Collecting some information about the extent of the Infineon RSA vulnerability (ROCA) and the products and keys it affects.
- Official ROCA information from the researchers who found the bug
- Test tool on Github
- Online test
- Information from Infineon
- CVE-2017-15361
- CERT/CC advisory
Estonian eID cards
Slovakian eID cards
- Government announcement in Slovak (Google Translate to English)
- https://ekonomika.sme.sk/c/20674129/cipove-obcianske-maju-vaznu-chybu-podpis-sa-da-ukradnut.html?ref=trz
Yubikeys
This blog post from 2016 is hilarious and argues that certified closed source is more secure than open source:
GPG keys
Vulnerable GPG keys were likely generated by Yubikeys.
TPM chips
Various vendors, including Google, Fujitsu, HP, Lenovo. Probably more. This can affect BitLocker keys (Windows disk encryption).
SSH keys
Github found "447 fingerprinted keys, 237 of them factorizable" according to Ars Technica. These were likely also generated by Yubikeys.
Electronic signatures / eIDAS
Several German providers of electronic signatures according to the EU eIDAS system have affected keys in their issuing certificates (Telekom, Sparkassenverlag / S-Trust, Bundesdruckerei / D-Trust, Datev, Deutsche Rentenversicherung).
TLS certificates
Not many according to Rob Stradling's tests. No CA certificates.
Gemalto
Information is very unclear; no exact information about scale or affected products yet.
Hi, I have updated the info around Gemalto smartcards.
https://dan.enigmabridge.com/roca-vulnerability-impact-on-gemalto-idprime-net-smart-cards/