Xedge>> roca>> 返回
项目作者: crocs-muni

项目描述 :
ROCA: Infineon RSA key vulnerability
高级语言: Python
项目地址: git://github.com/crocs-muni/roca.git
创建时间: 2017-10-13T15:28:41Z
项目社区:https://github.com/crocs-muni/roca
开源协议:MIT License
下载


ROCA detection tool

Build Status

This tool is related to ACM CCS 2017 conference paper #124 Return of the Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli.

It enables you to test public RSA keys for a presence of the described vulnerability.

Update 4.11.2017: Python 2.7, 3.4+ supported.

Update 30.10.2017: The paper of the attack is already online,
ACM version.

Update 30.10.2017: The discrete logarithm detector is now implemented in the Python and used as a default. It detects the structure
in the primes exploited by the factorizing algorithm.

Currently the tool supports the following key formats:

  • X509 Certificate, DER encoded, one per file, *.der, *.crt
  • X509 Certificate, PEM encoded, more per file, *.pem
  • X509 Certificate Signing Request, PEM encoded, more per file, *.pem
  • RSA PEM encoded private key, public key, more per file, *.pem (has to have correct header -----BEGIN RSA...)
  • SSH public key, *.pub, starting with “ssh-rsa”, one per line
  • ASC encoded PGP key, *.pgp, *.asc. More per file, has to have correct header -----BEGIN PGP...
  • APK android application, *.apk
  • one modulus per line text file *.txt, modulus can be
    a) base64 encoded number, b) hex coded number, c) decimal coded number
  • JSON file with moduli, one record per line, record with modulus has
    key “mod” (int, base64, hex, dec encoding supported)
    certificate(s) with key “cert” / array of certificates with key “certs” are supported, base64 encoded DER.
  • LDIFF file - LDAP database dump. Any field ending with ;binary:: is attempted to decode as X509 certificate
  • Java Key Store file (JKS). Tries empty password & some common, specify more with --jks-pass-file
  • PKCS7 signature with user certificate

The detection tool is intentionally one-file implementation for easy integration / manipulation.

False positive

False positive detection rates:

  • Moduli detector: 2^-27
  • Discrete logarithm detector: 2^-154

Discrete logarithm detector is implemented only in the Python code, used as the default detection method.

Java and C# code ports are unmaintained since the original publication and we don’t plan to upgrade these
detectors to the more precise method. However PR are welcome!

Online checker

https://keychest.net/roca

The online checker is using the discrete logarithm detector algorithm.

Install with pip

Install the detector library + tool with pip (installs all dependencies):

  1. pip install roca-detect

Local install

Execute in the root folder of the package:

  1. pip install --upgrade --find-links=. .

Dependencies

It may be required to install additional dependencies so pip can install e.g. cryptography package.

CentOS / RHEL:

  1. sudo yum install python-devel python-pip gcc gcc-c++ make automake autoreconf libtool openssl-devel libffi-devel dialog

Ubuntu:

  1. sudo apt-get install python-pip python-dev build-essential libssl-dev libffi-dev swig

Usage

To print the basic usage:

  1. # If installed with pip / manually
  2. roca-detect --help
  4. # Without installation (can miss dependencies)
  5. python roca/detect.py

The testing tool accepts multiple file names / directories as the input argument.
It returns the report showing how many files has been fingerprinted (and which are those).

Example (no vulnerabilities found):

Running recursively on all my SSH keys and known_hosts:

  1. $> roca-detect ~/.ssh
  2. 2017-10-16 13:39:21 [51272] INFO ### SUMMARY ####################
  3. 2017-10-16 13:39:21 [51272] INFO Records tested: 92
  4. 2017-10-16 13:39:21 [51272] INFO .. PEM certs: . . . 0
  5. 2017-10-16 13:39:21 [51272] INFO .. DER certs: . . . 0
  6. 2017-10-16 13:39:21 [51272] INFO .. RSA key files: . 16
  7. 2017-10-16 13:39:21 [51272] INFO .. PGP master keys: 0
  8. 2017-10-16 13:39:21 [51272] INFO .. PGP total keys:  0
  9. 2017-10-16 13:39:21 [51272] INFO .. SSH keys:  . . . 76
  10. 2017-10-16 13:39:21 [51272] INFO .. APK keys:  . . . 0
  11. 2017-10-16 13:39:21 [51272] INFO .. JSON keys: . . . 0
  12. 2017-10-16 13:39:21 [51272] INFO .. LDIFF certs: . . 0
  13. 2017-10-16 13:39:21 [51272] INFO .. JKS certs: . . . 0
  14. 2017-10-16 13:39:21 [51272] INFO .. PKCS7: . . . . . 0
  15. 2017-10-16 13:39:21 [51272] INFO No fingerprinted keys found (OK)
  16. 2017-10-16 13:39:21 [51272] INFO ################################

Example (vulnerabilities found):

Running recursively on all my SSH keys and known_hosts:

  1. $> roca-detect ~/.ssh
  2. <b>2017-10-16 13:39:21 [51272] WARNING Fingerprint found in the Certificate</b>
  3. ...
  4. 2017-10-16 13:39:21 [51272] INFO ### SUMMARY ####################
  5. 2017-10-16 13:39:21 [51272] INFO Records tested: 92
  6. 2017-10-16 13:39:21 [51272] INFO .. PEM certs: . . . 0
  7. 2017-10-16 13:39:21 [51272] INFO .. DER certs: . . . 0
  8. 2017-10-16 13:39:21 [51272] INFO .. RSA key files: . 16
  9. 2017-10-16 13:39:21 [51272] INFO .. PGP master keys: 0
  10. 2017-10-16 13:39:21 [51272] INFO .. PGP total keys:  0
  11. 2017-10-16 13:39:21 [51272] INFO .. SSH keys:  . . . 76
  12. 2017-10-16 13:39:21 [51272] INFO .. APK keys:  . . . 0
  13. 2017-10-16 13:39:21 [51272] INFO .. JSON keys: . . . 0
  14. 2017-10-16 13:39:21 [51272] INFO .. LDIFF certs: . . 0
  15. 2017-10-16 13:39:21 [51272] INFO .. JKS certs: . . . 0
  16. 2017-10-16 13:39:21 [51272] INFO .. PKCS7: . . . . . 0
  17. 2017-10-16 13:39:21 [51272] INFO Fingerprinted keys found: 1
  18. 2017-10-16 13:39:21 [51272] INFO WARNING: Potential vulnerability
  19. 2017-10-16 13:39:21 [51272] INFO ################################

PGP key

In order to test your PGP key you can export it from your email client or download it from the PGP key server such as
https://pgp.mit.edu/

You can also use gpg command line utility to export your public key:

  1. gpg --armor --export your@email.com > mykey.asc

Advanced use case

Detection tool extracts information about the key which can be displayed:

  1. roca-detect.py --dump --flatten --indent  ~/.ssh/

TLS/SSL detection

The roca-detect-tls detects certificates from remote TLS/SSL ports. Provide a file with a newline-delimited list of address:port entries and use that file as input.

Example file: tls_list.txt

  1. github.com:443
  2. google.com:443
  3. internal.example.com:8080

Then run:

roca-detect-tls tls_list.txt

Fake moduli

It is possible to generate moduli that passes the moduli fingerprinting test but actually do not contain structure
the factorization algorithm is using. Dlog moduli test do not mark those as positive.

Advanced installation methods

Virtual environment

It is usually recommended to create a new python virtual environment for the project:

  1. virtualenv ~/pyenv
  2. source ~/pyenv/bin/activate
  3. pip install --upgrade pip
  4. pip install --upgrade --find-links=. .

Separate Python 2.7.13

We tested tool with Python 2.7.13 and it works (see Travis for more info).
We have reports saying lower versions (<=2.6) do not work properly so we highly recommend using up to date Python 2.7

Use pyenv to install a new Python version locally if you cannot / don’t want to update system Python.

It internally downloads Python sources and installs it to ~/.pyenv.

  1. git clone https://github.com/pyenv/pyenv.git ~/.pyenv
  2. echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.bashrc
  3. echo 'export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.bashrc
  4. echo 'eval "$(pyenv init -)"' >> ~/.bashrc
  5. exec $SHELL
  6. pyenv install 2.7.13
  7. pyenv local 2.7.13

Python 3

Detection tools works also with Python 3.4+

Docker container

Run via Docker container to avoid environment inconsistency. Dockerfile source can be audited at https://hub.docker.com/r/unnawut/roca-detect/.

  1. docker run --rm -v /path/to/your/keys:/keys --network none unnawut/roca-detect

Make sure to use --rm and --network none flags to disable container’s network connection and delete the container after running.

Licensing

Code is licensed under permissive MIT license.

As there were requests on dual licensing under Apache 2.0 license (due to some doubts on compatibility) we are licensing
the code also under Apache 2.0 license.

Pick license that suits you better, either MIT or Apache 2.0.

Language ports

This section contains links to different GIT repositories with language ports