This page contains guidance for people who want to understand and reduce the impact of the vulnerability known as ROCA (Return of Coppersmith’s Attack). The vulnerability is in Trusted Platform Modules (TPMs) and Secure Elements (SEs) produced by Infineon Technologies AG.
ROCA was first reported publicly by Microsoft on 10 October. The researchers who discovered the vulnerability first published initial details of their findings on 16 October 2017.
- Enterprise Windows users are likely to be affected by this vulnerability and, where this is the case, action will need to be taken.
- Home users of Windows are unlikely to be vulnerable.
What is the issue?
A flaw has been discovered in a software library used by Infineon TPMs and SEs to generate RSA private keys. The consequence of this flaw is that it takes significantly less work than previously thought to determine an RSA private key from its public counterpart. This makes attacks feasible against data and services protected by those keys.
In devices affected by the vulnerability, the researchers estimated that the cost of breaking an individual 2048-bit RSA key to be around $20,000 (and an individual 1024-bit RSA key $40). This means that targeted attacks against individual keys may now be worthwhile for a variety of threat actors against a variety of targets.
The flaw is not known to affect other types of keys generated by Infineon TPMs and SEs.
Am I affected?
Trusted Platform Modules (TPMs) and Secure Elements (SEs) are present in a huge variety of devices, and they're used in a multitude of ways by both operating systems and third-party software. So, unfortunately, this makes it impossible to give fully comprehensive guidance here.
Trusted Platform Modules are primarily found in enterprise client PCs, but can also be found in servers, some consumer client PCs and most Chrome OS devices. They have made their way into a variety of embedded applications. They are dedicated security components which provide a secure environment in which to perform cryptographic operations.
They are used to protect data when mobile devices are lost, and for storage and processing of keys that may be used in features such as:
- authentication (of devices and users)
- email encryption with S/MIME and PGP
- Virtual Private Networks
- TLS and SSH connections
- certificate authorities
- software signing
Secure elements are secure storage and processing areas in embedded devices such as smart cards, security tokens, and some mobile devices. Like TPMs on PCs, they provide a secure environment in which to perform cryptographic operations. They too enable a variety of similar use cases to TPMs.
To determine if you're affected, you must find out:
- whether you have a device containing an affected TPM or Secure Element
- whether the TPM or Secure Element has a vulnerable firmware version
- whether you are using features that have been configured to use RSA Key Generation in the vulnerable TPM or Secure Element
To date, we are aware that Microsoft, Google (Chrome OS), Yubico, Gemalto and a number of PC vendors have made public announcements about the impact to their products. Over the coming weeks we expect further device and software vendors to make announcements. Users should remain vigilant for further advisories from vendors. We will be updating this page with details if/when more information becomes available.
If your device or software is not listed here and you are still concerned, you should contact your vendor or reseller.
Finally, if you're not otherwise able to find out if your device(s) are affected, the researchers who discovered the vulnerability have made tests available which allow you to determine whether your RSA public keys are vulnerable.
What is the impact of the issue?
Again, due to the huge variety of use cases it is impossible to give comprehensive guidance here, but we have summarised issues on some of the major affected platforms.
Windows end user devices
The NCSC end user device security guidance for Windows makes use of TPMs for several features, so if you have a vulnerable device and are following NCSC guidance then you will need to take remedial action. The following features are affected and will have significantly weakened security as a result:
- BitLocker (when used with TPM 1.2)
- Credential Guard/DPAPI/Windows Information Protection
- Device Health Attestation Service (DHA)
- Virtual Smart Card (VSC)
- Windows Hello For Business and Azure Active Directory
- Windows Hello (and Microsoft Accounts (MSA))
For full details on the impact of the vulnerability on each of these features, see https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170012 . Home users of Windows are unlikely to be vulnerable as the only feature they will likely be using the TPM for is Device Encryption on Windows 8 and above, which doesn't rely on RSA keys generated by the TPM.
The following Windows Server features are affected when in use on hardware with an affected TPM.
- Active Directory Certificate Services (ADCS)
- Active Directory Directory Services (ADDS)
- Windows Server 2016 Domain-joined device public key authentication
For full details on the impact of the vulnerability on each of these features, see https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170012
Chrome OS devices
Chrome OS devices are affected in their default configuration. The following security features are vulnerable:
- User data encryption
- Network authentication using certificates to services such as WPA2-EAP and, HTTPS.
- Chrome OS Verified Access
For full details on which Chrome OS features are affected, see https://sites.google.com/a/chromium.org/dev/chromium-os/tpm_firmware_update. You can check for certificates backed by TPM at chrome://settings/certificates
Embedded devices, smart cards and third-party security software
Contact your device manufacturer or software vendor for full details of the impact of this vulnerability.
What can I do to protect myself and my organisation?
Due to the complexity of this issue we recommend:
- Prioritise high impact services, such as public-facing network services, Certificate Authorities, Hardware Security Modules, VPNs, and software signing.
- Follow manufacturer guidance to investigate devices to see if they are vulnerable.
- Install updates to fix the underlying issue, if available.
- Take remedial action as advised by the manufacturer and/or software vendor to replace keys that were generated using the vulnerable component.
Note that whilst you may have a large number of affected devices, you may be able to manage the risk of not patching all of them immediately. For example, to break an RSA key protecting BitLocker, an attacker still needs physical access, and must spend an expected cost of $20,000 per device (for 2048 bit keys) to break the key. Although this sum may decrease over time (as the cost of computation decreases or if new research makes the attack cheaper) you might, in the meantime, decide to begin a gradual process of remediation rather than recalling devices immediately.
In this case it is not sufficient to simply install updates.
For many of the resolutions to the ROCA issue, manual steps must be taken to revoke weak keys, and regenerate strong keys. Where updates are unavailable for the hardware or firmware, software replacements may provide a more secure alternative.
For example, devices using BitLocker with TPM or TPM+PIN as protectors will need to reapply those protectors (although they will not need to fully decrypt and re-encrypt the disk). Details of the remedial action required can be found at the websites of the following vendors:
Firmware updates for affected devices can be obtained from the device OEM. Links can be found in the following section.
Where can I find more information?
For more information on this vulnerability please see the following resources:
PC vendors have provided details of devices that include vulnerable Infineon TPMs, and how to update them:
You may also want to read: