Based on the limited information released by the authors, we know that ROCA exploits a flaw in a software library that generates RSA keys. RSA is a public key cryptosystem widely used for digital signatures (authentication) and for encryption (confidentiality). You will find RSA practically everywhere, even in the HTTPS protecting this web page. RSA uses two keys: public and private. The public key consists of two numbers, N and E. These two numbers can be shared with anyone. N is a large number, typically 2,048 bits in length, while E is a small number, often 3, 17, or 65,537. E is small for performance reasons: all RSA operations require modular exponentiation (a^E mod N), which is orders of magnitude faster if E is a small Fermat prime such as 3, 17, or 65,537. The secret key consists of N and D, and D must be kept secret for the entire system to work.
There are some subtle differences between the choice of 3, 17, and 65,537 for the value of E. It is intuitive to choose 3 because of its higher performance, which is critical for very low-power devices such as smartcards, but crucially the choice can have a significant impact on the security of the entire RSA system. In 1996, Don Coppersmith developed fatal attacks against E=3 when the software library used a simple message-padding scheme. In fact, in June 2000, Boneh and Durfee showed that if E > N^0.292, then RSA is not secure. This implies that E=3 is unsafe in all standard key sizes, including the 2,048-bit keys used in identity smartcards, BitLocker, Secure Boot, HTTPS, and many other applications.
Over the years, several standards have attempted to shore up RSA against low-exponent attacks, but E=65,537 is simply safer, so it became widely recommended and the industry generally settled on it. The SSL certificate protecting Synopsys.com uses E=65,537, and you will find this to be true across many other websites. Several internet standards, such as RFC 4871, state that 65,537 should be used.
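The following is an added example, not code from the article or from any of the libraries it discusses. It ties together the two points made above: how an RSA key pair (N, E) / (N, D) is generated and used through modular exponentiation, why a small exponent such as 3 or 65,537 is cheap to compute with (the square-and-multiply cost grows with the bit length and Hamming weight of the exponent), and how a key-acceptance policy can reject public exponents below the widely recommended 65,537. The prime sizes, seed and message are constructed for readability; the `generate_keypair`, `modexp_cost` and `check_public_exponent` names are this example's own. Real keys use 2,048-bit moduli, proper padding (OAEP or PSS) and a vetted cryptographic library rather than the textbook operations shown here.

```python
"""Toy RSA key generation, textbook encryption, exponent cost and an exponent policy.

Added illustration only: primes are tiny and there is no padding, so this is
exactly the 'simple' setting that low-exponent attacks target. Never use it
as a cryptographic implementation.
"""
import math
import random


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probabilistic primality test (adequate for a toy generator)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int, rng: random.Random) -> int:
    """Draw random odd candidates with the top bit set until one is (probably) prime."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 64, e: int = 65537, seed=None):
    """Return ((N, E), (N, D)) for a modulus of roughly `bits` bits.

    E is chosen up front (3, 17 or 65537 in practice); D is its inverse mod phi(N).
    """
    rng = random.Random(seed)  # seeded only so the example is reproducible
    while True:
        p = random_prime(bits // 2, rng)
        q = random_prime(bits // 2, rng)
        if p == q:
            continue
        phi = (p - 1) * (q - 1)
        if math.gcd(e, phi) == 1:  # E must be invertible modulo phi(N)
            break
    n = p * q
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def textbook_encrypt(m: int, pub) -> int:
    """c = m^E mod N with no padding (insecure by design; illustration only)."""
    n, e = pub
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def textbook_decrypt(c: int, priv) -> int:
    """m = c^D mod N."""
    n, d = priv
    return pow(c, d, n)


def modexp_cost(exponent: int) -> int:
    """Modular multiplications that square-and-multiply needs for this exponent.

    One squaring per bit after the leading one, plus one multiply per set bit
    after the leading one. E=3 costs 2, E=65537 costs 17, a random 2048-bit D
    costs roughly 3,000, which is why the *public* exponent is kept small.
    """
    squarings = exponent.bit_length() - 1
    multiplies = bin(exponent).count("1") - 1
    return squarings + multiplies


def check_public_exponent(e: int, minimum: int = 65537):
    """Key-acceptance policy: reject even or low public exponents.

    Returns (accepted, reason). The 65537 floor mirrors the recommendation
    the article cites; it is a policy choice, not a mathematical proof of safety.
    """
    if e % 2 == 0:
        return False, "public exponent must be odd"
    if e < minimum:
        return False, f"public exponent {e} is below the policy minimum {minimum}"
    return True, "ok"


if __name__ == "__main__":
    pub, priv = generate_keypair(bits=64, e=65537, seed=1)
    message = 123456789  # constructed sample plaintext (must be < N)
    print("round trip ok:", textbook_decrypt(textbook_encrypt(message, pub), priv) == message)
    for e in (3, 17, 65537):
        print(f"E={e}: {modexp_cost(e)} multiplications, policy -> {check_public_exponent(e)}")
    print("2048-bit private exponent costs about", modexp_cost((1 << 2048) - 1), "multiplications")
```

The cost function makes the performance argument concrete: a public operation with E=65,537 costs 17 modular multiplications regardless of key size, while the private operation with a full-size D costs on the order of the modulus bit length times 1.5. The policy check is the kind of gate a certificate-issuing or key-import path can apply so that E=3 keys are refused before they reach production, without attempting to decide which specific padding schemes would have made them safe.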
The ROCA authors, Matus Nemec, Marek Sys, Petr Svenda, Dusan Klinec, and Vashek Matyas, have not yet published the full details of their attack, but it seems likely that ROCA relates to the issues with E=3. In January, they discovered that Infineon Technologies AG had written a cryptographic library that contained a critical flaw in the generation of RSA keys. This library was then compiled and embedded into millions of smartcards, Trusted Platform Modules, and other certified devices used in organizations and governments around the world since at least 2012. The full details will be presented at ACM CCS 2017 and are included in a research paper titled The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli.