ROCA - Infineon RSA key vulnerability.

ROCA – Infineon RSA key vulnerability.

The ROCA vulnerability has been discovered by researchers at Masaryk University (Brno, Czech Republic). As two of the researchers are also affiliated with Enigma Bridge we subsequently integrated a ROCA detection tool within this test suite. It allows users of affected products to verify security of their encryption keys.

This test suite provides information about the ROCA vulnerability, which is caused by an error in RSA key generation in Infineon security chips.

roca v1.2.6

Currently the tool supports the following key formats:
+ X509 Certificate, DER encoded, one per file, *.der, *.crt
+ X509 Certificate, PEM encoded, more per file, *.pem
+ RSA PEM encoded private key, public key, more per file, *.pem (has to have correct header —–BEGIN RSA…)
+ SSH public key, *.pub, starting with “ssh-rsa”, one per line
+ ASC encoded PGP key, *.pgp, *.asc. More per file, has to have correct header —–BEGIN PGP…
+ APK android application, *.apk
+ one modulus per line text file *.txt, modulus can be a) base64 encoded number, b) hex coded number, c) decimal coded number
+ JSON file with moduli, one record per line, record with modulus has key “mod” (int, base64, hex, dec encoding supported) certificate(s) with key “cert” / array of certificates with key “certs” are supported, base64 encoded DER.
+ LDIFF file – LDAP database dump. Any field ending with ;binary:: is attempted to decode as X509 certificate
+ Java Key Store file (JKS). Tries empty password & some common, specify more with –jks-pass-file
+ PKCS7 signature with user certificate
The detection tool is intentionally one-file implementation for easy integration / manipulation.