
[HardOCP] Cryptographic Flaw Within Infineon TPM Chips Announced

#1 ·
Quote:
Some of the biggest tech giants in the industry are warning customers of a very serious vulnerability affecting TPM chips produced by Infineon Technologies. The vulnerability itself is created by a flaw in the Trusted Platform Module (TPM), which is designed to protect cryptographic devices within integrated hardware. Protections provided by the TPM include: encrypted key storage, certificates, sensitive data, disk encryption, passwords, authentication tokens, S/MIME and PGP email encryption, and more. TPM provides these protections on the hardware level.
Source.

Today seems like (in)security day.

Affected vendors for the time being: Asus, Acer, Lenovo, HP, Toshiba, Samsung, LG, Chromebook.
 
#7 ·
It's a serious vulnerability, but it's only applicable in a very targeted scenario because the factorization requires a very large amount of calculation time. It does seem to have enough hallmarks to look like a subtle enough compromise for state actors, but this will take a substantial period of time on a massive supercomputer to factor, so I don't think you need to be *too* worried about big brother just yet.

Best practice for the last 2 years has already been to generate RSA keys at 4096 bits anyway, which is still computationally infeasible even with this vulnerability.
 
#8 ·
Quote:
Originally Posted by Avonosac

It's a serious vulnerability, but it's only applicable in a very targeted scenario because the factorization requires a very large amount of calculation time. It does seem to have enough hallmarks to look like a subtle enough compromise for state actors, but this will take a substantial period of time on a massive supercomputer to factor, so I don't think you need to be *too* worried about big brother just yet.

Best practice for the last 2 years has already been to generate RSA keys at 4096 bits anyway, which is still computationally infeasible even with this vulnerability.
Plus, let's be realistic here...for 98% of us here, Big Brother doesn't care. Not that it's an excuse...just that it's highly unlikely that anyone here bar a few black hats will even show up as 1/10 of a blip on their "big baddie" radar so getting paranoid about it is kind of silly, though objecting to it is not.
 
#9 ·
Quote:
Originally Posted by DIYDeath

Plus, let's be realistic here...for 98% of us here, Big Brother doesn't care. Not that it's an excuse...just that it's highly unlikely that anyone here bar a few black hats will even show up as 1/10 of a blip on their "big baddie" radar so getting paranoid about it is kind of silly, though objecting to it is not.
Very dangerous slippery slope you just willfully stepped onto. Allowing any normalization of this would only serve to establish a precedent for further surveillance.
 
#10 ·
Quote:
Originally Posted by tpi2007

Source.

Today seems like (in)security day.

Affected vendors for the time being: Asus, Acer, Lenovo, HP, Toshiba, Samsung, LG, Chromebook.
I will add some more info.

https://crocs.fi.muni.cz/public/papers/rsa_ccs17

2048-bit keys are used on eID cards in the Slovak Republic, and certificates were generated by affected Infineon TPM chips too. In our country ID cards are mandatory, and may contain a chip with certificates based on a 2048-bit RSA key, which might be vulnerable. ID cards and eID certificates are generated by the local police. They are used as an "electronic signature" to communicate electronically with various government bureaus. If exposed, they can lead to identity theft.

Minister of Interior - Robert Kalinak - is still quite sure about the safety of the keys, because the study above says it will take 140 years to compute the private key out of the public key. It can take much less time (parallel computing, usage of multiple GPUs with high double-precision performance, etc.). Could be as few as 30 days or less.

Translation from interview:
Minister Kalinak: "In this case it's a potential threat, in case you have to use a brutal computational power, just to attempt to hack the signature, and the main problem is in two cases. First you need to get it (the electronic signature - public key), so then you can attack it somehow, because that's not a publicly accessible thing (actually it is)."

Journalist: "But the public keys are public."

Minister: "So can you find mine on the Internet?"

And there is one catch... Of course trying to get the private key itself would be a crime.

Challenge was accepted:
https://hacktrophy.com/verejna-vyzva-kalinaka-prijata/

The page is in Slovak; I will notify the author to make a translation.
 
#11 ·
Quote:
Originally Posted by JackCY

Trusted Platform Module? More like Trusted Backdoor Module. Aka yet another spy chip.
IME, PSP, TPM, I don't care what it is, the only purpose of it is allowing access to the overlords.
Yes, the cryptographic coprocessor is definitely a backdoor.


Quote:
Originally Posted by DIYDeath

Plus, let's be realistic here...for 98% of us here, Big Brother doesn't care. Not that it's an excuse...just that it's highly unlikely that anyone here bar a few black hats will even show up as 1/10 of a blip on their "big baddie" radar so getting paranoid about it is kind of silly, though objecting to it is not.
The best way to stay off the grid isn't to try to hide everything you do, but to flood the system with so much noise that no usable information can be found.

Also, it's funnier that way.
 
#14 ·
Hello.

One update. The Slovak Government temporarily stopped new eID signature generation, and all e-government services which were using electronic signatures.

Services will be off for 7 weeks, and old keys will be renewed with a special application.
 
#16 ·
Quote:
Originally Posted by Avonosac

Great news, really glad to hear it will be resolved. It will certainly be a painful 7 weeks, but this is certainly better than the alternative!
Alternatives?

In theory you could become a proud owner of a castle right in the Carpathian Mountains in central Slovakia... Assuming you had the right signature :D

Vampires not included.
 