ROCA Vulnerability Test Suite
Information and tools to test RSA keys for the ROCA vulnerability
The ROCA vulnerability has been discovered by researchers at Masaryk University (Brno, Czech Republic). As two of the researchers are also affiliated with Enigma Bridge we subsequently integrated a ROCA detection tool within this test suite. It allows users of affected products to verify security of their encryption keys.
This test suite provides information about the ROCA vulnerability, which is caused by an error in RSA key generation in Infineon security chips. These computer chips are used in a number of products and applications as detailed in the ROCA vulnerability summary below.
You can use this test suit to check your RSA keys in a text form, by uploading a keystore in one of the supported types, or by sending an email with a digital signature (S/MIME) or your PGP key to an email responder. Use the form below to select the most suitable method.
If you experience difficulties or errors on this page, please let us know via our support system.
Privacy notice: Any data you provide on this page is deleted as soon as we complete a requested test. We do not keep your keys or any other data generated during testing.
Update (20th October): Gemalto IDPrime .NET smart cards have been generating weak RSA keys since 2008 or earlier - ROCA vulnerability impact on Gemalto IDPrime .NET smart cards.
Update (24th October): Researchers from Masaryk University requested changes to texts explaining test results. We are updating these to provide more accurate guidance. Please visit their web page at ROCA: Vulnerable RSA generation for a detailed description of the impact of the ROCA vulnerability.
Update (14th November): The Spanish government has said it would "deactivate" all electronic ID-card (DNIe) certificates issued after May 2015. It hasn't happened yet. The official statement in Spanish is at "Direccion General de la Policia - DNI y Pasaporte" portal.
KeyChest is a certificate management service for HTTPS certificates. It automatically discovers new certificates and adds them to its reports. The certificate renewal system uses an Ansible integration and removes the need for keeping Let's Encrypt clients up-to-date on each of your servers. It simply provides keys and certificate when needed.
The KeyChest RESTful API allows automation of independent monitoring with a self-registration of new clients. It provides expiry information for each detected IP address.
It's free here as a cloud service. Just click the image above, or this link to register.
You can learn more about KeyChest at the landing page of this website.