
Paranoid Cryptography: ROCA


I have been investigating a new library from Google which analyses a range of vulnerabilities within cryptography [here]:

One of the tests relates to the ROCA (Return of the Coppersmith Attack) vulnerability, in which an RSA private key can be recovered from knowledge of the public key alone [article]. It has the CVE identifier CVE-2017-15361. It was found in the Infineon RSA library (RSALib) in Infineon Trusted Platform Module (TPM) firmware, and affected BitLocker with TPM 1.2 and YubiKey 4.

With this, the library was sloppy in creating prime numbers: rather than generating them randomly, it generated them from

where k and a are generated randomly. In RSA, these primes are then multiplied to produce the RSA modulus:

N = p.q

Because the primes have this structure, the modulus can be factorized back to p and q relatively easily, and with p and q known the RSA private key follows directly.
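As an added example (not code from this post, nor from Google's library or RSALib), the following Python shows the kind of public-key-only check such a test performs. It assumes the weak primes have the form p = k*M + (65537^a mod M), with M the primorial of the first 39 primes and k, a random; all function names are my own. It builds a ROCA-style modulus and an ordinary one, and the fingerprint (N mod p must lie in the subgroup generated by 65537 for every prime p dividing M) flags only the former.

```python
import math
import random
# First 39 primes (2..167): their product M (~219 bits) is the primorial base assumed for 512-bit keys.
SMALL_PRIMES = [p for p in range(2, 168) if all(p % q for q in range(2, p))]
M = math.prod(SMALL_PRIMES)

def is_probable_prime(n, rounds=20):
    """Miller-Rabin probable-prime test (false-positive rate below 4**-rounds)."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def roca_style_prime(rng=random, k_bits=36):
    """p = k*M + (65537^a mod M), k and a random: 36 bits of k over M gives ~255-bit p (assumed weak form)."""
    while True:
        k = rng.getrandbits(k_bits) | 1 << (k_bits - 1)
        p = k * M + pow(65537, rng.randrange(M), M)
        if is_probable_prime(p):
            return p

def random_prime(rng=random, bits=256):  # an ordinary random prime, for comparison
    while True:
        p = rng.getrandbits(bits) | 1 << (bits - 1) | 1
        if is_probable_prime(p):
            return p

def generator_residues(p, g=65537):
    """The subgroup of Z_p^* generated by g, i.e. every value g^a mod p."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * g % p
    return seen

def has_roca_fingerprint(n):
    """Public-key-only check: N mod p must lie in <65537> for every prime p of M."""
    return all(n % p in generator_residues(p) for p in SMALL_PRIMES)
```

`has_roca_fingerprint(roca_style_prime() * roca_style_prime())` returns True, while a modulus built from two `random_prime()` values returns False; the check never needs the private key.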

ROCA

The attack uses the Coppersmith method [2] to factorize the modulus. The research team, working through responsible disclosure, were able to recover the prime factors without gaining access to RSALib [1]:


Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice
