Skip to content

Instantly share code, notes, and snippets.

@hannob
Last active October 25, 2020 15:55
Show Gist options
  • Save hannob/ad37d9e9e3cbf3b89bc0a8fc80cb9475 to your computer and use it in GitHub Desktop.
Save hannob/ad37d9e9e3cbf3b89bc0a8fc80cb9475 to your computer and use it in GitHub Desktop.
Affected Products and Keys by Infineon RSA vulnerability

Collecting some information about the extend and affected products and keys of the Infineon RSA vulnerability (ROCA).

Estonian eID cards

Slovakian eID cards

Yubikeys

This blog post from 2016 is hillarious and argues that certified closed source is more secure than open source:

GPG keys

Vulnerable GPG keys are likely created by Yubikeys.

TPM chips

Various vendors, including Google, Fujitsu, HP, Lenovo. Probably more. This can affect Bitlocker keys (Windows encryption system).

SSH keys

Github found "447 fingerprinted keys, 237 of them factorizable" according to Ars Technica. Likely also generated by Yubikeys.

Electronic signatures / eIDAS

Several German providers of electronic signatures according to the EU eIDAS system have affected keys in their issuing certificates (Telekom, Sparkassenverlag / S-Trust, Bundesdruckerei / D-Trust, Datev, Deutsche Rentenversicherung).

TLS certificates

Not many according to Rob Stradlings tests. No CA certificates.

Gemalto

Information very unclear, no exact information about scale and affected products yet.

@dancvrcek
Copy link

@rhowe
Copy link

rhowe commented Oct 20, 2017

Gemalto have published a statement: https://safenet.gemalto.com/technical-support/security-updates/?LangType=1049

Knowledgebase article is restricted to customers only, which is a bit shit

@santiagogf89
Copy link

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment