The security/cryptography industry has recently taken a battering. Hot on the heels of the KRACK WiFi network vulnerability comes an even bigger, more calamitous and more widespread hazard – the ROCA hack has exposed millions of smartcards, laptops, devices and secure systems to potential criminal activity.
Infineon Technologies AG is a multi-billion dollar, 18-year old German chipmaker that was originally part of Siemens, with 36,000 employees in 166 locations in over 25 countries. It claims to be “the leading provider of security solutions with robust, future-proof embedded security hardware”.
Infineon developed an encryption code library around 2012 that is compliant with recognized global security certification standards, yet it contains a deadly flaw. The fault means that many of the public cryptography keys it generates can be decomposed relatively easily to reveal the corresponding private key. That means that all of its keys are suspect and would not stand up in a court of law as proof that a named party digitally signed a document, or a piece of software, or government identity cards (e.g. Slovakia, Estonia). It also means that criminals could impersonate the true signatory. Hackers could inject malicious code into genuine software products and distribute them as though they were authenticated and digitally signed by the manufacturer.
Infineon did not perform adequate due diligence QA on the code library. As a result, some of its public keys, or moduli, are easily factored. At the core of many encryption system is often a very large integer that is calculated by multiplying two prime numbers together to arrive at a semiprime number. Some of Infineon’s public keys can be factored, since the component prime numbers can be reverse-engineered. Researchers can identify, or fingerprint, which public keys are vulnerable. Wikipedia defines key fingerprinting in public-key cryptography as, “a short sequence of bytes used to identify a longer public key.”
In the ROCA hack (“Return of Coppersmith’s Attack”), researchers developed a version of an existing decryption method. It leveraged the vulnerability that the modulus, or public key, can be factored to reveal the crucial primes. Factorizing the public key still requires considerable computing power and time, and the researchers used Amazon cloud compute services as a benchmark to illustrate the effort and cost. Once a public key has been fingerprinted as being potentially factorizable using this tool, a 1024-bit key would take just a few minutes to break, at a mere cost of approximately $75. A 2048-bit key would cost about $40,000 to crack, and would take a little more than two weeks. A properly-factored key would take millions of years and could not be broken in practical terms. These estimates illustrate the relative strengths and weaknesses of weak and strong keys.
How widespread is this?
There are tens of millions of these Infineon RSA keys in the field. Also, Trusted Platform Modules (TPMs) are embedded chips that are designed to safeguard hardware by integrating crypto keys, and can generate secure keys and facilitate remote login by authenticating credentials. Many Windows devices manufactured by HP, Fujitsu, and Lenovo are impacted; Google Chromebooks are similarly affected. Any devices that utilize Infineon RSA technology must be patched.
Concerns for the security industry
The organization that leads global certification of encryption methods is the National Institute of Standards and Technology (NIST) and the most important standards are FIPS 140-2 Level 2 and the Common Criteria. This is the second credibility hit to affect encryption technology since four years ago, when Taiwan’s certified digital ID secure technology was discovered to contain a flaw that could enable a hacker to adopt another user’s persona. Standards and certification will surely be reassessed and strengthened to reclaim credibility.
Is there any good news?
Yes. The vulnerability applies only to keys that were generated by the Infineon RSA encryption technology. RSA keys generated with software such as PGP, OpenSSL, and similar are not impacted. Neither are non-RSA keys, such as those using Elliptic Curve Cryptography and other technologies. In any case, only keys that were generated by a smartcard or an embedded device using the Infineon code library exhibit this flaw.