[TriLUG] Got a Yubikey or a Chromebook? Heads up about ROCA...

Aaron Joyner via TriLUG trilug at trilug.org
Tue Oct 17 08:50:22 EDT 2017


TL;DR: If you have a Chromebook, a Yubikey 4, or other device which uses an
Infineon TPM for hardware encryption, the RSA private keys generated by
that device may be rather easily compromised.

Fixes are rolling out where possible.  For some use cases you may have to
regenerate keypairs and redistribute public keys.  Some devices like the
Yubico 4 can't update this aspect of the software in the TPM by design, and
will have to be replaced.

Here are a few links, ranging from news-y to technical:
https://www.forbes.com/sites/thomasbrewster/2017/10/16/worse-than-krack-google-and-microsoft-patch-massive-5-year-old-encryption-hole/#501ffe9747c3

https://www.bleepingcomputer.com/news/security/tpm-chipsets-generate-insecure-rsa-keys-multiple-vendors-affected/

https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa-background

https://www.yubico.com/support/security-advisories/ysa-2017-01/

October is an "uncomfortably exciting" month, security-wise...
Aaron S. Joyner

