Nitrokey is NOT Affected by ROCA Vulnerability

Researchers discovered the ROCA vulnerability (CVE-2017-15361), which enables attackers to compute their victims' private RSA keys with little effort. Affected are RSA keys generated in hardware that contains the vulnerable chip from Infineon Technologies, such as computers with a Trusted Platform Module (TPM), smart cards and USB dongles. Affected vendors include HP, Fujitsu, Google, Lenovo, Toshiba, Samsung, Acer, LG, Gemalto and Yubico.

Users of Nitrokey can relax because Nitrokey is not affected by this vulnerability. We don't use components from Infineon Technologies. Instead we use NXP and our own open source software implementation.

The attacker doesn't need access to the hardware; knowledge of the public key is sufficient. If you use a non-Nitrokey product, you can check here if your RSA key is affected.
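Because the public key alone is enough, a key can be screened offline from its modulus. The following is an added example, not Nitrokey's code or the checker linked above: it tests the fingerprint reported in the public ROCA research, namely that an affected modulus reduces, modulo each small prime, to a power of 65537. The function names and sample integers are assumptions made for illustration; the modulus of a real key can be printed with `openssl rsa -pubin -in key.pem -modulus -noout`.

```python
# Added example: ROCA fingerprint test on an RSA modulus (public key only).
GENERATOR = 65537
# Odd primes up to 167; together with 2 they are the first 39 primes.
SMALL_PRIMES = [p for p in range(3, 168)
                if all(p % d for d in range(2, int(p ** 0.5) + 1))]


def generated_residues(p):
    """Residues mod p that are reachable as powers of 65537."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * GENERATOR % p
    return seen


ALLOWED = {p: generated_residues(p) for p in SMALL_PRIMES}


def parse_openssl_modulus(text):
    """Parse the 'Modulus=<hex>' line printed by `openssl rsa -modulus`."""
    for line in text.splitlines():
        if line.strip().startswith("Modulus="):
            return int(line.strip().split("=", 1)[1], 16)
    raise ValueError("no 'Modulus=' line found")


def has_roca_fingerprint(n):
    """True if n mod p is a power of 65537 for every tested prime p."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("not a plausible RSA modulus")
    return all(n % p in ALLOWED[p] for p in SMALL_PRIMES)


def constructed_samples():
    """Constructed integers for demonstration, not real keys."""
    m = 2
    for p in SMALL_PRIMES:
        m *= p
    flagged = pow(GENERATOR, 4242, m) + 99991 * m  # carries the residue pattern
    unflagged = (2 ** 127 - 1) * (2 ** 521 - 1)     # 6 mod 11: not a power of 65537
    return flagged, unflagged


if __name__ == "__main__":
    for n in constructed_samples():
        print(n.bit_length(), "bits ->", has_roca_fingerprint(n))
```

A match is a fingerprint, not a factorization: treat a flagged key as affected and regenerate it on hardware that is not vulnerable, wherever the key is stored now.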

20.10.2017

Comments

If I read this correctly, as a user of Nitrokey I am affected if I created the key pair on a computer with a vulnerable chip and have transferred the key to my Nitrokey. Is that correct?

If you generated a key on a device which is vulnerable to ROCA, you are affected, no matter where you store the key later on.
