
SoylentNews is people

posted by takyon on Wednesday October 18 2017, @12:00PM
from the really-secure-amirite? dept.

A flawed Infineon Technology chipset used on PC motherboards to securely store passwords, certificates and encryption keys risks undermining the security of government and corporate computers protected by RSA encryption keys. In a nutshell, the bug makes it possible for an attacker to calculate a private key just by having a target's public key.

Security experts say the bug has been present since 2012 and is found specifically in Infineon's Trusted Platform Module used on a large number of business-class HP, Lenovo and Fujitsu computers, Google Chromebooks as well as routers and IoT devices.

The vulnerability allows for a remote attacker to compute an RSA private key from the value of a public key. The private key can then be misused for purposes of impersonation of a legitimate owner, decryption of sensitive messages, forgery of signatures (such as for software releases) and other related attacks, according to researchers.

The Infineon flaw is tied to a faulty design of Infineon's Trusted Platform Module (TPM), a dedicated microcontroller designed to secure hardware by integrating cryptographic keys into devices and used for secured crypto processes.

Source: https://threatpost.com/factorization-flaw-in-tpm-chips-makes-attacks-on-rsa-private-keys-feasible/128474/
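
To help decide which keys must be regenerated, the added example below (not code from the article, the researchers or Infineon) tests an RSA modulus for the publicly documented fingerprint of the flawed generator: its primes have the form k*M + (65537^a mod M), with M a product of small primes, so the modulus reduced by each of those primes lands in the subgroup generated by 65537. The prime bound of 167, the function names and both sample moduli are assumptions constructed for illustration.

```python
from math import prod

GENERATOR = 65537  # base of the subgroup the flawed primes are drawn from

def odd_primes_up_to(limit):
    """Odd primes <= limit by trial division (the list is tiny)."""
    return [n for n in range(3, limit + 1, 2)
            if all(n % d for d in range(3, int(n ** 0.5) + 1, 2))]

SMALL_PRIMES = odd_primes_up_to(167)  # assumed bound, see lead-in

def subgroup(prime):
    """Residues reachable as GENERATOR**k mod prime."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * GENERATOR % prime
    return seen

ALLOWED = {p: subgroup(p) for p in SMALL_PRIMES}

def failing_primes(modulus):
    """Small primes whose residue rules the fingerprint out."""
    return [p for p in SMALL_PRIMES if modulus % p not in ALLOWED[p]]

def has_fingerprint(modulus):
    """True when no small prime rules the fingerprint out.

    Affected keys always pass; an unrelated modulus passes only by chance,
    so True means: treat the key as affected and regenerate it.
    """
    return not failing_primes(modulus)

def constructed_structured_modulus(a, b, k1, k2):
    """Constructed input with the affected shape in both factors.

    The factors are not checked for primality: only the residue
    structure matters to the fingerprint test.
    """
    m = 2 * prod(SMALL_PRIMES)
    return (k1 * m + pow(GENERATOR, a, m)) * (k2 * m + pow(GENERATOR, b, m))

if __name__ == "__main__":
    samples = {
        "structured (constructed)": constructed_structured_modulus(
            1234, 98765, 2**36 + 7, 2**36 + 101),
        "unrelated (constructed)": 11 * 2**500 + 3,
    }
    for name, n in samples.items():
        print(name, has_fingerprint(n), failing_primes(n)[:3])
```

Feed it the modulus of each public key or certificate generated on the TPM; a match says nothing about whether the firmware has since been updated, only that the key itself must be replaced.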


  • (Score: 5, Informative) by ElizabethGreene on Wednesday October 18 2017, @03:27PM (1 child)


    It takes more than just updates to address this issue. The Infineon chip's firmware needs to be updated (not a Microsoft update), and then you have to wipe and re-generate the keys stored in the TPM.

    Why is this a big deal?

    Your Bitlocker (disk encryption) keys are stored in the TPM.
    On a CA, the signing keys can (and should) be stored in the TPM.
    On a system with CredentialGuard, the hypervisor keys are stored in the TPM.
    On a system with a virtual smartcard, the keys are in the TPM.

    It's a big freaking deal, and not enough people are paying attention to it.

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012

    Here's the kicker. If you are using the TPM in another operating system then you have a problem too. It looks like libengine-tpm-openssl is now abandonware. What is a good way to reach out to the people using it and tell them they have a problem?

  • (Score: 0) by Anonymous Coward on Wednesday October 18 2017, @11:10PM


    Yes, it's a big deal.

    The people most interested in securing themselves grumbled and have begun what is necessary--as you listed...

    Everyone else doesn't care or refuses to be inconvenienced, which really is what got us into many of the security problems to begin with.