The security/cryptography industry has recently taken a battering. Hot on the heels of the KRACK WiFi network vulnerability comes an even bigger, more calamitous and more widespread hazard – the ROCA hack has exposed millions of smartcards, laptops, devices and secure systems to potential criminal activity.

Infineon Technologies AG is a multi-billion dollar, 18-year old German chipmaker that was originally part of Siemens, with 36,000 employees in 166 locations in over 25 countries. It claims to be “the leading provider of security solutions with robust, future-proof embedded security hardware”.

Infineon developed an encryption code library around 2012 that is compliant with recognized global security certification standards, yet it contains a deadly flaw. The fault means that many of the public cryptography keys it generates can be decomposed relatively easily to reveal the corresponding private key. That means that all of its keys are suspect and would not stand up in a court of law as proof that a named party digitally signed a document, or a piece of software, or government identity cards (e.g. Slovakia, Estonia). It also means that criminals could impersonate the true signatory. Hackers could inject malicious code into genuine software products and distribute them as though they were authenticated and digitally signed by the manufacturer.

Infineon did not perform adequate due diligence QA on the code library. As a result, some of its public keys, or moduli, are easily factored. At the core of many encryption system is often a very large integer that is calculated by multiplying two prime numbers together to arrive at a semiprime number. Some of Infineon’s public keys can be factored, since the component prime numbers can be reverse-engineered. Researchers can identify, or fingerprint, which public keys are vulnerable. Wikipedia defines key fingerprinting in public-key cryptography as, “a short sequence of bytes used to identify a longer public key.”

In the ROCA hack (“Return of Coppersmith’s Attack”), researchers developed a version of an existing decryption method. It leveraged the vulnerability that the modulus, or public key, can be factored to reveal the crucial primes. Factorizing the public key still requires considerable computing power and time, and the researchers used Amazon cloud compute services as a benchmark to illustrate the effort and cost. Once a public key has been fingerprinted as being potentially factorizable using this tool, a 1024-bit key would take just a few minutes to break, at a mere cost of approximately $75. A 2048-bit key would cost about $40,000 to crack, and would take a little more than two weeks. A properly-factored key would take millions of years and could not be broken in practical terms. These estimates illustrate the relative strengths and weaknesses of weak and strong keys.

How widespread is this?

There are tens of millions of these Infineon RSA keys in the field. Also, Trusted Platform Modules (TPMs) are embedded chips that are designed to safeguard hardware by integrating crypto keys, and can generate secure keys and facilitate remote login by authenticating credentials. Many Windows devices manufactured by HP, Fujitsu, and Lenovo are impacted; Google Chromebooks are similarly affected. Any devices that utilize Infineon RSA technology must be patched.

Concerns for the security industry

The organization that leads global certification of encryption methods is the National Institute of Standards and Technology (NIST) and the most important standards are FIPS 140-2 Level 2 and the Common Criteria. This is the second credibility hit to affect encryption technology since four years ago, when Taiwan’s certified digital ID secure technology was discovered to contain a flaw that could enable a hacker to adopt another user’s persona. Standards and certification will surely be reassessed and strengthened to reclaim credibility.

Is there any good news?

Yes. The vulnerability applies only to keys that were generated by the Infineon RSA encryption technology. RSA keys generated with software such as PGP, OpenSSL, and similar are not impacted. Neither are non-RSA keys, such as those using Elliptic Curve Cryptography and other technologies. In any case, only keys that were generated by a smartcard or an embedded device using the Infineon code library exhibit this flaw.

They have called it KRACK — Key Reinstallation Attack – and it uncovers a vulnerability in practically every modern WiFi network in the world. The flaw lies at the heart of the WPA2 security protocol that controls access and encrypts traffic. It can be leveraged to snoop on confidential information such as emails, credit card details, passwords and so on.

Who is impacted?

Businesses and individuals, institutions and enterprises, personal and corporate networks – every network that uses WPA2 or the older WPA1. Ciphers GCMP, AES-CCMP and WPA-TKIP. Windows, Linux, Apple, Android, Linksys, MediaTek, OpenBSD, have all been shown to be vulnerable to KRACK attacks. In fact, Android 6 users are most vulnerable

What exactly is the flaw?

When a user connects to a WiFi network, WPA2 uses what is called a 4-way handshake to validate the user’s credentials and connect authorized users to the network. Step 3 of that handshake process involves generating a unique session key. The flaw means that the key generation process can be manipulated to either use a key from a previous session or, in the case of Android 6, to use a key containing all zeros. Hence the name Key Reinstallation attack. Therefore a hacker could pose as an existing legitimate user and tap into the data going to and from that user. A hacker could also inject malware into a data stream to/from a user. A more technical low down can be found here and here.

Is there any good news?

Yes indeed. Most websites that handle confidential data, such as banks and eCommerce sites, use the HTTPS secure layer protocol to encrypt traffic. The WPA2 vulnerability cannot compromise data that is encrypted by some other method other than WPA2. This means that VPN traffic, for example, is not compromised. It is only plain old HTTP traffic that could be stolen. In any case, an attacker would have to be in close physical proximity in order to access any WiFi network, so it’s not like a vulnerability that can be leveraged from half way across the globe over the Internet.

Who is to blame and could it have been avoided?

Founded in 1999, Wi-Fi Alliance is the non-for-profit organization formed by the major players worldwide that create and deliver the Wi-Fi ecosystem, on which billions of people depend every day. It says, “Today, Wi-Fi carries more than half of the internet’s traffic in an ever-expanding variety of applications.” Its website carries the announcement of the vulnerability published October 16.
Seeing as this organization developed WPA2, then any finger pointing leads straight here, although it would be ultra-critical to lay blame with a product that has stood the test of time in the 13 years since its release in 2004. Could it have been avoided? Could Daimler have avoided the recall of over one million Mercedes Benz automobiles recently for an air bag flaw? Of course, the answer is yes, in theory, but no product can lay claim to be 100% foolproof or flawless.

What next to protect WiFi users?

The researchers quite responsibly informed the relevant bodies discreetly such that manufacturers like Microsoft had a month to develop security patches before the word got out. Users should update their devices. Microsoft users who subscribe to automatic updates will already have been upgraded. Android users should upgrade asap. However, as routers are almost always not on an automatic upgrade program, many may never receive firmware upgrades. That may not be an issue as long as clients (users) upgrade devices.