ROCA: Vulnerable RSA Key Generation [CVE-2017-15361]

RSA keys generated using a library from Infineon Technologies are vulnerable to practical factorization: an attacker can calculate the private key from the public key because of the structure of the generated primes. The issue affects key sizes of 1204 bits and 2048 bits. The attack has been named ROCA (“Return Of Coppersmith’s Attack”) and is assigned CVE-2017-15361. Coppersmith’s attacks are a family of attacks on RSA that recover the private key from the public key when part of the private key, or structure within it, is known. The vulnerability affects NIST FIPS 140-2 and CC EAL 5+ certified devices going back to 2012. The issue was disclosed to Infineon Technologies on February 1st 2017 by security researchers from the Centre for Research on Cryptography and Security at Masaryk University, Enigma Bridge Ltd and Ca’ Foscari University of Venice.

As mentioned above, the vulnerability lies in the algorithm used to generate the large primes from which the public and private key pair is derived. The Infineon chips use an acceleration method called “Fast Primes” to generate key pairs; it is typically used when key generation is time-constrained. The researchers found a way to exploit the structure this method imposes on the primes and streamline the calculation of the private key from the public key. They also found a way to detect the distinctive characteristics of keys generated this way.

RSA keys generated by a Trusted Platform Module (TPM) are also vulnerable to ROCA if an attacker has access to the public key. Because a TPM is a dedicated microcontroller, the attacker may need physical access to the target. This mostly applies to devices such as laptops, routers, and embedded and IoT devices, where the TPM is used to encrypt hard drives, protect passwords and so on.

The researchers will release full details of this vulnerability at the ACM Conference on Computer and Communications Security (ACM CCS ’17), which starts on October 30th.

There are multiple ways to test RSA public keys for weakness:
– Offline tools.
– Online testers at here and here.
– Email S/MIME/PGP testing by sending signed emails to
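As an added illustration of the public-key-only check behind these testers, here is a Python implementation of the ROCA fingerprint (example code written for this post, not Qualys' scanner or the researchers' detector). Every prime produced by the affected generator has the form k*M + (65537^a mod M) for a primorial M, so for each small prime r dividing M the modulus N satisfies N mod r in the subgroup generated by 65537; the code checks exactly that, and builds a toy ~500-bit modulus of the ROCA form plus an ordinary control modulus to exercise it. The prime set, the toy parameters and the Miller-Rabin helper are assumptions made for this example, not values from the post.

```python
import itertools, math, random

GENERATOR = 65537
# Odd primes up to 167, the small-prime set used by the published ROCA detector.
SMALL_PRIMES = [r for r in range(3, 168) if all(r % d for d in range(2, r))]
M = math.prod(SMALL_PRIMES)  # primorial: ROCA-style primes are k*M + (65537^a mod M)
# For each r, the residues 65537^k mod r (the order of 65537 divides r-1, so k < r-1 suffices).
SUBGROUPS = {r: {pow(GENERATOR, k, r) for k in range(r - 1)} for r in SMALL_PRIMES}

def has_roca_fingerprint(n):
    """True if modulus n looks ROCA-generated: p = 65537^a and q = 65537^b (mod M)
    give n = 65537^(a+b) (mod r) for every r | M; random primes fail for some r."""
    return all(n % r in SUBGROUPS[r] for r in SMALL_PRIMES)

def _is_probable_prime(n, rounds=20, rng=random.Random(0)):
    """Miller-Rabin (constructed helper; the fixed seed only keeps runs repeatable)."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_roca_prime(a, k0):
    """First prime of the form k*M + 65537^a mod M with k >= k0 (constructed toy)."""
    res = pow(GENERATOR, a, M)
    return next(k * M + res for k in itertools.count(k0) if _is_probable_prime(k * M + res))

def next_prime(x):
    return next(c for c in itertools.count(x) if _is_probable_prime(c))

# Constructed toy moduli (~500 bits, far below real key sizes): one built the ROCA way
# and one from ordinary primes as a control.  Only the former carries the fingerprint.
TOY_ROCA_MODULUS = toy_roca_prime(12345, 1000) * toy_roca_prime(54321, 2000)
CONTROL_MODULUS = next_prime(M + 12345) * next_prime(2 * M + 67890)
```

A True result is a strong statistical signal rather than proof; the real detector additionally checks key sizes and uses a larger M for longer keys.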

We request that organizations scan using the QIDs listed below. This section will be updated as Qualys adds more signatures to detect vulnerable machines.

QID Description
91411 Microsoft Windows Security Update October 2017 (KRACK Attack) (ROCA)

Information on software update of RSA key generation function
ROCA: Vulnerable RSA generation (CVE-2017-15361)
ADV170012 | Vulnerability in TPM could allow Security Feature Bypass
