Meet ROCA, the Exploit Worse Than KRACK That Puts Millions of High-Security Crypto Keys at Risk
KRACK, the famous WiFi exploit, appears to be taking over your Monday? Wait for an even worse security flaw. A crippling vulnerability has put the security of millions of encryption keys at risk, with some of those being used in national identity cards, software signing, and trusted platform modules protecting government and enterprise computers. In yet another wild Monday, researchers have revealed a fatal weakness in a widely used cryptography code library found in chips made by a German company but used by several tech giants, including Google and Microsoft.
Dubbed as ROCA (Return of Coppersmith's Attack), the vulnerability has been discovered in the generation of RSA keys used by a software library adopted in cryptographic smartcards, security tokens and other secure hardware chips. The exploit enables a "practical factorization attack, in which the attacker computes the private part of an RSA key," the researchers wrote. More importantly, the attack works for all commonly used key lengths, including 1024 and 2048 bits, and affects chips manufactured as early as 2012.
ROCA: Public key to calculate private key
The 5-year-old weakness essentially enables attackers to calculate the private portion of the key using nothing but the public part. "In public key cryptography, a fundamental property is that public keys really are public - you can give them to anyone without any impact in security," Graham Steel, CEO of encryption consultancy firm Cryptosense, said. "In this work, that property is completely broken."
The exploit essentially undermines the security of encryption keys as you can't prove if a document signed by someone's private key was indeed signed by them. Or if the recipient is the only one reading the data sent using their public key. "You could now go to court and deny that it was you that signed something," Steel added. "There would be no way to prove it, because theoretically, anyone could have worked out your private key."
Since hackers are able to work out the private portion of the key, they can impersonate users, decrypt sensitive data, inject malicious code into files, and forge signatures for software and hardware signing.
How ROCA works
The code library (RSA Library version v1.02.013) was developed by German chipmaker Infineon Technologies AG and has been used to generate keys since 2012. Security researchers from the Centre for Research on Cryptography and Security, Masaryk University, Enigma Bridge and Ca' Foscari University have demonstrated how Infineon made it possible for attackers to calculate private keys based on public numbers.
Typically, two large prime numbers are multiplied together to get private and public keys. While the public key is shared, it cannot be used to derive private key since it is very difficult to factor a large sum to reveal the crucial primes that make up a private key. But, if someone manages to get both the original prime numbers they can calculate the private key to impersonate as the key owner.
The algorithmic vulnerability is characterized by a specific structure of the generated RSA primes, which makes factorization of commonly used key lengths including 1024 and 2048 bits practically possible.
Infineon, in short, failed to make sure that the public key wasn't factorable, putting critical systems at risk as its chips have been used by several technology giants, including Google, Microsoft, HP, Lenovo, Fujitsu (all of them have released a fix). What's worse is that the flawed library complies with two international security certification standards, which means governments, their contractors and large companies are also at risk. Estonia is the first to have come forward, warning that 750,000 digital IDs issued since 2014 are vulnerable to attack.
The researchers wrote that they "analyzed vulnerable keys in various domains including electronic citizen documents, authentication tokens, trusted boot devices, software package signing, TLS/HTTPS keys and PGP" and currently put the total number of vulnerable keys at 760,000. However, the original number could be up to two to three magnitudes.
They have added that RSA keys generated with OpenSSL, PGP-compliant programs, and other similar programs aren't affected by ROCA. However, those that rely on embedded chips or smart cards for cryptographic functions may be vulnerable; you can confirm by taking this test.
"Lack of public information causes a delay in the discovery of flaws"
Security researchers have called on to the companies for keeping the design secret, which makes these protocols and libraries vulnerable to attacks even if they have been "approved" by experts.
"Our work highlights the dangers of keeping the design secret and the implementation closed-source, even if both are thoroughly analyzed and certified by experts," researchers said. "The lack of public information causes a delay in the discovery of flaws (and hinders the process of checking for them), thereby increasing the number of already deployed and affected devices at the time of detection."
While KRACK may have been taking all of the news space, ROCA is an even bigger issue since while KRACK only works for attackers that are within range, ROCA has serious ramifications both in the government and outside. "Imagine a Shadowbrokers-like organization posts just a couple of private keys on the Internet and claims to have used the technique to break many more," Steel said.
Researchers will share details of ROCA at the ACM CCS conference on November 2.
- Details about mitigation and how to see if you are affected are available in the original research.