You are not logged in.
- Topics: Active | Unanswered
Pages: 1
#1 2017-10-17 09:36:13
- DaNiMoTh
- Member
- Registered: 2006-06-10
- Posts: 260
ROCA: millions of RSA keys are crippled
Hello all,
Quoting from https://arstechnica.com/information-tec … onian-ids/:
A crippling flaw in a widely used code library has fatally undermined the security of millions of encryption keys used in some of the highest-stakes settings, including national identity cards, software- and application-signing, and trusted platform modules protecting government and corporate computers.
The weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion
Here is the paper: https://crocs.fi.muni.cz/public/papers/rsa_ccs17
please check your RSA public key against a python app or a web tool: https://keychest.net/roca . If it is vulnerable, revoke it and generate a new one.
Again: send you public key, no need to send your private key to anyone.
It would be awesome if someone can check the archlinux keyring too.
jjd
Offline
#2 2017-10-17 15:05:01
- eschwartz
- Fellow
- Registered: 2014-08-08
- Posts: 4,097
Re: ROCA: millions of RSA keys are crippled
Well, this is a lot simpler, actually.
If you have generated your key using a smartcard, you're almost certainly in trouble. Assuming people actually do that, which is mildly silly IMHO.
Managing AUR repos The Right Way -- aurpublish (now a standalone tool)
Offline
#3 2017-10-17 18:30:53
- ewaller
- Administrator
- From: Pasadena, CA
- Registered: 2009-07-13
- Posts: 19,789
Re: ROCA: millions of RSA keys are crippled
Assuming people actually do that, which is mildly silly IMHO.
https://en.wikipedia.org/wiki/Trusted_Platform_Module
It would seem that whole disk encryption could be at risk if the key is generated by the TPM
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
Offline
#4 2017-10-17 19:33:05
- DaNiMoTh
- Member
- Registered: 2006-06-10
- Posts: 260
Re: ROCA: millions of RSA keys are crippled
Well, someone on LWN.net ran the software against Debian keyring.. and he found 6 hits.
https://lwn.net/Articles/736530/
EDIT: And a test was necessary.
(pyenv) lolz@strunz ~/Work/roca (master)$ roca-detect /usr/share/pacman/keyrings/archlinux.gpg
2017-10-17 21:40:25 [6976] INFO ### SUMMARY ####################
2017-10-17 21:40:25 [6976] INFO Records tested: 183
2017-10-17 21:40:25 [6976] INFO .. PEM certs: . . . 0
2017-10-17 21:40:25 [6976] INFO .. DER certs: . . . 0
2017-10-17 21:40:25 [6976] INFO .. RSA key files: . 0
2017-10-17 21:40:25 [6976] INFO .. PGP master keys: 93
2017-10-17 21:40:25 [6976] INFO .. PGP total keys: 201
2017-10-17 21:40:25 [6976] INFO .. SSH keys: . . . 0
2017-10-17 21:40:25 [6976] INFO .. APK keys: . . . 0
2017-10-17 21:40:25 [6976] INFO .. JSON keys: . . . 0
2017-10-17 21:40:25 [6976] INFO .. LDIFF certs: . . 0
2017-10-17 21:40:25 [6976] INFO .. JKS certs: . . . 0
2017-10-17 21:40:25 [6976] INFO .. PKCS7: . . . . . 0
2017-10-17 21:40:25 [6976] INFO No fingerprinted keys found (OK)
2017-10-17 21:40:25 [6976] INFO ################################
Last edited by DaNiMoTh (2017-10-17 19:41:28)
Offline
#5 2017-10-17 20:29:28
- fsckd
- Forum Fellow
- Registered: 2009-06-15
- Posts: 4,173
Re: ROCA: millions of RSA keys are crippled
Yubico commented on this. https://www.yubico.com/keycheck/
aur S & M :: forum rules :: Community Ethos
Resources for Women, POC, LGBT*, and allies
Offline
Pages: 1