ROCA vulnerability

The vulnerability arises from an approach to RSA key generation used in vulnerable versions of the software library RSALib, provided by Infineon Technologies and incorporated into many smart cards, Trusted Platform Modules (TPMs) and Hardware Security Modules (HSMs), including YubiKey 4 tokens when they are used to generate RSA keys on-chip for OpenPGP or PIV.[2] Only RSA keys that the affected library itself generated carry the weakness; RSA keys generated on another system and then imported into the same device do not.

RSA keys of lengths 512, 1024 and 2048 bits generated using these versions of the Infineon library are vulnerable to a practical ROCA attack; 4096-bit keys from the same library share the detectable structure, but the researchers estimated that factoring them with the published method was not practical.[3][4]

The research team that discovered the attack (led by Matúš Nemec and Marek Sýs of Masaryk University)[3] estimated that it affected around one quarter of all TPM devices in use at the time.[1]

The team informed Infineon of the RSALib problem in February 2017, but withheld public notice until mid-October 2017, citing responsible disclosure.[3]

Generating an RSA key involves selecting two large randomly generated prime numbers, which a device normally does by drawing random candidates and testing each one for primality; this can be time-consuming, particularly on small devices such as smart cards.

The vulnerable RSALib selection process quickly creates primes of the desired type by only testing for primality numbers of the form: where

Computing discrete logarithms in a large group is usually extremely difficult, but in this case it can be done efficiently using the Pohlig–Hellman algorithm because
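Added example, not code from this page, from Infineon or from the ROCA authors' tooling: a Python sketch of both the structured prime generation discussed above and the discrete-log step. Because the page leaves the formula unstated, the prime form p = k·M + (65537^a mod M), with M the product of the first 39 primes, is taken from the published ROCA paper (that is the parameter set for 512-bit keys; larger key sizes use a longer product of small primes). Since M splits into tiny prime factors, the logarithm of N mod M to base 65537 is solved separately in each (Z/pZ)* by table lookup and glued together with the Chinese remainder theorem, the same smooth-order property that makes Pohlig–Hellman efficient; a modulus whose residue is outside the subgroup generated by 65537 fails the glue step, and that failure is the ROCA fingerprint. All function names and the toy keys are this example's own.

```python
"""ROCA-style prime structure and the discrete-log fingerprint (added example, see lead-in).
The form p = k*M + (65537^a mod M), M = product of the first 39 primes, is from the published
ROCA paper, not from this page; nothing here is RSALib code."""
import math
import random
from functools import reduce

GENERATOR = 65537
# First 39 primes; their product M (about 219 bits) is the ROCA parameter set for 512-bit keys.
PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79,
          83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167]
M = reduce(lambda x, y: x * y, PRIMES)

def power_table(g, p):
    """Map each element of the subgroup <g> of (Z/pZ)* to its discrete log; len() is ord_p(g)."""
    table, x, e = {}, 1, 0
    while x not in table:
        table[x] = e
        x, e = x * g % p, e + 1
    return table

# One tiny lookup table per prime factor of M. ord_M(65537) is the lcm of the per-prime orders,
# so every prime factor of that order is below 167: the smoothness that makes the log cheap.
TABLES = {p: power_table(GENERATOR % p, p) for p in PRIMES}
ORDER_M = reduce(lambda a, b: a * b // math.gcd(a, b), (len(t) for t in TABLES.values()))

def crt_combine(r1, m1, r2, m2):
    """x = r1 (mod m1) and x = r2 (mod m2) with non-coprime moduli: (x mod lcm, lcm), or None."""
    g = math.gcd(m1, m2)
    if (r2 - r1) % g:
        return None
    lcm, m2g = m1 // g * m2, m2 // g
    t = 0 if m2g == 1 else (r2 - r1) // g * pow(m1 // g, -1, m2g) % m2g
    return (r1 + m1 * t) % lcm, lcm

def dlog_mod_M(n):
    """log_65537(n mod M) in (Z/MZ)*, modulo ORDER_M: per-prime table lookups glued by the CRT.
    None when n mod M is not a power of 65537, i.e. the modulus lacks the ROCA structure."""
    exponent, modulus = 0, 1
    for p in PRIMES:
        e = TABLES[p].get(n % p)
        if e is None:                # residue outside <65537 mod p>
            return None
        combined = crt_combine(exponent, modulus, e, len(TABLES[p]))
        if combined is None:         # per-prime logs contradict each other
            return None
        exponent, modulus = combined
    return exponent

def has_roca_fingerprint(n):
    """True when n mod M lies in the subgroup generated by 65537, as every RSALib modulus does."""
    return dlog_mod_M(n) is not None

def is_probable_prime(n, rounds=20):
    """Trial division by the small primes, then Miller-Rabin."""
    if n < 2:
        return False
    for p in PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def roca_prime(bits):
    """Prime of the RSALib form k*M + (65537^a mod M); returns (p, a). Needs bits > log2(M)."""
    k_lo, k_hi = (1 << (bits - 1)) // M + 1, (1 << bits) // M
    if k_hi <= k_lo:
        raise ValueError("prime size must exceed the bit length of M")
    while True:
        a = random.randrange(ORDER_M)
        p = random.randrange(k_lo, k_hi) * M + pow(GENERATOR, a, M)
        if p.bit_length() == bits and is_probable_prime(p):
            return p, a

def random_prime(bits):
    """Ordinary random prime of the given size, for comparison."""
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p):
            return p

def demo(bits=256):
    """Fingerprint a 2*bits RSALib-style modulus and an ordinary one; returns a dict of results."""
    p, a = roca_prime(bits)
    q, b = roca_prime(bits)
    n_roca, n_plain = p * q, random_prime(bits) * random_prime(bits)
    return {"roca_flagged": has_roca_fingerprint(n_roca),
            "plain_flagged": has_roca_fingerprint(n_plain),
            # N = p*q is 65537^(a+b) mod M; the real attack turns this exponent into a search for a
            "log_matches": dlog_mod_M(n_roca) == (a + b) % ORDER_M}

if __name__ == "__main__":
    print(demo())
```

Running `demo()` builds a 512-bit modulus from two structured 256-bit primes and a second modulus from ordinary primes; only the first is flagged, and the recovered logarithm equals a + b modulo ord_M(65537), the quantity the real attack reduces to a search for a followed by a Coppersmith-style factorization. That factoring step is deliberately left out here; the block covers only the key structure and the discrete-log fingerprint.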

[13]: Sec 6.7.5 In Estonia, the discovery of the vulnerability resulted in a state-level cyber crisis as the vulnerable smart card chip was deployed on more than 750,000 Estonian identity cards that are used daily by Estonian residents and e-residents to securely authenticate online and create digital signatures.