igor - Fotolia

ROCA RSA flaw unveils secret keys on wide range of devices

Researchers disclosed the ROCA RSA vulnerability as a dangerous flaw in the cryptographic code of Infineon chips that could undermine encryption key security for a number of devices.

Researchers uncovered a flaw in RSA encryption implementation that could allow attackers to steal secret keys of vulnerable devices.

A team of researchers from the Masaryk University in Brno, Czech Republic, Enigma Bridge, a cybersecurity governance company based in Cambridge, U.K., and Ca' Foscari University in Venice, Italy, named the flaw they discovered Return of Coppersmith's Attack (ROCA) and said the RSA algorithm vulnerability "was found in the implementation of RSA keypair generation in a cryptographic library used in a wide range of cryptographic chips produced by Infineon Technologies AG." 

The researchers said the ROCA RSA vulnerability (CVE-2017-15361) affects popular devices using Infineon chips "since at least the year 2012."

"The algorithmic vulnerability is characterized by a specific structure of the generated RSA primes, which makes factorization of commonly used key lengths including 1024 and 2048 bits practically possible," the researchers wrote in a post. "Only the knowledge of a public key is necessary and no physical access to the vulnerable device is required. The vulnerability does not depend on a weak or a faulty random number generator - all RSA keys generated by a vulnerable chip are impacted."

According to the researchers, the cost of exploiting the ROCA RSA vulnerability is dependent on the length of the key with 512 bit RSA keys costing two CPU hours, or six cents, 1024 bit RSA keys needing 97 CPU days at a cost of $40 to $80, and 2048 bit RSA keys being "practically possible" in 140.8 CPU years, but expensive at $20,000 to $40,000. However, a "4096-bit RSA key is not practically factorizable now, but may become so, if the attack is improved."

Impact of ROCA RSA vulnerability

The research team released tools to test for devices susceptible to the ROCA RSA vulnerability and, as of this post, experts determined some Trusted Platform Modules or smartcards from vendors such as Google, Hewlett Packard and Lenovo at risk, as well as certain Yubikey devices which may have led to the creation of flawed SSH and GPG keys.

While the risks of the ROCA RSA vulnerability vary and depends on an attacker knowing the victim's public key, the researchers said "the private key can be misused for impersonation of a legitimate owner, decryption of sensitive messages, forgery of signatures (such as for software releases) and other related attacks."

Anurag Kahol, CTO at Bitglass, said encryption is "a powerful tool for data protection, [but] only effective if implemented properly."

"In this case, where private keys can be derived from public keys, the implementation was flawed," Kahol told SearchSecurity. "For organizations and governments that choose to encrypt data, key management -- storing keys securely, rotating master keys and aliases to that master key -- can be invaluable in protecting data.”

Major vendors including Microsoft, Google, HP, Lenovo and Fujitsu have released software updates to mitigate the risk of the ROCA RSA vulnerability. Yubico said the flaw affected about 2% of customers who use "the PIV smart card and OpenPGP functionality of the YubiKey 4 platform" and posted mitigation techniques for users with Yubikey 4 versions 4.2.6 to 4.3.4.

Jesse Victors, security consultant for Synopsys, said the ROCA RSA vulnerability is more proof that crypto is fragile.

"RSA turned 40 years old this year and we still seem to struggle with using and implementing it correctly. The RSA algorithm described in 1977 is fast but unsafe and must be implemented carefully to avoid several padding oracle attacks and information leaks," Victors wrote in a blog post. "Numerous schemes have been introduced to address the flaws, which I consider this to be a flaw with RSA's design and the complexity of standards. However, RSA was there first, and it's one of our best public key encryption schemes, so it isn't going away any time soon."

Next Steps

Learn how SSH key management and security can be improved.


Find out how Yubico is bringing FIDO authentication to the masses.


How can PGP short key IDs be protected from collision attacks?

Dig Deeper on Data security and privacy