ROCA: Infineon RSA key vulnerability

ROCA detection tool

This tool is related to ACM CCS 2017 conference paper #124 Return of the Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli.

It enables you to test public RSA keys for the presence of the described vulnerability.

Update 4.11.2017: Python 2.7, 3.4+ supported.

Update 30.10.2017: The paper describing the attack is now online (ACM version).

Update 30.10.2017: The discrete logarithm detector is now implemented in Python and used as the default. It detects the structure in the primes that the factorization algorithm exploits.

Currently the tool supports the following key formats:

  • X509 Certificate, DER encoded, one per file, *.der, *.crt
  • X509 Certificate, PEM encoded, more per file, *.pem
  • X509 Certificate Signing Request, PEM encoded, more per file, *.pem
  • RSA PEM encoded private key, public key, more per file, *.pem (has to have correct header -----BEGIN RSA...)
  • SSH public key, *.pub, starting with "ssh-rsa", one per line
  • ASC encoded PGP key, *.pgp, *.asc. More per file, has to have correct header -----BEGIN PGP...
  • APK android application, *.apk
  • one modulus per line text file *.txt, modulus can be a) base64 encoded number, b) hex coded number, c) decimal coded number
  • JSON file with moduli, one record per line. A record with a modulus has the key "mod" (int, base64, hex, dec encoding supported); certificate(s) with key "cert" / array of certificates with key "certs" are also supported, base64 encoded DER.
  • LDIFF file - LDAP database dump. The tool attempts to decode any field ending with ;binary:: as an X509 certificate
  • Java Key Store file (JKS). Tries empty password & some common, specify more with --jks-pass-file
  • PKCS7 signature with user certificate

The detection tool is intentionally a one-file implementation for easy integration / manipulation.

False positive

False positive detection rates:

  • Moduli detector: 2^-27
  • Discrete logarithm detector: 2^-154

The discrete logarithm detector is implemented only in the Python code, where it is the default detection method.

The Java and C# code ports have been unmaintained since the original publication and we don't plan to upgrade these detectors to the more precise method. However, PRs are welcome!

Online checker

https://keychest.net/roca

The online checker is using the discrete logarithm detector algorithm.

Install with pip

Install the detector library + tool with pip (installs all dependencies):

pip install roca-detect

Local install

Execute in the root folder of the package:

pip install --upgrade --find-links=. .

Dependencies

You may need to install additional system packages so that pip can install dependencies such as the cryptography package.

CentOS / RHEL:

sudo yum install python-devel python-pip gcc gcc-c++ make automake autoreconf libtool openssl-devel libffi-devel dialog

Ubuntu:

sudo apt-get install python-pip python-dev build-essential libssl-dev libffi-dev swig

Usage

To print the basic usage:

# If installed with pip / manually
roca-detect --help

# Without installation (can miss dependencies)
python roca/detect.py

The testing tool accepts multiple file names / directories as input arguments. It returns a report showing how many files have been fingerprinted (and which ones).

Example (no vulnerabilities found):

Running recursively on all my SSH keys and known_hosts:

$> roca-detect ~/.ssh
2017-10-16 13:39:21 [51272] INFO ### SUMMARY ####################
2017-10-16 13:39:21 [51272] INFO Records tested: 92
2017-10-16 13:39:21 [51272] INFO .. PEM certs: . . . 0
2017-10-16 13:39:21 [51272] INFO .. DER certs: . . . 0
2017-10-16 13:39:21 [51272] INFO .. RSA key files: . 16
2017-10-16 13:39:21 [51272] INFO .. PGP master keys: 0
2017-10-16 13:39:21 [51272] INFO .. PGP total keys:  0
2017-10-16 13:39:21 [51272] INFO .. SSH keys:  . . . 76
2017-10-16 13:39:21 [51272] INFO .. APK keys:  . . . 0
2017-10-16 13:39:21 [51272] INFO .. JSON keys: . . . 0
2017-10-16 13:39:21 [51272] INFO .. LDIFF certs: . . 0
2017-10-16 13:39:21 [51272] INFO .. JKS certs: . . . 0
2017-10-16 13:39:21 [51272] INFO .. PKCS7: . . . . . 0
2017-10-16 13:39:21 [51272] INFO No fingerprinted keys found (OK)
2017-10-16 13:39:21 [51272] INFO ################################

Example (vulnerabilities found):

Running recursively on all my SSH keys and known_hosts:

$> roca-detect ~/.ssh
2017-10-16 13:39:21 [51272] WARNING Fingerprint found in the Certificate
...
2017-10-16 13:39:21 [51272] INFO ### SUMMARY ####################
2017-10-16 13:39:21 [51272] INFO Records tested: 92
2017-10-16 13:39:21 [51272] INFO .. PEM certs: . . . 0
2017-10-16 13:39:21 [51272] INFO .. DER certs: . . . 0
2017-10-16 13:39:21 [51272] INFO .. RSA key files: . 16
2017-10-16 13:39:21 [51272] INFO .. PGP master keys: 0
2017-10-16 13:39:21 [51272] INFO .. PGP total keys:  0
2017-10-16 13:39:21 [51272] INFO .. SSH keys:  . . . 76
2017-10-16 13:39:21 [51272] INFO .. APK keys:  . . . 0
2017-10-16 13:39:21 [51272] INFO .. JSON keys: . . . 0
2017-10-16 13:39:21 [51272] INFO .. LDIFF certs: . . 0
2017-10-16 13:39:21 [51272] INFO .. JKS certs: . . . 0
2017-10-16 13:39:21 [51272] INFO .. PKCS7: . . . . . 0
2017-10-16 13:39:21 [51272] INFO Fingerprinted keys found: 1
2017-10-16 13:39:21 [51272] INFO WARNING: Potential vulnerability
2017-10-16 13:39:21 [51272] INFO ################################

PGP key

To test your PGP key, you can export it from your email client or download it from a PGP key server such as https://pgp.mit.edu/

You can also use the gpg command-line utility to export your public key:

gpg --armor --export [email protected] > mykey.asc

Advanced use case

The detection tool extracts information about each key, which can be displayed:

roca-detect.py --dump --flatten --indent  ~/.ssh/

TLS/SSL detection

The roca-detect-tls tool tests certificates served on remote TLS/SSL ports. Provide a file with a newline-delimited list of address:port entries and use that file as input.

Example file: tls_list.txt

github.com:443
google.com:443
internal.example.com:8080

Then run:

roca-detect-tls tls_list.txt

Fake moduli

It is possible to generate moduli that pass the moduli fingerprinting test but do not actually contain the structure the factorization algorithm uses. The dlog moduli test does not mark those as positive.
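The gap between the two detectors listed under "False positive", and the reason the fake moduli described here pass only the first, can be shown on constructed integers; this is an added example, not the project's code. It assumes the fingerprint from the referenced paper (a vulnerable modulus is a power of 65537 modulo a product of small primes); the prime list, function names and sample values are illustrative assumptions.

```python
from itertools import combinations
from math import gcd

GENERATOR = 65537
# Assumption: illustrative list of small odd primes, not read from this page.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]

def _log_table(p):
    """Return ({65537^j mod p: j}, order of 65537 mod p)."""
    table, value, exponent = {}, 1, 0
    while value not in table:
        table[value] = exponent
        value = value * GENERATOR % p
        exponent += 1
    return table, exponent

TABLES = {p: _log_table(p) for p in SMALL_PRIMES}

def moduli_test(n):
    """Per-prime check: n mod p is a power of 65537 for every small prime p."""
    return all(n % p in TABLES[p][0] for p in SMALL_PRIMES)

def dlog_test(n):
    """Joint check: a single exponent c gives 65537^c == n (mod p) for all p."""
    if not moduli_test(n):
        return False
    logs = [(TABLES[p][0][n % p], TABLES[p][1]) for p in SMALL_PRIMES]
    # c == c_i (mod ord_i) has a solution iff every pair of congruences agrees.
    return all((c1 - c2) % gcd(o1, o2) == 0
               for (c1, o1), (c2, o2) in combinations(logs, 2))

def from_residues(exponents):
    """CRT: constructed n with n == 65537^exponents[p] (mod p); default 0."""
    n, m = 0, 1
    for p in SMALL_PRIMES:
        r = pow(GENERATOR, exponents.get(p, 0), p)
        n += m * ((r - n) * pow(m, p - 2, p) % p)
        m *= p
    return n

# Constructed integers (not real keys): consistent vs. inconsistent exponents.
STRUCTURED = from_residues({p: 12345 for p in SMALL_PRIMES})
FAKE = from_residues({11: 1, 13: 2})

if __name__ == "__main__":
    for name, n in (("structured", STRUCTURED), ("fake", FAKE)):
        print(name, moduli_test(n), dlog_test(n))
```

FAKE lands in the right residue class for each prime taken alone, but its exponent is odd modulo 11 and even modulo 13, so no single discrete logarithm exists and only the per-prime test flags it.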

Advanced installation methods

Virtual environment

It is usually recommended to create a new python virtual environment for the project:

virtualenv ~/pyenv
source ~/pyenv/bin/activate
pip install --upgrade pip
pip install --upgrade --find-links=. .

Separate Python 2.7.13

We tested the tool with Python 2.7.13 and it works (see Travis for more info). We have reports that lower versions (<=2.6) do not work properly, so we highly recommend using an up-to-date Python 2.7.

Use pyenv to install a new Python version locally if you cannot / don't want to update system Python.

It downloads the Python sources and installs them to ~/.pyenv.

git clone https://github.com/pyenv/pyenv.git ~/.pyenv
echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.bashrc
echo 'export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.bashrc
echo 'eval "$(pyenv init -)"' >> ~/.bashrc
exec $SHELL
pyenv install 2.7.13
pyenv local 2.7.13

Python 3

The detection tool also works with Python 3.4+.

Docker container

Run via Docker container to avoid environment inconsistency. Dockerfile source can be audited at https://hub.docker.com/r/unnawut/roca-detect/.

docker run --rm -v /path/to/your/keys:/keys --network none unnawut/roca-detect

Make sure to use the --network none flag to disable the container's network connection and the --rm flag to delete the container after it runs.

Licensing

The code is licensed under the permissive MIT license.

As there were requests for dual licensing under the Apache 2.0 license (due to some doubts about compatibility), we are also licensing the code under the Apache 2.0 license.

Pick the license that suits you better, either MIT or Apache 2.0.

Language ports

This section contains links to Git repositories with language ports.
