On 16/10/2017 21:01, Matthew Hardeman wrote:
The authors of the paper on the weak RSA keys generated by Infineon TPMs and 
smart cards have published code in multiple languages / platforms that provide 
for an efficient test for weakness by way of the Infineon TPM bug.

Perhaps this should be a category of issue identified by the crt.sh engine, etc?

Should someone put together a ballot for incorporating this category of weak 
keys as a mandatory check before issuing certs?

Code for testing keys is at: https://github.com/crocs-muni/roca

It looks like the test is exceptionally easy math against the modulus of the 
public key.

Thanks,

Matt Hardeman


Unfortunately, as of right now, their GitHub repository still doesn't
include the promised C/C++ implementation, and their Python
implementation requires a fairly new Python version (with details
inconsistent between README.md and a quick look at setup.py).

They have also obfuscated their test by providing bitmasks as decimal
bigints instead of using hexadecimal or any other format that makes the
bitmasks human readable.

But if you happen to run a new enough environment, their tests may at
least be runnable, and you may be able to deobfuscate the bitmasks with
your favorite bignum calculator.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
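
An added example, not part of either message and not the crocs-muni code: it decodes a decimal bitmask into the residues it allows and applies that kind of per-prime residue test to a modulus. It assumes the structure given in the published ROCA description (the modulus, reduced by each small prime, is a power of 65537); the prime range, function names and sample numbers are constructed for illustration.

```python
"""Added example: decode decimal bitmasks and apply a ROCA-style residue test."""

GENERATOR = 65537  # assumption taken from the published ROCA description


def odd_primes_upto(limit):
    return [p for p in range(3, limit + 1)
            if all(p % d for d in range(2, int(p ** 0.5) + 1))]


SMALL_PRIMES = odd_primes_upto(167)  # illustrative range (assumption)


def subgroup_mask(p):
    """Bitmask with bit r set iff r is a power of GENERATOR modulo p."""
    mask, r = 0, 1
    while not (mask >> r) & 1:      # stop once the cycle returns to 1
        mask |= 1 << r
        r = r * GENERATOR % p
    return mask


def mask_bits(mask):
    """Human-readable form of a bitmask: the residues it allows."""
    return [i for i in range(mask.bit_length()) if (mask >> i) & 1]


MASKS = {p: subgroup_mask(p) for p in SMALL_PRIMES}


def has_fingerprint(n):
    """True if n mod p is an allowed residue for every small prime p."""
    return all((MASKS[p] >> (n % p)) & 1 for p in SMALL_PRIMES)


# Constructed inputs (not real RSA keys): one built to carry the structure,
# one ordinary number that does not.
M = 1
for _p in SMALL_PRIMES:
    M *= _p
SAMPLE_MATCH = pow(GENERATOR, 12345, M) + 987654321 * M
SAMPLE_CLEAN = 2 ** 127 - 1

if __name__ == "__main__":
    for p in (11, 13, 17):
        print(p, MASKS[p], hex(MASKS[p]), mask_bits(MASKS[p]))
    print(has_fingerprint(SAMPLE_MATCH), has_fingerprint(SAMPLE_CLEAN))
```

A modulus that passes is only flagged as matching the pattern; primes for which 65537 generates every nonzero residue contribute nothing to the test beyond rejecting multiples of that prime.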
