A flawed Infineon Technology chipset used on PC motherboards to securely store passwords, certificates and encryption keys risks undermining the security of government and corporate computers protected by RSA encryption keys. In a nutshell, the bug makes it possible for an attacker to calculate a private key just by having a target's public key.
Security experts say the bug has been present since 2012 and found specifically in the Infineon's Trusted Platform Module used on a large number of business-class HP, Lenovo and Fijitsu computers, Google Chromebooks as well as routers and IoT devices.
The vulnerability allows for a remote attacker to compute an RSA private key from the value of a public key. The private key can then be misused for purposes of impersonation of a legitimate owner, decryption of sensitive messages, forgery of signatures (such as for software releases) and other related attacks, according to researchers.
The Infineon flaw is tied to a faulty design of Infineon's Trusted Platform Module (TPM), a dedicated microcontroller designed to secure hardware by integrating cryptographic keys into devices and used for secured crypto processes.
(Score: 2) by frojack on Wednesday October 18 2017, @07:19PM
Verification might have been costly, but so was developing the chip.
And none of that was necessary. Linux has a driver for TPM, but its not installed by default on most distros, isn't even feature complete, and even when installed you have to go out of your way to turn it on.
Clearly there are software ways to accomplish what this chip purports to do.
It seems to have arisen in response to the need to store the UEFI credentials. But many machines lack this chipset completely.
No, you are mistaken. I've always had this sig.