[openssl-users] OpenSSL engine and TPM usage.

Michael Wojcik Michael.Wojcik at microfocus.com
Thu Oct 26 20:34:51 UTC 2017

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Michael Richardson
> Sent: Wednesday, October 25, 2017 18:37
> Jakob Bohm <jb-openssl at wisemo.com> wrote:
>     > Please beware that many TPM chips were recently discovered to contain a
>     > broken RSA key generation algorithm, so public/private key pairs keys
>     > to be stored in the TPM should probably be generated off-chip (using
>     > the OpenSSL software key generator) and imported into the chip,
>     > contrary to what would have been best security practice without this
>     > firmware bug.
> wow, further evidence that everything needs an upgrade path.

Specifically, it's devices using Infineon chips. AIUI, that includes most TPMs and many HSMs, but not, for example, the NitroKey HSM.

The researchers who documented the problem, which they've named ROCA, have a site for it:

They aren't describing the exact nature of the issue yet (at least the last I checked), but it has something to do with the RSA primes having a structure that lets attackers greatly speed factoring. I can imagine a number of optimizations if you know enough about the structure of the primes.

They've provided a Python program that can identify problematic keys with high probability, and it's available as a web service, etc. The program doesn't reveal what the mystery structural issues are; it seems to be a Bloom filter that's been trained to identify vulnerable keys (which is pretty interesting in itself).

All that's just based on a pretty cursory look, though, so I may be wrong.

Michael Wojcik 
Distinguished Engineer, Micro Focus 

More information about the openssl-users mailing list