ROCA: Infineon TPM and Secure Element RSA Vulnerability Guidance

Overview

This guidance is for anyone who needs to understand and mitigate the vulnerability known as ROCA (Return of Coppersmith’s Attack), which affects Trusted Platform Modules (TPMs) and Secure Elements (SEs) manufactured by Infineon Technologies AG.

ROCA was publicly announced by Microsoft on October 10. Initial findings by the researchers were shared on October 16, 2017.

  • Enterprise users of Windows may be impacted by this vulnerability and should take necessary actions if affected.
  • Home users of Windows are generally considered safe from this vulnerability.


Understanding the Vulnerability

A critical flaw has been identified in the software library that Infineon TPMs and SEs use to generate RSA private keys. The flaw greatly reduces the effort needed to recover an RSA private key from the corresponding public key, making attacks feasible against data and services protected by those keys.

The researchers estimate that breaking an individual 2048-bit RSA key would cost around $20,000, while breaking a 1024-bit RSA key may cost only $40. Targeted attacks on individual keys are therefore economically viable for a range of threat actors, and against multiple targets.

Keys of other types generated by Infineon TPMs and SEs are not believed to be affected.


Determining Your Risk

Trusted Platform Modules (TPMs) and Secure Elements (SEs) are integrated into many devices, serving diverse functions for both operating systems and third-party applications. Consequently, providing exhaustive guidance is challenging.

Trusted Platform Modules are commonly found in enterprise desktop PCs, as well as some servers, consumer desktops, and most Chrome OS devices. They have also been deployed in various embedded applications, serving as dedicated security components for cryptographic operations.

TPMs help protect data when a portable device is lost, and they manage keys for functions such as:

  • Authentication (for devices and users)
  • Email encryption using S/MIME and PGP
  • VPN services
  • TLS and SSH connections
  • Certificate authorities
  • Software signing

Secure elements act as secure storage and processing units in embedded devices such as smart cards, security tokens, and select mobile devices. Like TPMs, they provide secure environments for cryptographic tasks and enable various similar applications.

To ascertain if you’re affected, you should investigate:

  • Whether your device contains a susceptible TPM or Secure Element
  • If the TPM or Secure Element operates on a vulnerable firmware version
  • Whether you use features that generate RSA keys in the vulnerable TPM or Secure Element

Current announcements from Microsoft, Google (Chrome OS), Yubico, Gemalto, and other hardware manufacturers have acknowledged the impact on their products. Additional announcements from other vendors are anticipated in the upcoming weeks. Stay alert for advisory updates from these providers, as we will modify this document with more information as it becomes available.

If your device is not included in these lists and you still have concerns, reach out to your vendor or reseller.

If you cannot confirm whether your device is vulnerable, the researchers have released testing tools that establish whether a given RSA public key was generated by the flawed library.
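The check those testing tools perform is a public-key fingerprint, which is useful to understand if you want to screen a batch of exported public keys yourself. The following is an added example written for this page, not the researchers’ tool or NCSC’s code. It implements the published ROCA fingerprint (for every small prime r in the generator’s primorial, N mod r must lie in the subgroup generated by 65537) and builds two constructed moduli, one with the flawed generator’s structure and one from random primes, to show the check firing and not firing. The prime range 3..167, the demo parameters and the modulus construction are assumptions made for the demonstration; a real scan would feed in moduli extracted from certificates or keys with your usual tooling.

```python
"""ROCA public-key fingerprint check (added example, not the researchers' tool)."""
import random

# The flawed generator produces primes of the form k*M + (65537^a mod M), where
# M is a primorial. Any modulus N = p*q therefore satisfies
#   N mod r  in  <65537 mod r>   for every small prime r dividing M.
GENERATOR = 65537


def small_primes(limit):
    """Odd primes up to `limit` (inclusive), by trial division."""
    out = []
    for n in range(3, limit + 1, 2):
        if all(n % p for p in out if p * p <= n):
            out.append(n)
    return out


# Assumption: the primes 3..167 are sufficient for the fingerprint; any prefix
# of the primorial's prime factors works, longer prefixes only lower the
# false-positive rate further.
FINGERPRINT_PRIMES = small_primes(167)


def allowed_residues(r):
    """Subgroup of (Z/rZ)* generated by 65537: the only values N mod r can take
    for a modulus built from ROCA-structured primes."""
    residues = set()
    x = 1
    while x not in residues:
        residues.add(x)
        x = (x * GENERATOR) % r
    return residues


ALLOWED = {r: allowed_residues(r) for r in FINGERPRINT_PRIMES}


def is_roca_fingerprinted(n):
    """True if modulus n matches the ROCA structure for every fingerprint prime.
    A key from an unaffected generator is rejected by each prime r independently
    with probability 1 - |subgroup|/(r-1), so false positives are negligible."""
    return all(n % r in ALLOWED[r] for r in FINGERPRINT_PRIMES)


# --- helpers that build constructed test moduli (not real keys) ---

def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


M = 1
for _r in FINGERPRINT_PRIMES:
    M *= _r  # primorial over the fingerprint primes (~215 bits)


def structured_prime(a, k_start):
    """Smallest prime k*M + (65537^a mod M) with k >= k_start: the shape the
    flawed generator produces (constructed here for the demonstration)."""
    residue = pow(GENERATOR, a, M)
    k = k_start
    while not is_probable_prime(k * M + residue):
        k += 1
    return k * M + residue


def random_prime(bits, rng):
    """Random prime of the given size, as an unaffected generator would make."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def demo():
    """Returns (flagged?, flagged?) for a structured and a random modulus."""
    rng = random.Random(2017)
    vulnerable_n = structured_prime(12345, 1 << 40) * structured_prime(67890, 1 << 41)
    safe_n = random_prime(512, rng) * random_prime(512, rng)
    return is_roca_fingerprinted(vulnerable_n), is_roca_fingerprinted(safe_n)


if __name__ == "__main__":
    flagged, clean = demo()
    print("ROCA-structured modulus flagged:", flagged)
    print("random-prime modulus flagged:   ", clean)
```

Because only the public modulus is examined, the check can be run over certificate stores, SSH `authorized_keys` files or PGP keyrings without access to the private key, and a positive result is a reason to replace the key rather than evidence that it has been factored.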


Potential Implications

Because of the wide range of use cases it is difficult to give exhaustive guidance, but the implications for the major affected platforms are summarised below.

Windows User Devices

The NCSC security guidance for end-user devices running Windows relies on TPMs, so devices with vulnerable hardware require remedial action. The following TPM-backed features will have notably reduced security:

  • BitLocker (when used with TPM 1.2)
  • Credential Guard/DPAPI/Windows Information Protection
  • Device Health Attestation Service (DHA)
  • Virtual Smart Card (VSC)
  • Windows Hello For Business and Azure Active Directory
  • Windows Hello (and Microsoft Accounts (MSA))

For a complete overview of the vulnerability’s impact on these features, refer to Microsoft’s advisory. Home users of Windows are typically not at risk, since the only feature they are likely to use the TPM for is Device Encryption (Windows 8 and later), which does not rely on TPM-generated RSA keys.

Windows Servers

The following Windows Server features are at risk if they run on hardware with a vulnerable TPM:

  • Active Directory Certificate Services (ADCS)
  • Active Directory Directory Services (ADDS)
  • Windows Server 2016 Domain-joined device public key authentication

For further details regarding the consequences of the vulnerability on these features, see Microsoft’s advisory.

Chrome OS Devices

Chrome OS devices are vulnerable under their default settings. The following security features have been identified as at risk:

  • User data encryption
  • Network authentication using certificates for services such as WPA2-EAP and HTTPS
  • Chrome OS Verified Access

For comprehensive information on the affected Chrome OS features, see Google’s guidance. You can check for TPM-backed certificates at chrome://settings/certificates.

Embedded Devices, Smart Cards, and Third-Party Security Software

For specific information on the impact of this vulnerability, contact your device manufacturer or software vendor.


How to Safeguard Yourself and Your Organization

Given the intricacies associated with this issue, we recommend the following actions:

  1. Focus on high-impact services, such as public-facing network services, Certificate Authorities, Hardware Security Modules, VPNs, and software signing.
  2. Follow manufacturer guidelines to assess your devices for vulnerabilities.
  3. Implement updates designed to resolve the underlying issues once they are available.
  4. Take corrective measures as recommended by the manufacturer and/or software vendor to replace keys generated using the compromised component.

Although you may have many affected devices, it may be feasible to manage the risk of not patching them immediately. For example, breaking an RSA key protecting BitLocker still requires physical access to the device, plus an estimated $20,000 per device for 2048-bit keys. That cost will fall over time as computing capabilities improve, but it may allow a gradual remediation rather than an immediate device recall.

Updates Alone Are Not Enough

Many fixes for the ROCA issue require manual action to revoke vulnerable keys and generate new, strong ones. Where no hardware or firmware update is available, a software alternative may provide better security.

For example, devices that use BitLocker with TPM or TPM+PIN will require you to reapply those protectors (a full decryption and re-encryption of the disk is not needed). Detailed remedial instructions can be obtained from the following vendors:

Firmware updates for vulnerable devices can be accessed from the respective device OEM. Relevant links can be sourced from the following section.


Additional Resources

For further inquiry and detailed information regarding the ROCA vulnerability, users are encouraged to consult manufacturer recommendations and stay informed.

ROCA Vulnerability Information

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/roca-infineon-tpm-and-secure-element-rsa-vulnerability-guidance
