I think this is right. ROCA-detect appears to just be an implementation of the fingerprinting algorithm described in the 2016 paper (https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_svenda.pdf). There are already plenty of clues in the 2016 paper that something might be wrong with Infineon's prime selection algorithm. It will be interesting to see what the actual attack is.
Fun quotes from the 2016 paper:

"It is possible to verify ... whether the primes generally do not exhibit same distribution as randomly generated numbers (Infineon JTOP 80K) by computing the distributions of the primes, modulo small primes."

On the factorization of p-1: "The Infineon JTOP 80K card produces significantly more small factors than usual (compared with both random numbers and other sources)."

On biases in the random number generator: "The Infineon JTOP 80K failed the NIST STS Approximate Entropy test (85/100, expected entropy contained in the data) at a significant level and also failed the group of Serial tests from the Dieharder suite (39/100, frequency of overlapping n-bit patterns). Interestingly, the serial tests began to fail only for patterns with lengths of 9 bits and longer (lengths of up to 16 bits were tested), suggesting a correlation between two consecutive random bytes generated by the TRNG."

This is pure speculation on my part, but I'm wondering if they also used the classic smart card "optimization" of using 3 for the public exponent. That would make it easier to exploit biases in selection of primes.

-Tim

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+thollebeek=trustwave....@lists.mozilla.org] On Behalf Of Nick Lamb via dev-security-policy
Sent: Tuesday, October 17, 2017 7:37 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Efficient test for weak RSA keys generated in Infineon TPMs / smartcards

On Monday, 16 October 2017 23:15:51 UTC+1, Jakob Bohm wrote:
> They have also obfuscated their test by providing bitmasks as decimal
> bigints instead of using hexadecimal or any other format that makes
> the bitmasks human readable.
The essential fingerprinting trick comes down to this (I had to work all this out while I was discussing it with Let's Encrypt's @cpu yesterday): Infineon RSA moduli have weird properties. When you divide them by some (but not all) small primes, the remainder isn't zero (which would be instantly fatal to security) but is heavily biased. For example, when divided by 11 the remainder is always 1 or 10.

The bitmasks are effectively lists of expected remainders for each small prime. If your modulus has an expected remainder for all the 20+ small primes that distinguish Infineon, there's a very high chance it was generated using their hardware, although it isn't impossible that it was selected by other means. The authors could give firm numbers, but I have estimated the false positive rate as no more than 1 in 2 million. If any of the remainders are "wrong" then your keys weren't generated using this Infineon library; there is no "false negative" rate.

I believe the November paper will _not_ announce a new category of RSA weak keys, but instead will describe how to get better-than-chance rates of guessing RSA private key bits from the public modulus _if_ the key was generated using Infineon's library. Such knowledge can be leveraged into a cost effective attack using existing known techniques.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
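A worked implementation of the remainder check Nick describes above, added here as an example; it is not code from the thread, from roca-detect, or from the paper. It assumes the modulus structure that the ROCA paper later published, namely that each affected prime has the form k*M + (65537^a mod M) where M is the product of the first 39 primes for 512-bit keys, so that N mod r for every prime r dividing M falls inside the subgroup generated by 65537 (which for r = 11 is exactly the {1, 10} Nick quotes). The prime set, the generator 65537, the Miller-Rabin helper and both sample moduli are assumptions and constructions of this example, not facts stated in the thread.

```python
"""Residue fingerprint for Infineon-style RSA moduli (added example, not thread code).

ASSUMPTION, taken from the ROCA paper rather than from the thread: affected primes are
    p = k*M + (65537^a mod M),  M = product of the first 39 primes (2..167) for 512-bit keys.
Then for every prime r | M,  N = p*q  ==  65537^(a+b)  (mod r), so N mod r lies in the
cyclic subgroup <65537> of (Z/rZ)^*.  For r = 11 that subgroup is {1, 10}.
"""
import random
from math import prod

GENERATOR = 65537


def first_primes(n):
    """The first n primes by trial division (n is tiny, speed is irrelevant)."""
    primes, c = [], 2
    while len(primes) < n:
        if all(c % p for p in primes):
            primes.append(c)
        c += 1
    return primes


SMALL_PRIMES = first_primes(39)    # 2 .. 167: the 512-bit prime set (assumption)
M = prod(SMALL_PRIMES)             # about 219 bits


def allowed_residues(r, g=GENERATOR):
    """Subgroup <g> of (Z/rZ)^*: the remainders an affected modulus can leave mod r."""
    residues, x = set(), 1
    while x not in residues:
        residues.add(x)
        x = x * g % r
    return residues


# Primes where <65537> is the whole group (3, 5, 7, 23, ...) carry no information and are
# dropped; so is 2, because every RSA modulus is odd.  What remains plays the role of
# the "bitmask per small prime" from the thread.
FINGERPRINT = {r: allowed_residues(r) for r in SMALL_PRIMES
               if len(allowed_residues(r)) < r - 1}


def mismatches(n):
    """Primes at which n leaves a remainder an affected modulus can never leave."""
    return {r: n % r for r, ok in FINGERPRINT.items() if n % r not in ok}


def is_roca_fingerprinted(n):
    """True when every discriminating prime sees an expected remainder (no false negatives)."""
    return not mismatches(n)


def false_positive_rate():
    """Chance an unrelated modulus passes, taking n mod r as uniform on 1..r-1."""
    return prod(len(ok) / (r - 1) for r, ok in FINGERPRINT.items())


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin with random bases; adequate for a demo, not a vetted primality test."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def roca_style_prime(bits, rng):
    """Constructed prime p = k*M + 65537^a mod M with exactly `bits` bits (assumed structure)."""
    k_lo = -(-(1 << (bits - 1)) // M)          # ceil(2^(bits-1) / M)
    k_hi = (1 << bits) // M                    # exclusive upper bound keeps p < 2^bits
    while True:
        a = rng.randrange(M)
        p = rng.randrange(k_lo, k_hi) * M + pow(GENERATOR, a, M)
        if is_probable_prime(p, rng):
            return p


def roca_style_modulus(bits=512, seed=1):
    """A constructed 512-bit modulus with the assumed structure (not a real Infineon key)."""
    rng = random.Random(seed)
    return roca_style_prime(bits // 2, rng) * roca_style_prime(bits // 2, rng)


# Constructed control: two Mersenne primes, unrelated to the generator.  It leaves
# remainder 8 mod 11, outside {1, 10}, so a single "wrong" remainder rules it out.
CONTROL_MODULUS = (2**127 - 1) * (2**89 - 1)

if __name__ == "__main__":
    print("discriminating primes:", sorted(FINGERPRINT))
    print("allowed residues mod 11:", sorted(FINGERPRINT[11]))
    print("false positive rate ~ 1 in", round(1 / false_positive_rate()))
    print("constructed Infineon-style modulus flagged:", is_roca_fingerprinted(roca_style_modulus()))
    print("control modulus flagged:", is_roca_fingerprinted(CONTROL_MODULUS), mismatches(CONTROL_MODULUS))
```

Two things fall out of running it that the prose alone does not show: only primes at which 65537 fails to generate the whole multiplicative group carry any information (3, 5 and 7 drop out, 11 stays with just two allowed remainders), and a modulus of the assumed form passes at every one of those primes by construction, which is the "no false negatives" property, while the false-positive estimate is simply the product of the per-prime fractions of allowed remainders.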