The paper is promoted; embargoed until 2017-10-30.
A newly discovered vulnerability in the generation of RSA keys by a software library used in cryptographic smartcards, security tokens and other secure hardware chips manufactured by Infineon Technologies AG allows for a practical factorization attack, in which the attacker computes the private part of an RSA key. The attack is feasible for commonly used key lengths, including 1024 and 2048 bits, and affects chips manufactured as early as 2012, which are now commonplace. Assess your keys now with the provided offline and online detection tools and contact your vendor if you are affected. Major vendors including Microsoft, Google, HP, Lenovo and Fujitsu have already released software updates and mitigation guidelines. Full details including the factorization method will be released in 2 weeks at the ACM CCS conference as the research paper ‘The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli’ (ROCA).
- An RSA implementation is broken
- 512 bits.
- 1024 bits.
- 2048 bits.
- "In NIST FIPS 140-2 and CC EAL 5+ certified devices since at least the year 2012."
- a software implementation, embedded in hardware, embedded in Trusted Petunia Module (TPM)
- Infineon Technologies AG.
- roca-detect/1.0.3, requires a Python stack.
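
To show the kind of offline check such a detection tool performs, here is an added example; it is not roca-detect's own code and not from the paper's authors. It assumes the fingerprint documented in the published ROCA research: an affected modulus, reduced modulo each small prime, lands in the subgroup generated by 65537. The function names and the sample integer are hypothetical, and the input format assumed is the `Modulus=<hex>` line printed by `openssl rsa -noout -modulus`.

```python
from math import prod

GENERATOR = 65537
# Odd primes up to 167. Primes where 65537 generates the whole group add no
# information; the others each filter out most unaffected moduli.
SMALL_PRIMES = [p for p in range(3, 168, 2)
                if all(p % d for d in range(3, int(p ** 0.5) + 1, 2))]


def subgroup(generator, prime):
    """Residues reachable as generator**i mod prime."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * generator % prime
    return seen


ALLOWED = {r: subgroup(GENERATOR, r) for r in SMALL_PRIMES}


def has_roca_fingerprint(n):
    """True if n mod r lies in <65537> mod r for every small prime r."""
    return all(n % r in allowed for r, allowed in ALLOWED.items())


def check_modulus_line(line):
    """Check one 'Modulus=<hex>' line (a bare hex string also works)."""
    return has_roca_fingerprint(int(line.strip().split("=", 1)[-1], 16))


def constructed_sample():
    """Constructed test integer, not a real key: the factors are not primes,
    they only have the residue structure k*M + 65537**a mod M."""
    m = prod(SMALL_PRIMES)
    p_like = 5 * m + pow(GENERATOR, 1234, m)
    q_like = 7 * m + pow(GENERATOR, 5678, m)
    return p_like * q_like


if __name__ == "__main__":
    flagged = constructed_sample()
    clean = (2 ** 127 - 1) * (2 ** 61 - 1)  # product of two Mersenne primes
    for name, n in (("constructed", flagged), ("mersenne", clean)):
        verdict = "fingerprint present" if has_roca_fingerprint(n) else "no fingerprint"
        print(name, verdict)
```

A positive result means the key should be treated as affected and raised with the vendor, as the announcement advises; the check never needs the private key.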