ROCA vulnerability and Axalto / Gemalto .NET v2 smartcards

I wrote about the ROCA vulnerability yesterday. It affects Infineon security chips used in TPMs and smart cards. While it is easy to identify TPM modules and computers using them, smart cards are more difficult.

21/Oct: Please see an update on this topic here and at CERT/CC. Gemalto has confirmed that its .NET line of smartcards is vulnerable to ROCA.

The ROCA vulnerability has since been widely reported, so here is just a quick summary of the primary links:

We initially avoided, on purpose, identifying the particular types of smart cards that may contain and use the faulty cryptographic library. The task is difficult: there are many types of smart cards, identifying a particular smart card type is non-trivial, and the implementation of a given type can further depend on the year of manufacture.

I have personally believed, and I still do, that while the replacement of weak keys generated by TPM modules may be a complex task, replacement of smart cards used by enterprises from VPN access and secure email, to physical access control will be harder still.

As a general rule of thumb, I advise all companies using smart cards for digital signing or authentication to establish their exposure to this vulnerability and initiate appropriate plans to mitigate any unacceptable risks.

I would further urge companies using smart cards marketed as Gemalto .NET v2 / Gemalto ID Prime .NET to test them for the ROCA vulnerability as we have collected several independent reports suggesting these cards produce weak RSA keys. Later models of these PKI smart cards (Gemalto ID Prime 510/511) were discontinued last month, but they have been a relatively popular choice for enterprise PKI-based security systems. First indications suggest that weak keys may be present in smart cards manufactured as far back as 2007 – a full 5 years before the currently reported date.

At the same time, Gemalto PKI smart cards with “MD” in their type / name are currently seen as secure.

Another strand of smart cards reported as vulnerable is Infineon Javacards. This is in line with the initial press release identifying Infineon and its cryptographic library as the source of the weak RSA keys.
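For readers who want to run the test the post recommends, here is an added example (not code from the original post) that applies the public ROCA fingerprint to an RSA modulus exported from a card. It assumes the structure described in the ROCA paper (Nemec et al., 2017): affected primes have the form p = k*M + (65537^a mod M), so N mod q always lies in the subgroup generated by 65537 for every small prime q dividing M. The sample modulus it builds is constructed to exercise the detector and is not a real key.

```python
"""ROCA (CVE-2017-15361) fingerprint check on an RSA public modulus.

Added example, not from the original post. A modulus that misses the
65537-subgroup for any small prime q is not a ROCA key; one that hits it
for every discriminating q is flagged and the card should be replaced.
"""
from math import prod

GENERATOR = 65537


def small_primes(limit: int) -> list[int]:
    """Primes <= limit by sieve (2..167 are the first 39 primes)."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytes(len(sieve[i * i::i]))
    return [i for i, is_prime in enumerate(sieve) if is_prime]


def subgroup(q: int) -> frozenset[int]:
    """The set {65537^k mod q}: the only residues a ROCA modulus can take mod q."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * GENERATOR % q
    return frozenset(seen)


# 167 is the 39th prime, so every q here divides M for all affected key sizes.
# Primes where 65537 generates all of Z_q^* cannot discriminate and are dropped.
FINGERPRINT = {q: subgroup(q) for q in small_primes(167) if len(subgroup(q)) < q - 1}


def is_roca_fingerprinted(n: int) -> bool:
    """True if n has the ROCA residue structure for every discriminating prime."""
    return all(n % q in group for q, group in FINGERPRINT.items())


def make_fingerprinted_modulus(a: int, b: int, k1: int, k2: int) -> int:
    """Constructed sample with ROCA residue structure, NOT a real key: the two
    factors are not tested for primality; it only exercises the detector."""
    M = prod(small_primes(167))  # M for 512-bit ROCA keys: first 39 primes
    return (k1 * M + pow(GENERATOR, a, M)) * (k2 * M + pow(GENERATOR, b, M))


if __name__ == "__main__":
    sample = make_fingerprinted_modulus(12345, 6789, 101, 202)
    print("fingerprinted:", is_roca_fingerprinted(sample))      # True
    print("fingerprinted:", is_roca_fingerprinted(sample + 1))  # False
```

Feed `is_roca_fingerprinted` the integer modulus of a certificate or public key exported from the card; a positive result is a fingerprint match, so treat it as a key to replace rather than as proof of factorability.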

Try the professional HTTPS/TLS monitoring service KeyChest.net to keep on top of your certificates with its certificate auto-discovery. The public cloud service is free and allows you to monitor thousands of certificates within minutes (YouTube video, 49 seconds).

About Author

Dan Cvrcek

Co-founder of Radical Prime and Enigma Bridge. Independent consultant on security and encryption systems (incl. large banking, payment, and enterprise systems) ... and a university professor.

12 Comments

koczkatamas

17th October 2017 at 6:07 pm

Our IDPrime.NET cards are affected. Ping me if you need more information (manufacture date, etc).

A plethora of patches, Kaspersky hits back, new hope for Wannacry Brit hero and more (The Register)

21st October 2017 at 1:28 am

[…] an Axalto or Gemalto .NET v2 smartcard, be aware the Infineon TPM cryptography screw up may well affect the security of your […]

A plethora of patches, Kaspersky hits again, new hope for Wannacry Brit hero – and extra | NETWORKFIGHTS.COM

21st October 2017 at 1:43 am

[…] or Gemalto .NET v2 smartcard, bear in mind the Infineon TPM cryptography screw up could nicely have an effect on the safety of your […]

A plethora of patches, Kaspersky hits back, new hope for Wannacry Brit hero – and more – STE WILLIAMS

21st October 2017 at 3:14 am

[…] an Axalto or Gemalto .NET v2 smartcard, be aware the Infineon TPM cryptography screw up may well affect the security of your […]

The security of the electronic DNI, compromised: who is affected, why, and how to fix it | ISO Móvil

9th November 2017 at 11:29 am

[…] community of computer security specialists. Dan Cvrcek, of the consultancy Enigma Bridge, warned of the dangers of using this type of chip, and pointed out that even the solutions of the modernisation of its […]

The security of the electronic DNI, compromised: who is affected, why, and how to fix it | Android 3G – We are connected with Android Technology!

9th November 2017 at 11:36 am

[…] in the society of masters of computer protection. Dan Cvrcek, of the consultancy Enigma Bridge, warned of the dangers of using this type of chip, and pointed out that although the responses of the modernisation of its […]

The security of the electronic DNI, compromised: who is affected, why, and how to fix it – Tec Ofertas España

9th November 2017 at 11:45 am

[…] in the community of computer security experts. Dan Cvrcek, of the consultancy Enigma Bridge, warned of the dangers of using this type of chip, and pointed out that although the solutions of updating its […]

AKETXE Consulting – The security of the electronic DNI, compromised: who is affected, why, and how to fix it

9th November 2017 at 11:48 am

[…] in the community of computer security experts. Dan Cvrcek, of the consultancy Enigma Bridge, warned of the dangers of using this type of chip, and pointed out that although the solutions of updating its […]

The security of the electronic DNI, compromised: who is affected, why, and how to fix it – Technow

9th November 2017 at 12:01 pm

[…] in the community of computer security experts. Dan Cvrcek, of the consultancy Enigma Bridge, warned of the dangers of using this type of chip, and pointed out that although the solutions of updating its […]

The security of the electronic DNI, compromised: who is affected, why, and how to fix it – Geekis

9th November 2017 at 1:09 pm

[…] in the community of computer security experts. Dan Cvrcek, of the consultancy Enigma Bridge, warned of the dangers of using this type of chip, and pointed out that although the solutions of updating its […]

Estonia Hits Gemalto Again – Insecure eID cards – Magic of Security

1st October 2018 at 8:18 am

[…] https://dan.enigmabridge.com/roca-vulnerability-and-axalto-gemalto-net-v2-smartcards/ […]
