Differences

public:papers:rsa_ccs17 [2017-10-30 14:40] – [Paper details] xsvendapublic:papers:rsa_ccs17 [2023-07-16 11:34] (current) – [Media] xsvenda
Line 1: Line 1:
 ====== ROCA: Vulnerable RSA generation (CVE-2017-15361) ====== ====== ROCA: Vulnerable RSA generation (CVE-2017-15361) ======
 ~~NOTOC~~ ~~NOTOC~~
 +====== Paper details ======
 +**Paper title: The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli [ACM CCS 2017]**\\
 +**Authors: Matus Nemec, Marek Sys, Petr Svenda, Dusan Klinec and Vashek Matyas**\\
 +**Primary contact:** Petr Svenda <svenda@fi.muni.cz> 
 +
 +  * Conference page: [[https://www.sigsac.org/ccs/CCS2017/ | ACM CCS 2017]]
 +  * Author ePrint version of the paper: {{ :public:papers:nemec_roca_ccs17_preprint.pdf | pdf}}
 +  * Conference slides: {{ {{ :public:papers:ccs-nemec-handout.pdf | pdf}}
 +  * Poster: {{ :public:papers:nemec_roca_csaw_poster.pdf | pdf}}
 +
 +**Bibtex (regular paper)**
 +
 +  @inproceedings{2017-ccs-nemec,
 +    Author        = {Matus Nemec and Marek Sys and Petr Svenda and Dusan Klinec and Vashek Matyas},
 +    Title         = {{The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli}},
 +    BookTitle     = {24th ACM Conference on Computer and Communications Security (CCS'2017)},
 +    Year          = {2017},
 +    ISBN          = {978-1-4503-4946-8/17/10},
 +    Publisher     = {ACM},
 +    Pages         = {1631-1648}
 +  }
 +
 **<TLDR>**  **<TLDR>** 
  
-A newly discovered vulnerability in generation of RSA keys used by a software library adopted in cryptographic smartcards, security tokens and other secure hardware chips manufactured by Infineon Technologies AG allows for a practical factorization attack, in which the attacker computes the private part of an RSA key. The attack is feasible for commonly used key lengths, including 1024 and 2048 bits, and affects chips manufactured as early as 2012, that are now commonplace. Assess your keys now with the provided [[https://crocs.fi.muni.cz/public/papers/rsa_ccs17#detection_tools_mitigation_and_workarounds | offline and online detection tools]] and contact your vendor if you are affected. Major vendors including Microsoft, Google, HP, Lenovo, Fujitsu already released the software updates and guidelines for a mitigation. Full details including the factorization method will be released in 2 weeks at the [[https://www.sigsac.org/ccs/CCS2017/ | ACM CCS conference]] as 'The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli' (ROCA) research paper. +**Release date: 16th October, 2017** 
 + 
 +A newly discovered vulnerability in generation of RSA keys used by a software library adopted in cryptographic smartcards, security tokens and other secure hardware chips manufactured by Infineon Technologies AG allows for a practical factorization attack, in which the attacker computes the private part of an RSA key. The attack is feasible for commonly used key lengths, including 1024 and 2048 bits, and affects chips manufactured as early as 2012, that are now commonplace. Assess your keys now with the provided [[https://crocs.fi.muni.cz/public/papers/rsa_ccs17#detection_tools_mitigation_and_workarounds | offline and online detection tools]] and contact your vendor if you are affected. Major vendors including Microsoft, Google, HP, Lenovo, Fujitsu already released the software updates and guidelines for a mitigation. Full details including the factorization method were released at the [[https://www.sigsac.org/ccs/CCS2017/ | ACM CCS conference]] as 'The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli' (ROCA) research paper.  
 + 
 +Download full paper: {{ :public:papers:nemec_roca_ccs17_preprint.pdf | pdf}}
  
 **</TLDR>** **</TLDR>**
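Review bot: the added `Conference slides` line opens the DokuWiki media link twice (`  * Conference slides: {{ {{ :public:papers:ccs-nemec-handout.pdf | pdf}}`), so the page will render raw braces instead of a link; delete the first `{{ ` so the line matches the poster entry directly below it, `  * Poster: {{ :public:papers:nemec_roca_csaw_poster.pdf | pdf}}`. The same preprint is now linked twice within a few lines, as `Author ePrint version of the paper` under Paper details and again as `Download full paper` at the end of the TLDR; the second copy can be dropped, since the Paper details block now sits right above the TLDR.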
Line 23: Line 49:
   * 2048 bit RSA keys – 140.8 CPU years, (the cost of $20,000 - $40,000).   * 2048 bit RSA keys – 140.8 CPU years, (the cost of $20,000 - $40,000).
  
-The vulnerability was found by a close inspection of a large number of RSA keys generated and exported from the manufacturer smartcards by researchers at CRoCS laboratory, Masaryk University, Enigma Bridge and Ca' Foscari University. The full results will be presented at an academic ACM Conference on Computer and Communications Security (ACM CCS '17) starting from October 30th+The vulnerability was found by a close inspection of a large number of RSA keys generated and exported from the manufacturer smartcards by researchers at CRoCS laboratory, Masaryk University, Enigma Bridge and Ca' Foscari University. The full results were presented at an academic ACM Conference on Computer and Communications Security (ACM CCS '17) in November 2017
  
-The vulnerability was disclosed to Infineon Technologies AG, following the responsible disclosure principle, in the first week of February with agreement of an 8 month period before a public disclosure. We cooperated with the manufacturer and other affected parties to help evaluate and mitigate this vulnerability during this period. Major vendors including Microsoft, Google, HP, Lenovo, Fujitsu already released the software updates and guidelines for a mitigation. We are now notifying general public and releasing tools for assessmnet of the individual keys. +The vulnerability was disclosed to Infineon Technologies AG, following the responsible disclosure principle, in the first week of February with agreement of an 8 month period before a public disclosure. We cooperated with the manufacturer and other affected parties to help evaluate and mitigate this vulnerability during this period. Major vendors including Microsoft, Google, HP, Lenovo, Fujitsu already released the software updates and guidelines for a mitigation. We are now notifying general public and releasing tools for assessment of the individual keys. 
  
 ===== Impact ===== ===== Impact =====
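Review bot: the closing sentence of the disclosure paragraph was left in the present tense, `We are now notifying general public and releasing tools for assessment of the individual keys.`, while the paragraph above it was moved to the past (`The full results were presented at an academic ACM Conference on Computer and Communications Security (ACM CCS '17) in November 2017`); on a page last revised in 2023, "now" no longer means 16 October 2017, so either date the sentence explicitly or drop it in favour of the Updates entry that records the release. The February disclosure date in the same paragraph still carries no year. Minor: the vendor sentence (`Major vendors including Microsoft, Google, HP, Lenovo, Fujitsu already released the software updates and guidelines for a mitigation.`) now appears verbatim both here and in the TLDR.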
Line 57: Line 83:
  
 ===== Updates ===== ===== Updates =====
-  * 2nd of November 2017 - Presentation of all details at the ACM CCS conference (to come) +  * 2nd of November - Presentation of ROCA at the ACM CCS conference, received Real-World Impact Award  
-  * 16th of October 2017 - The initial version of the public disclosure published +  * 30th October 2017 - Full paper made public: [[https://acmccs.github.io/papers/p1631-nemecA.pdf | pdf]] 
 +  * 16th of October 2017 - The initial version of the public disclosure published, detector of vulnerable keys [[https://github.com/crocs-muni/roca | published]]  
   * May to October 2017 - Cooperation with the manufacturer and other affected parties to help evaluate and mitigate the vulnerability   * May to October 2017 - Cooperation with the manufacturer and other affected parties to help evaluate and mitigate the vulnerability
   * 1st of February - The vulnerability disclosed to Infineon Technologies AG   * 1st of February - The vulnerability disclosed to Infineon Technologies AG
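Review bot: the rewritten first entry drops the year (`  * 2nd of November - Presentation of ROCA at the ACM CCS conference, received Real-World Impact Award`) while the two entries under it keep it, and the list now mixes `30th October 2017` with `16th of October 2017`; pick one date form and add the year to both the November and the February entries so the timeline reads without cross-referencing other sections. The new detector link (`[[https://github.com/crocs-muni/roca | published]]`) points at the same tool the TLDR reaches through its anchor link; labelling it "detection tool" rather than "published" would make the link text say what it opens.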
Line 97: Line 124:
   * Google, The Chromium project Trusted Platform Module firmware vulnerability: https://sites.google.com/a/chromium.org/dev/chromium-os/tpm_firmware_update   * Google, The Chromium project Trusted Platform Module firmware vulnerability: https://sites.google.com/a/chromium.org/dev/chromium-os/tpm_firmware_update
   * CVE-2017-15361: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15361, https://nvd.nist.gov/vuln/detail/CVE-2017-15361   * CVE-2017-15361: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15361, https://nvd.nist.gov/vuln/detail/CVE-2017-15361
 +  * National Cyber Security Centre, UK: https://www.ncsc.gov.uk/guidance/roca-infineon-tpm-and-secure-element-rsa-vulnerability-guidance
 +  * D.J.Bernstein and T. Lange, Reconstructing ROCA: https://blog.cr.yp.to/20171105-infineon.html
  
 ===== Media ===== ===== Media =====
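Review bot: in the added reference `  * D.J.Bernstein and T. Lange, Reconstructing ROCA: https://blog.cr.yp.to/20171105-infineon.html` the initials are run together for the first author and spaced for the second; write `D. J. Bernstein and T. Lange`. Both new entries otherwise follow the list's existing `source, title: URL` pattern, so nothing else needs changing here.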
Line 109: Line 138:
   * The Register: https://www.theregister.co.uk/2017/10/23/roca_crypto_flaw_gemalto/   * The Register: https://www.theregister.co.uk/2017/10/23/roca_crypto_flaw_gemalto/
   * ArsTechnica: https://arstechnica.com/information-technology/2017/10/crippling-crypto-weakness-opens-millions-of-smartcards-to-cloning/   * ArsTechnica: https://arstechnica.com/information-technology/2017/10/crippling-crypto-weakness-opens-millions-of-smartcards-to-cloning/
 +  * RSA Security: https://www.rsa.com/en-us/blog/2017-10/roca-blaming-infineon-is-the-easy-way-out
 +  * ArsTechnica: https://arstechnica.com/information-technology/2017/11/flaw-crippling-millions-of-crypto-keys-is-worse-than-first-disclosed/
 +  * SC Media: https://www.scmagazineuk.com/roca-the-role-of-key-generation-and-decrypting-of-private-keys/article/704343/
 +  * Cybernetica: https://cyber.ee/en/news/cybernetica-case-study-solving-the-estonian-id-card-case/
 +  * Infineon: https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa-background
  
  
-====== Paper details ====== 
-**Paper title: The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli [ACM CCS 2017]**\\ 
-**Authors: Matus Nemec, Marek Sys, Petr Svenda, Dusan Klinec and Vashek Matyas**\\ 
-**Primary contact:** Petr Svenda <svenda@fi.muni.cz>  
- 
-  * Conference page: [[https://www.sigsac.org/ccs/CCS2017/ | ACM CCS 2017]] 
-  * Download author ePrint version of the paper: {{ :public:papers:nemec_roca_ccs17_preprint.pdf | pdf}} 
- 
-**Bibtex (regular paper):** 
- 
-  @inproceedings{2017-ccs-nemec, 
-    Author        = {Matus Nemec and Marek Sys and Petr Svenda and Dusan Klinec and Vashek Matyas}, 
-    Title         = {The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli}, 
-    BookTitle     = {24th ACM Conference on Computer and Communications Security (CCS'2017)}, 
-    Year          = {2017}, 
-    ISBN          = {978-1-4503-4946-8/17/10}, 
-    Publisher     = {ACM}, 
-    Pages         = {1631-1648} 
-  } 
  
 ---- ----
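Review bot: removing the lower `Paper details` copy (the `-` lines above) is the right fix for the duplicated block, but it leaves three consecutive blank lines in front of the `----` rule; collapse them to one. One difference between the removed copy and the relocated one is worth keeping on purpose: the new entry has `Title         = {{The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli}},` with double braces, which stop BibTeX styles from lowercasing the title, whereas the removed copy used single braces. The two ArsTechnica entries in Media are different articles (the October one on smartcard cloning, the November one reporting the flaw as worse than first disclosed), so they are not a duplicate; the new `RSA Security` and `Infineon` entries appear to be vendor statements rather than press coverage and might sit better in the references list above, but that is a judgement call.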