Uncategorized

more on Infineon TPM issue (ROCA)

http://blog.ptsecurity.com/2017/10/a-major-flaw-in-popular-encryption.html

ROCA: Vulnerable RSA generation (CVE-2017-15361)

A newly discovered vulnerability in generation of RSA keys used by a software library adopted in cryptographic smartcards, security tokens and other secure hardware chips manufactured by Infineon Technologies AG allows for a practical factorization attack, in which the attacker computes the private part of an RSA key. The attack is feasible for commonly used key lengths, including 1024 and 2048 bits, and affects chips manufactured as early as 2012, that are now commonplace. Assess your keys now with the provided offline and online detection tools and contact your vendor if you are affected. Major vendors including Microsoft, Google, HP, Lenovo, Fujitsu already released the software updates and guidelines for a mitigation. Full details including the factorization method will be released in 2 weeks at the ACM CCS conference as ‘The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli’ (ROCA) research paper.

https://crocs.fi.muni.cz/public/papers/rsa_ccs17

 

Standard
Uncategorized

more on Infineon TPM issue

Re: the recent Infineon TPM problem, more and more downstream problems are being discovered. The main news presses have lots of stories on this now.

 

Standard
Uncategorized

ChromeOS impact of Infineon TPM problem

More on: https://firmwaresecurity.com/2017/10/10/infineon-tpms-generating-weak-keys/

“You can check the TPM firmware running on your device by looking at the firmware_version line of the tpm_version entry in chrome://system. If the tpm_version entry is absent, this is likely because you are running an old Chrome OS version which doesn’t report this information. Upgrade to a newer version and check again.”

https://sites.google.com/a/chromium.org/dev/chromium-os/tpm_firmware_update

 

Standard
Uncategorized

Infineon TPMs generating weak keys?

https://www.infineon.com/cms/en/product/promopages/tpm-update/?redirId=59160

https://eesage.com/pages/103061850-tpm-update

ADV170012 | Vulnerability in TPM could allow Security Feature Bypass – A security vulnerability exists in certain Trusted Platform Module (TPM) chipsets. The vulnerability weakens key strength. It is important to note that this is a firmware vulnerability, and not a vulnerability in the operating system or a specific application. After you have installed software and/or firmware updates, you will need to re-enroll in any security services you are running to remediate those services.

Nice, Microsoft makes you agree to a EULA before you can view the web page. 😦

https://www.ghacks.net/2017/10/10/microsoft-security-updates-october-2017-release/

 

Standard
Uncategorized

Using TPMs in embedded systems

Stefan Thom (Microsoft), Steve Hanna (Infineon), and Stacy Cannady (Cisco) have an article in Electronic Design on TPM use in embedded systems. If you are new to TPM, this is a nice introduction.

Standardizing Trust for Embedded Systems

It’s time to get more serious about the lack of security in embedded products. With recently developed standards, it’s implementation just got easier. If you haven’t been concerned about malicious players hacking into your products in the past, or haven’t found success with previous efforts, it’s time for renewed attention and action. Hacking efforts aren’t slowing and, in fact, are on the rise. These days, hackers can accomplish far more than ever before—and the repercussions are far more costly. […]

Full article:
http://electronicdesign.com/embedded/standardizing-trust-embedded-systems

Standard