ROCA - vulnerability in Infineon RSA key generation

Quantum cryptography is still some years away from being anything but an interesting research area. But if you want to see what it is to suddenly have all your keys broken, look the ROCA vulnerability.

The ROCA vulnerability enables computation of RSA private keys from their public components for a range of key lengths, including commonly used 2,048 bits with low to medium budget. A successful computation of a private key allows, depending on its use, decrypt sensitive data (from file encryption to HTTPS), forging digital signatures (email security, qualified signatures), impersonation (access control to IT systems or buildings), or personal identity theft (e-ID cards). The current (conservative) indicative processor times for 1,024 and 2,048 bit keys are as follows.

  • 1,024 bit RSA keys – 97 vCPU days (maximum cost of $40-$80); and

  • 2,048 bit RSA keys – 51,400 vCPU days, (maximum cost of $20,000 - $40,000).

Computations can be split among an arbitrary number of processors and completed in days, hours, or even minutes. These time and cost estimates were valid at the time of publication and may decrease.

You can now read all the technical details in the ACM Digital Library, which published the full text of the research paper .

While the paper describes the technical details, if you want to understand real-world implications than it takes a bit more imagination. Let's start with this example - your company decided to outsource your IT to third parties. You need to show your clients and partners that you're in control of your data and use encryption to protect against unauthorized access via the IT supplier. As you are worried about ransomware, you create frequent backups - actually your IT supplier does.

October 16th came and you suddenly learnt that it was possible to decrypt all your sensitive data without any additional information - all that was needed had been included with the data, namely public keys used for encryption. And it's not just an odd misplaced key that got compromised - it's all your keys at the same time.

You can revoke the keys, but the data is out there and there's no way to hide it now. All you can do is to hope that there are so many other companies, that your IT supplier will be helpful, that you know of all the copies of your data, that no one will find your data worth $20,000 (or maybe just $500 dollars when November comes and black hats optimize the attack) to crack the key.

Assessment and mitigation

The vulnerability can’t be used for large-scale attacks but there is a practical method for targeted attacks. Do contact manufacturers of products you suspect may be affected, or check their latest bug and press releases, and product updates for more information.

If you suspect you or your organization's security may be at risk, we have implemented a tool to test RSA public keys for the ROCA vulnerability. It is available for download and as an online test toolkit here at:

A list of possible mitigation steps includes:

  • install security updates provided by manufacturers if available;

  • replacement of security chips / products with these chips with secure ones;

  • change the source of RSA keys to a secure key generator;

  • replace RSA algorithm with an elliptic curve encryption (ECC);

  • shorten the lifetime of RSA keys;

  • limit access to repositories with public keys; or

  • separation of data-at-rest and data-in-transit encryption.

We are Enigma Bridge Ltd, 20 Bridge St, Cambridge, CB2 1UF, United Kingdom and we read keychest@enigmabridge.com
Terms of Service | Privacy Policy

Certificate monitoring KeyChest logo