ROCA: Vulnerable RSA generation (CVE-2017-15361)
The KRACK Wi-Fi vulnerability has received a great deal of press coverage; however, a potentially more dangerous security flaw was also publicly disclosed earlier this week.
The security of most of the Internet and of identity authentication systems is largely based on the RSA cryptosystem. RSA asymmetric key cryptography relies upon the inherent difficulty of factoring the product of two very large prime numbers; that product is the public modulus.
A flaw was discovered in the RSA key-generation routine of a cryptographic library used on Infineon chipsets, causing it to produce weak RSA public keys. Many of the public keys generated by Infineon embedded crypto chips since 2012, which should be impractical to factor, can be factored in practice.
The worst-case factorization times are less than 3 CPU-months for a 1024-bit key and 100 CPU-years for a 2048-bit key on a single core of a common CPU, while the expected time is half of the worst case. This does not take into account hardware acceleration such as Graphics Processing Units (GPUs) or Application-Specific Integrated Circuits (ASICs), which would significantly reduce the time needed.
The factorization can be performed in parallel on multiple CPUs, allowing practical factorization in hours or days. The worst-case price of the factorization on an Amazon AWS c4 compute instance is $76 for a 1024-bit key and about $40,000 for a 2048-bit key; the expected cost is about half that.
Infineon chipsets are used in Trusted Platform Module (TPM) 1.2 implementations, commonly relied on for BitLocker whole-disk encryption. Put differently, if a competitor or state actor stole a BitLocker-encrypted disk, it could potentially cost only $20,000 to decrypt.
A properly generated 2048-bit RSA public key should require several quadrillion years, hundreds of thousands of times the age of the universe, to be factored with a general-purpose computer.
Major vendors, including Microsoft, Google, HP, Lenovo and Fujitsu, have already released software updates and mitigation guidance.
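The first step in applying those mitigations is finding out which of your keys are affected. The following is an added example, not code from this post or from Infineon: it implements the fingerprint test published by the disclosing researchers (the modulus reduced modulo each of 38 small primes must land in the subgroup generated by 65537, because the flawed generator built its primes as k*M + (65537^a mod M)), and it constructs both a weak and a properly generated test modulus so the two can be compared. The prime list, the structure of M and the synthetic test keys are assumptions made here for illustration.

```python
"""ROCA (CVE-2017-15361) fingerprint. The flawed generator built primes as k*M + (65537**a mod M),
M = product of the first primes, so N = p*q reduced mod any small prime r | M lies in <65537>."""
import math
import random

# Primes 3..167 used by the published fingerprint; all divide M for every affected key size.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73,
                79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167]

def _orbit(r):  # subgroup of (Z/rZ)* generated by 65537: every residue 65537**i mod r
    orbit, x = set(), 1
    while x not in orbit:
        orbit.add(x)
        x = x * 65537 % r
    return orbit

ORBITS = {r: _orbit(r) for r in SMALL_PRIMES}
def has_roca_fingerprint(n):
    """True if n % r is in <65537> for all 38 primes; a properly random modulus practically never is."""
    return all(n % r in ORBITS[r] for r in SMALL_PRIMES)

def is_probable_prime(n, rounds=16):
    """Miller-Rabin for building test values (n > 3); not a key-generation routine."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1: break
        else:
            return False
    return True

M = 2 * math.prod(SMALL_PRIMES)  # constructed M = first 39 primes, the size class used for 512-bit keys

def make_modulus(bits=512, weak=False, seed=1):
    """N = p*q from two bits//2 primes: weak=True gives the ROCA structure, else properly random."""
    rng, half = random.Random(seed), bits // 2
    lo, primes = 1 << (half - M.bit_length()), []
    while len(primes) < 2:
        if weak:  # constructed with the flawed generator's structure k*M + (65537**a mod M)
            p = rng.randrange(lo, 2 * lo) * M + pow(65537, rng.randrange(M), M)
        else:     # properly generated: random bits with top and bottom bit set
            p = rng.getrandbits(half) | (1 << (half - 1)) | 1
        if p.bit_length() == half and is_probable_prime(p):
            primes.append(p)
    return primes[0] * primes[1]
```

To scan a real key, load its modulus with your usual library (for example `cryptography`'s `public_numbers().n`) and pass it to `has_roca_fingerprint`; a positive result means the key should be replaced, not merely patched.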