Versasec Announces Plan to Protect Clients from ROCA
Stockholm, Sweden, November 16, 2017 -- Versasec, the leader in smart card and virtual smart card management systems, today announced simple steps its clients can take to understand their ROCA vulnerability. The Return of Coppersmith's Attack (ROCA), designates an updated version of an old attack that exposes the vulnerabilities of weak RSA keys. The attack is named after mathematician and cryptographer Don Coppersmith who helped design the Data Encryption Standard block cipher at IBM.
Today, ROCA involves a flaw that was discovered in a software library used by Infineon Technologies AG Trusted Platform Modules (TPMs), Smart Cards and Secure Elements (SEs) to generate RSA private keys. The flaw's impact is that it takes significantly less work than previously thought to determine an RSA private key from its public counterpart, making attacks feasible against data and services protected by those keys. The flaw is not known to affect other types of keys generated by Infineon chips.
"We realize many Versasec customers may be impacted by ROCA when using Infineon hardware as they open themselves up to the risk of ROCA because their keys may be weak," said Joakim Thorén, CEO of Versasec. "Although this is strictly a hardware situation and has no impact on our vSEC:CMS solution, Versasec is fully aware of the smart card and virtual smart card vulnerability and we've made a tool available to test for smart card vulnerabilities to ROCA."
Many security solutions rely on the TPM from Infineon Technologies AG, which is used in the on-board key generation process. Here's why ROCA is a problem: The Infineon RSA library 1.02.013 in Infineon firmware mishandles RSA key generation so the hacker needs only knowledge of a public key rather than physical access to the device. All RSA keys generated by a vulnerable chip are impacted, which makes it much easier for attackers to defeat some of the cryptographic protection mechanisms through targeted ROCA attacks.
Patches to the hack are available through vendors including Infineon, Google and Microsoft. One of the issues is that for some hardware, there is no way to patch or update the software. The only solution is to either replace or update the chips or cards or re-generate the keys outside of the device and load them onto the device. Companies can identify whether their devices such as virtual and physical smart cards and USB tokens are vulnerable to the ROCA issue through the Versasec Smart Card ROCA Test. The software tool is available for download at https://versasec.com/registration.php.
For physical and virtual tokens that are susceptible to ROCA, Versasec is providing step-by-step instructions to help its customers mitigate the vulnerability at the address listed above. Versasec's support team also is available to assist any customers impacted by ROCA. Those interested in learning more about Versasec or downloading an evaluation copy of vSEC:CMS are invited to visit the Versasec web site at https://versasec.com.