Versasec Announces Plan to Protect Clients from ROCA

November 18, 2017

New York, NY, November 18, 2017 –(PR.com)– Versasec, the leader in smart card and virtual smart card management systems, today announced simple steps its clients can take to understand their ROCA vulnerability. The Return of Coppersmith’s Attack (ROCA) designates an updated version of an old attack that exposes the vulnerabilities of weak RSA keys. The attack is named after mathematician and cryptographer Don Coppersmith, who helped design the Data Encryption Standard block cipher at IBM.

Today, ROCA involves a flaw that was discovered in a software library used by Infineon Technologies AG Trusted Platform Modules (TPMs), Smart Cards and Secure Elements (SEs) to generate RSA private keys. The flaw’s impact is that it takes significantly less work than previously thought to determine an RSA private key from its public counterpart, making attacks feasible against data and services protected by those keys. The flaw is not known to affect other types of keys generated by Infineon chips.

“We realize many Versasec customers may be impacted by ROCA when using Infineon hardware as they open themselves up to the risk of ROCA because their keys may be weak,” said Joakim Thorén, CEO of Versasec. “Although this is strictly a hardware situation and has no impact on our vSEC:CMS solution, Versasec is fully aware of the smart card and virtual smart card vulnerability and we’ve made a tool available to test for smart card vulnerabilities to ROCA.”

Many security solutions rely on the TPM from Infineon Technologies AG, which is used in the on-board key generation process. Here’s why ROCA is a problem: the Infineon RSA library 1.02.013 in Infineon firmware mishandles RSA key generation, so an attacker needs only knowledge of a public key rather than physical access to the device. All RSA keys generated by a vulnerable chip are impacted, which makes it much easier for attackers to defeat some of the cryptographic protection mechanisms through targeted ROCA attacks.

Patches for the flaw are available through vendors including Infineon, Google and Microsoft. One of the issues is that for some hardware, there is no way to patch or update the software. The only solution is to either replace or update the chips or cards, or to re-generate the keys outside of the device and load them onto the device. Companies can identify whether their devices, such as virtual and physical smart cards and USB tokens, are vulnerable to the ROCA issue through the Versasec Smart Card ROCA Test. The software tool is available for download at https://versasec.com/registration.php.

For physical and virtual tokens that are susceptible to ROCA, Versasec is providing step-by-step instructions to help its customers mitigate the vulnerability at the address listed above. Versasec’s support team also is available to assist any customers impacted by ROCA. Those interested in learning more about Versasec or downloading an evaluation copy of vSEC:CMS are invited to visit the Versasec web site at https://versasec.com.

About Versasec
Versasec is the leading provider of state-of-the-art, highly secure identity and access management solutions. With its flagship product, vSEC:CMS, Versasec eases the deployment of physical and virtual smart cards for enterprises of any size. Versasec’s solutions enable its customers to securely authenticate, issue and manage user credentials more cost effectively than other solutions on the market.

Versasec maintains its mission of providing solutions that are affordable and easy to integrate, coupled with first-class support, maintenance, and training. Versasec customers include HSBC, Tieto, Raiffeisenbank, Hornbach, Daimler, Alstom, European Commission, Qualcomm, eBay, Saudi Aramco, IMF, L’Oreal and Cleveland Clinic Abu Dhabi. Versasec has offices in Sweden, New York, Redwood City, Dubai, the United Kingdom, France and Germany.

Versasec’s products and services can be purchased and delivered worldwide through an extensive reseller network and via the Versasec web site: https://versasec.com. Follow us on Twitter (@versasec), LinkedIn (@versasec) and Facebook (@versasec).
