ROCA Vulnerability Test Suite
Information and tools to test RSA keys for the ROCA vulnerability
The ROCA vulnerability was discovered by researchers at Masaryk University (Brno, Czech Republic). KeyChest has close links to the researchers, so it integrated a ROCA detection tool into its test suite. The tool allows users of affected products to verify the security of their encryption keys.
This test suite provides information about the ROCA vulnerability, which is caused by an error in RSA key generation in Infineon security chips. These computer chips are used in a number of products and applications as detailed in the ROCA vulnerability summary below.
You can use this test suite to check your RSA keys in text form, by uploading a keystore in one of the supported types, or by sending an email with a digital signature (S/MIME) or your PGP key to an email responder. Use the form below to select the most suitable method.
If you experience difficulties or errors on this page, please let us know via our support system.
Privacy notice: Any data you provide on this page is deleted as soon as we complete a requested test. We do not keep your keys or any other data generated during testing.
Update (20th October 2017): Gemalto IDPrime .NET smart cards have been generating weak RSA keys since 2008 or earlier - ROCA vulnerability impact on Gemalto IDPrime .NET smart cards.
Update (24th October 2017): Researchers from Masaryk University requested changes to texts explaining test results. We are updating these to provide more accurate guidance. Please visit their web page at ROCA: Vulnerable RSA generation for a detailed description of the impact of the ROCA vulnerability.
Update (14th November 2017): The Spanish government has said it would "deactivate" all electronic ID-card (DNIe) certificates issued after May 2015. It hasn't happened yet. The official statement in Spanish is at "Direccion General de la Policia - DNI y Pasaporte" portal.
This service is provided by KeyChest Ltd. It uses the official ROCA detection tool.
As you're here, try our KeyChest - expiry monitoring service for web encryption. It is free for personal use and up to 100 endpoints. It uses Certificate Transparency databases with our own look-up tables to discover new certificates within minutes.
KeyChest for commercial use, with real-time Slack notifications, starts at $10 / month for thousands of domains (we only enforce a fair usage policy).
The KeyChest RESTful API allows automation of independent monitoring with self-registration of new clients. It provides expiry information for each detected IP address.
You can learn more about KeyChest at the landing page of this website.