The ROCA vulnerability has been since widely reported, so just a quick summary of primary links:
- A short technical press release – Centre for Research on Cryptography and Security blog
- Our online test suite – test your public key (file, check MIT PGP keyring, GitHub account, and email responder – [email protected]) at keychest.net/roca (or https://rocahelp.com)
We have initially avoided identification of particular types of smart cards, which may contain and use the faulty cryptographic library, on purpose. The task is difficult as there are many types of smart cards and identification a particular smart card type is non-trivial. The implementation of a particular smart card type can further depend on the manufacturing year.
I have personally believed, and I still do, that while the replacement of weak keys generated by TPM modules may be a complex task, replacement of smart cards used by enterprises from VPN access and secure email, to physical access control will be harder still.
As a general rule of thumb, I advise all companies using smart cards for digital signing or authentication to establish their exposure to this vulnerability and initiate appropriate plans to mitigate any unacceptable risks.
I would further urge companies using smart cards marketed as Gemalto .NET v2 / Gemalto ID Prime .NET to test them for the ROCA vulnerability as we have collected several independent reports suggesting these cards produce weak RSA keys. Later models of these PKI smart cards (Gemalto ID Prime 510/511) were discontinued last month, but they have been a relatively popular choice for enterprise PKI-based security systems. First indications suggest that weak keys may be present in smart cards manufactured as far back as 2007 – a full 5 years before the currently reported date.
At the same time, Gemalto PKI smart cards with “MD” in their type / name are currently seen as secure.
Another strand of smart cards reported as vulnerable are Infineon Javacards. This is in line with the initial press release identifying Infineon and its cryptographic library to be the source of weak RSA keys.