Return of Coppersmith’s Attack (ROCA) is a vulnerability in the generation of RSA keys used by a software library adopted in cryptographic smartcards, security tokens and other secure hardware chips. The vulnerability is present in NIST FIPS 140-2 and CC EAL 5+ certified devices since at least the year 2012.
ROCA was found in a cryptographic library used in a wide range of cryptographic chips produced by Infineon Technologies AG. The vulnerability was disclosed to Infineon in the first week of February with agreement of an 8 month period before a public disclosure. Major vendors including Microsoft, Google, HP, Lenovo and Fujitsu already released the software updates and guidelines for a mitigation.
ROCA enables a practical factorization attack, in which the attacker computes the private part of an RSA key. The attack works on common RSA keys lengths such as 2048-bit which are used for SSL/TLS certificates. Estimated cost to factor a 2048- bit key is about $40,000 using Amazon AWS c4 computation. RSA key sizes 3072-bit and 4096-bit aren’t practically factorable.
The good news for SSL/TLS certificate users is your key was probably not created using the vulnerable software. All certificates in the global certificate transparency (CT) logs have been scanned and only 171 were impacted. These certificates were mostly user certificates and not server certificates.
Tools for testing ROCA are available. These can be used to test SSL/TLS certificates, but more importantly any other certificates where the keys were generated in hardware. These keys could be used for document signing or code signing certificates.
Note, Entrust Certificate Services has scanned all active public trusted SSL/TLS certificates in our database. No keys were found to be vulnerable to ROCA.