SecurEnvoy products not affected by “ROCA” vulnerabilitySESadmin 20/10/2017 Product Updates
The RSA (Rivest–Shamir–Adleman), is one of the first practical public-key cryptosystems and is widely used for secure data transmission in today’s IT security. It is an asymmetric system which uses a pair of keys, one used for encryption shared with the party wanting to encrypt something (known as the public key), the other part of the key pair used to decrypt the data (known as the private key).
The key generation mathematics behind this cryptosystem relies on two large prime numbers which are used to generate the keys. The security is based on the practical difficulty to factorise the product into its two prime numbers again, making this a one-directional function.
A recent vulnerability was found by security researchers within certain implementations of a key generation library, making it possible to identify the private key of an RSA key pair much quicker and with less investments than would usually be necessary to crack the key.
According to researchers, the vulnerability (called “ROCA”) has been found in certain security controllers used in smartcards, TPMs (Trusted Platform Module) and other devices like electronic passports.
RSA keys embedded in certificates are also used in PKI based authentication systems so it is sometimes wrongly assumed that all authentication systems are affected.
SecurEnvoy do not use RSA keys or certificates in its OTP (one time password) based system to authenticate and users of SecurAccess do not need to take any direct measures towards the SecurEnvoy product to protect themselves against this vulnerability.
SecurEnvoy policy recommends that any software infrastructure directly or indirectly used alongside SecurAccess is up to date and equipped with the latest updates.