ROCA: Infineon TPM and Secure Element RSA Vulnerability Guidance

Understanding the ROCA Vulnerability

This page serves as a guide for individuals seeking to comprehend and mitigate the effects of the vulnerability known as ROCA (Return of Coppersmith’s Attack). This vulnerability exists within Trusted Platform Modules (TPMs) and Secure Elements (SEs) developed by Infineon Technologies AG.

ROCA was publicly disclosed by Microsoft on October 10. The researchers who identified this vulnerability released initial findings on October 16, 2017.

  • Users of Enterprise Windows systems may be affected by this vulnerability, necessitating appropriate actions.
  • Windows home users are generally not vulnerable.


Identifying the Issue

A significant flaw has been discovered in the software library utilized by Infineon TPMs and SEs for generating RSA private keys. This flaw enables the derivation of an RSA private key from its public counterpart with considerably less effort than previously estimated, making breaching the security of protected data and services feasible.

For devices impacted by this vulnerability, researchers have estimated that the cost to break an individual 2048-bit RSA key is approximately $20,000, while an individual 1024-bit RSA key could cost around $40. This implies that directed attacks against individual keys may now become a viable option for various threat actors.

This flaw does not appear to impact other key types generated by Infineon TPMs and SEs.


Determining Your Risk

Trusted Platform Modules (TPMs) and Secure Elements (SEs) are embedded in a diverse range of devices and utilized in numerous applications by both operating systems and applications developed by third parties. Therefore, providing completely exhaustive guidance here is unfortunately not feasible.

Trusted Platform Modules are primarily utilized in enterprise client PCs, but can also be found in servers, select consumer client PCs, and most Chrome OS devices. They have proliferated into various embedded applications, serving as dedicated security components that offer a secure environment for executing cryptographic tasks.

TPMs are employed to secure data in the event that mobile devices are lost, and for the storage and processing of keys that facilitate features such as:

  • authentication (for both devices and users)
  • email encryption using S/MIME and PGP
  • Virtual Private Networks
  • TLS and SSH connections
  • certificate authorities
  • software signing

Secure elements represent secure storage and processing areas in integrated devices like smart cards, security tokens, and various mobile devices. Similar to TPMs on PCs, they provide a secure context for executing cryptographic operations and support comparable use cases.

Key Considerations for Affected Users:

  • identify whether you possess a device containing a vulnerable TPM or Secure Element
  • determine whether the firmware version of the TPM or Secure Element is exposed
  • check whether you are utilizing features configured to leverage RSA Key Generation in the vulnerable TPM or Secure Element

Currently, we know that Microsoft, Google (Chrome OS), Yubico, Gemalto, and several PC manufacturers have publicly acknowledged the impact on their products. In the forthcoming weeks, we anticipate further notifications from additional device and software vendors. Users should remain vigilant for additional advisories from manufacturers. We will update this page with relevant information as it becomes available.

If your device or software is not listed and you have concerns, please reach out to your vendor or reseller.

In case you cannot ascertain if your devices are affected, the researchers who identified this vulnerability have provided tests that enable you to verify whether your RSA public keys are vulnerable.
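As an added illustration (not code from the NCSC page or from the researchers' own tool), the following stdlib-only Python reimplements the published fingerprint idea: every affected modulus N has the property that N mod p lies in the subgroup generated by 65537 for each small prime p, so checking the first 38 odd primes flags a ROCA key while an honestly generated key almost never matches. The `roca_form_modulus` helper and the modulus 3233 are constructed test values, not real keys.

```python
# Added example: a stdlib-only check for the ROCA key fingerprint.
# Affected keys have the shape N = k*M + (65537^a mod M) with M a primorial,
# so N mod p is a power of 65537 modulo every small prime p dividing M.
from math import prod

# Primes 3..167: the 38 odd primes shared by every M the affected generator uses.
FINGERPRINT_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                      61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                      131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537  # base used by the affected prime generator (also the public exponent)


def allowed_residues(p: int) -> frozenset:
    """Cyclic subgroup generated by 65537 in the multiplicative group mod p."""
    residues, x = set(), 1
    while True:
        residues.add(x)
        x = (x * GENERATOR) % p
        if x == 1:          # back at the identity: the whole subgroup is enumerated
            return frozenset(residues)


ALLOWED = {p: allowed_residues(p) for p in FINGERPRINT_PRIMES}


def has_roca_fingerprint(n: int) -> bool:
    """True when modulus n matches the ROCA structure for every fingerprint prime.
    A random modulus fails at least one prime with overwhelming probability."""
    return all(n % p in ALLOWED[p] for p in FINGERPRINT_PRIMES)


def roca_form_modulus(a: int, k: int) -> int:
    """Constructed integer with the affected keys' shape, for exercising the check.
    M is the primorial of the first 39 primes (2..167); the value is NOT a real
    RSA modulus, only an integer that carries the fingerprint."""
    m = prod([2] + FINGERPRINT_PRIMES)
    return k * m + pow(GENERATOR, a, m)


if __name__ == "__main__":
    print(has_roca_fingerprint(roca_form_modulus(12345, 7)))  # True: fingerprint present
    print(has_roca_fingerprint(3233))                         # 61*53, ordinary modulus: False
```

To test a real public key, extract the modulus with `openssl rsa -pubin -in key.pem -noout -modulus` and pass `int(hex_string, 16)` to `has_roca_fingerprint`; a positive result means the key should be treated as weak and replaced.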


Potential Impacts of the Vulnerability

Owing to the vast array of use cases, it is challenging to provide comprehensive guidance here; however, we have summarized some of the main issues associated with various affected platforms.

Impacts on Windows End User Devices

The NCSC security guidance for end-user devices on Windows leverages TPMs for several functionalities. If you possess a vulnerable device and are adhering to NCSC recommendations, you must take corrective measures. The following features are impacted and will see a significant reduction in security:

  • BitLocker (when utilized alongside TPM 1.2)
  • Credential Guard/DPAPI/Windows Information Protection
  • Device Health Attestation Service (DHA)
  • Virtual Smart Card (VSC)
  • Windows Hello For Business and Azure Active Directory
  • Windows Hello (including Microsoft Accounts (MSA))

For further information regarding the vulnerability’s impact on these features, please see Microsoft’s advisory. Windows home users are typically not vulnerable, as the main TPM-backed feature they are likely to use is Device Encryption on Windows 8 and newer, which does not depend on RSA keys generated by the TPM.

Impacts on Windows Servers

The below Windows Server features are susceptible when utilized on hardware containing an affected TPM:

  • Active Directory Certificate Services (ADCS)
  • Active Directory Directory Services (ADDS)
  • Windows Server 2016 Domain-joined device public key authentication

For complete details regarding the influence of the vulnerability on these features, please see this advisory.

Impacts on Chrome OS Devices

Chrome OS devices are impacted in their default setup. The following security functionalities are vulnerable:

  • Encryption of user data
  • Network authentication employing certificates for services like WPA2-EAP and HTTPS
  • Chrome OS Verified Access

For complete information about which Chrome OS features are affected, check Google’s advisory page. You can also check for TPM-backed certificates at chrome://settings/certificates.

Impacts on Embedded Devices, Smart Cards, and Third-Party Security Software

Please consult your device manufacturer or software provider for thorough details concerning the impact of this vulnerability on your specific devices.


Protecting Yourself and Your Organization

Given the complexity of this vulnerability, we recommend the following actions:

  1. Prioritize high-impact services, like public-facing network services, Certificate Authorities, Hardware Security Modules, VPNs, and software signing processes.
  2. Adhere to manufacturer recommendations to investigate devices for any vulnerabilities.
  3. Implement updates addressing the underlying issue, if they are available.
  4. Engage in remedial actions as suggested by manufacturers and/or software vendors to replace keys generated with the compromised component.

It is noteworthy that while you may possess a significant number of affected devices, you may be able to manage the risk of not patching all of them immediately. For instance, to recover the RSA key safeguarding BitLocker, an attacker requires physical access to the device and must incur an expected cost of $20,000 per device (for 2048-bit keys) to break the key. Even though this figure is likely to diminish in the future (as computational costs fall or improvements make the attack cheaper), you might decide to carry out a gradual remediation rather than a wholesale recall of devices at once.

Procedures Beyond Simple Updates

For many of the solutions regarding the ROCA concern, manual actions must be executed to revoke weak keys and regenerate secure keys. In scenarios where updates for hardware or firmware are unavailable, software alternatives might offer a more secure solution.

For instance, devices utilizing BitLocker with TPM or TPM+PIN as protectors will need to reapply those protectors (without the need for complete disk decryption and re-encryption). Detailed information on the required remedial actions is accessible through the following vendor websites:

Firmware updates for affected devices can be procured from the device’s OEM, and related links can be found in the next section.


Additional Information Sources

[Image: illustration related to the ROCA vulnerability]

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/roca-infineon-tpm-and-secure-element-rsa-vulnerability-guidance
