ROCA: Cryptographic flaws in BitLocker, Secure Boot, and millions of smartcards

How many devices are vulnerable to ROCA?

Unfortunately, many certified devices are vulnerable. This flaw is present in the library used by NIST FIPS 140-2 and CC EAL5+, two internationally adopted cryptographic standards. This library has made its way into smartcards and Trusted Platform Modules (TPMs) used by BitLocker and Windows 10 Secure Boot. The flaw affects the identity smartcards of approximately 750,000 Estonians, nearly 55% of the country’s population. In these contexts, the attacker can use ROCA to impersonate the owner of the smartcard, break BitLocker encryption, or bypass the protections of Secure Boot.

What do we know about ROCA?

Based on the limited information released by the authors, we know that ROCA exploits a flaw in a software library that generates RSA keys. RSA is a public key cryptosystem widely used for digital signatures for authentication or encrypted messages for confidentiality. You will find RSA practically everywhere, even in the HTTPS on this web page. RSA uses two keys: public and private. The public key consists of two numbers, N and E. These two numbers can be shared with anyone. N is a large number, typically 2,048 bits in length, while E is a small number, often 3, 17, or 65,537. E is small for performance reasons; all RSA operations require modular exponentiation (aE mod N), which is orders of magnitude faster if E is a small Fermat prime such as 3, 17, or 65,537. The secret key consists of N and D, and D must be kept secret for the entire system to work.

There are some subtle differences between the choice of 3, 17, and 65,537 for the value of E. It’s intuitive to choose 3 owing to its higher performance, which is critical for very low-power devices such as smartcards, but crucially the choice can have a significant impact on the security of the entire RSA system. In 1996, Dan Coppersmith developed fatal attacks against E=3 if the software library used a simple message-padding scheme. In fact, in June 2000, Boneh and Durfee showed that if E > N0.292, then RSA is not secure. This implies that E=3 is unsafe in all standard key sizes, including the 2,048-bit keys used in identity smartcards, BitLocker, Secure Boot, HTTPS, and many other applications.

Over the years, several standards have attempted to shore up RSA against low-exponent attacks. However, E=65,537 is safer, so it became widely recommended, and the industry generally settled on it. The SSL certificate protecting Synopsys.com uses E=65,537, and you will find this to be true across many other websites. Several internet standards, such as RFC 4871, state that 65,537 should be used.

The ROCA authors, Matus Nemec, Marek Sys, Petr Svenda, Dusan Klinec, and Vashek Matyas, have not yet published the full details of their attack, but it seems likely that ROCA relates to the issues with E=3. In January, they discovered that Infineon Technologies AG had written a cryptographic library that contained a critical flaw in the generation of RSA keys. This library was then compiled and embedded into millions of smartcards, Trusted Platform Modules, and other certified devices used in organizations and governments around the world since at least 2012. The full details will be presented at ACM CCS 2017 and are included in a research paper titled The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli.

Am I affected by ROCA?

The answer is most likely yes. Even if you aren’t a citizen of Estonia or Slovakia, your personal computer and your workstation may be affected. Microsoft has published an advisory (ADV170012) stating that Windows 8.1, Windows 10, and Windows Server 2012 and 2016 are all affected. BitLocker keys may also need to be regenerated.

Estonia is well-aware of the vulnerability affecting 55% of its citizens; the government published an advisory last month, which was followed by an update earlier this week. They stress that the flaw remains theoretical and is difficult to execute, so they have decided not to recall the affected smartcards. Some of their services use the ID smartcard to supplement a username and password, which an attacker would not have.

You can test RSA public keys against the ROCA flaw with these tools:

• https://keychest.net/roca
• Offline: https://github.com/crocs-muni/roca (relevant code is in Java)

How do we fix this?

The authors have made it clear that this flaw is embedded into the hardware and firmware of many devices widely used across the globe. This makes it difficult to completely patch, but there are some mitigating controls.

If you are using Windows, Microsoft has issued several updates that should address the issue. Google, HP, Lenovo, and Fujitsu have released updates for their software products as well. Estonian citizens can suspend the digital signature services of their smartcards if they choose. A new chip is in development in the meantime.