, N mod p_i must lie in the subgroup generated by 65537 for every small prime p_i, a test that takes microseconds and needs neither the private key nor access to the device. The Masaryk team have published an online checker and a command-line tool (keychest.net/roca; the tool is also on GitHub under crocs-muni/roca) that implement exactly this fingerprint. The customer-organisation work this week is to enumerate every RSA public key in customer estates that was generated on an Infineon-shipping device (hardware tokens, TPMs, smartcards, certain HSMs) and test it; much of that enumeration can be done from artefacts already in hand, such as certificates in the directory, SSH authorized_keys files, PGP keyrings and VPN client certificates, before anyone touches a device. Affected keys must be regenerated with a routine that does not have the flaw. In some cases the TPM or smartcard can be reflashed with a firmware update that fixes key generation; in others the device must be replaced. Two caveats apply either way: a firmware update does not repair keys that already exist, so regeneration is needed regardless, and the old keys and any certificates issued for them must be revoked rather than merely retired, since a copy of the public key is all an attacker needs. The customer-side effort to re-issue affected smartcards and re-generate affected TPM keys is substantial but manageable on a multi-month schedule.
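The construction described above and the fingerprint test that follows from it, as an added worked example (not code from the ROCA authors or from the crocs-muni/roca tool): the key-generation routine follows the p = k·M + (65537^a mod M) structure the paper describes, with the ranges of k and a simplified for illustration and the function names our own. It builds one Infineon-style 512-bit modulus and one ordinarily generated modulus from a seeded generator (constructed sample input), applies the subgroup-membership check to both, and reports how much entropy the structure removes from the unknown exponent.

```python
"""Infineon-style RSA prime structure and the ROCA public-key fingerprint.

Added example. The construction follows the structure described in the ROCA
paper (p = k*M + (65537^a mod M), M a primorial); parameter ranges of the
real library are simplified and every name here is our own.
"""
import math
import random

GENERATOR = 65537

# The first 39 primes: their product is the primorial M used for 512-bit keys.
# Larger key sizes use longer primorials, so a fingerprint over these 39 primes
# covers every vulnerable key size.
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53,
                59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113,
                127, 131, 137, 139, 149, 151, 157, 163, 167]
M = math.prod(SMALL_PRIMES)


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin; bases are drawn from rng so a seeded run is reproducible."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:  # cheap trial division first
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def infineon_style_prime(bits, rng):
    """Candidate p = k*M + (65537^a mod M) of exactly `bits` bits.

    Every candidate is coprime to all of SMALL_PRIMES by construction (the
    trial-division branch above never fires), which is the speed-up the
    library wanted; the price is that p mod M always lies in <65537>."""
    k_min = (1 << (bits - 1)) // M + 1
    k_max = (1 << bits) // M
    while True:
        residue = pow(GENERATOR, rng.randrange(M), M)
        candidate = rng.randrange(k_min, k_max) * M + residue
        if is_probable_prime(candidate, rng):
            return candidate


def random_prime(bits, rng):
    """Ordinary generation for comparison: random odd candidates, no structure."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, rng):
            return candidate


def make_modulus(bits, rng, vulnerable):
    gen = infineon_style_prime if vulnerable else random_prime
    p = gen(bits // 2, rng)
    q = gen(bits // 2, rng)
    while q == p:
        q = gen(bits // 2, rng)
    return p * q


def _subgroup(p):
    """The cyclic subgroup <65537> of Z_p^*: every value 65537^j mod p."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * GENERATOR) % p
    return frozenset(seen)


SUBGROUPS = {p: _subgroup(p) for p in SMALL_PRIMES}


def roca_fingerprint(n):
    """True when N mod p_i lies in <65537> mod p_i for every small prime.

    A vulnerable modulus always passes: p = 65537^a and q = 65537^b (mod M),
    so N = 65537^(a+b) (mod M). A modulus from random primes passes only with
    probability false_positive_rate()."""
    return all(n % p in SUBGROUPS[p] for p in SMALL_PRIMES)


def roca_fingerprint_hex(modulus_line):
    """Same check on the `Modulus=HEX` line printed by `openssl x509 -noout -modulus`."""
    return roca_fingerprint(int(modulus_line.split("=")[-1].strip(), 16))


def false_positive_rate():
    """Chance that a properly generated modulus passes the fingerprint."""
    return math.prod(len(SUBGROUPS[p]) / p for p in SMALL_PRIMES)


def unknown_exponent_bits():
    """Bit length of ord_M(65537), the range of the unknown exponent a.

    It is the lcm of the per-prime orders and is far below M's bit length;
    this (further reduced via a divisor M' of M) is what the attack searches."""
    order = 1
    for p in SMALL_PRIMES:
        o = len(SUBGROUPS[p])
        order = order * o // math.gcd(order, o)
    return order.bit_length()


def build_sample_pair(seed=2017, bits=512):
    """Constructed sample: one Infineon-style and one ordinary modulus, seeded."""
    rng = random.Random(seed)
    return make_modulus(bits, rng, True), make_modulus(bits, rng, False)


if __name__ == "__main__":
    bad, good = build_sample_pair()
    print("Infineon-style modulus flagged:", roca_fingerprint(bad))
    print("ordinary modulus flagged:", roca_fingerprint(good))
    print("false positive rate: %.2e" % false_positive_rate())
    print("unknown exponent: %d bits (M has %d bits)"
          % (unknown_exponent_bits(), M.bit_length()))
```

In an estate sweep the modulus comes from artefacts you already hold: `openssl x509 -noout -modulus -in cert.pem` or `openssl rsa -pubin -noout -modulus -in key.pem` prints the `Modulus=` line that `roca_fingerprint_hex` accepts, so certificates exported from the directory or a VPN CA can be screened without touching a single device. The published crocs-muni tool uses a hand-picked subset of primes with small subgroups for the same test; checking all 39 primes here costs nothing and keeps the false-positive rate negligible.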

Estonia is the case worth thinking about in detail because the population scale and the depth of integration into national infrastructure are unique. The Estonian government's response, suspending approximately 760,000 affected ID cards and migrating the population to refreshed cards over a period of several months, is the right operational response, and the political handling of it has been, on the public reporting, exemplary (RIA / e-Estonia announcement page). The cost is substantial, and the trust impact on the e-residency programme is non-trivial in the short term, but the long-term posture is preserved by the substantive response. Smaller countries with similar deployments are working through their own cadences; the operational picture across affected national programmes will be a story for the rest of 2017 and into 2018.

The supply-chain dimension is the one I keep returning to. Infineon's RSA library is, at base, a piece of cryptographic code from a single vendor that was incorporated into millions of devices by hundreds of integrators over more than a decade. The flaw was not detected by Infineon's internal review, by the integrators' security audits, by the certification processes (Common Criteria, FIPS 140-2) that several of the affected products were certified under, by the academic cryptographic community's prior analysis of Infineon outputs, or by any operational telemetry. That is all the more striking because the weakness is visible in the public key: affected keys had been sitting in public keyservers and certificate logs for years, checkable by anyone who thought to look at the residues of the modulus modulo small primes. It was found by a research group with the time and the cryptographic expertise to look properly. The inference, which I am writing into the next round of customer briefings, is that supply-chain trust in cryptographic primitives, even from major vendors, even with formal certification, requires continuous independent scrutiny rather than one-time evaluation; certification attests to a process at a point in time, not to the absence of a structural weakness in the output. The investment in research groups capable of doing that scrutiny is part of the security economy that does not, currently, have stable funding, and the structural argument for changing that is reinforced by ROCA.

For our customer estates, the action this week is the inventory. Browne Jacobson's hardware-token estate is small and is being audited; preliminary indication is that the affected token models are present in the senior-partner population. Towry's HSM estate is on equipment that does not include the affected library and is clean. Northcott's smartcard deployment is on a non-Infineon chip and is clean. The manufacturer has substantial deployment of business-class laptops with TPMs, and the affected population there will be in the hundreds — the audit and remediation programme will run through Q1 2018. The new financial-services client uses HSMs from a vendor that has confirmed the Infineon library is not in scope for their products; clean.

The longer-form essay file gains another entry. Cryptographic supply-chain integrity, to be written properly in 2018.
