This Powershell script tests a TPM based Public Key for the ROCA vulenerability (CVE-2017-15361).
Based on: https://github.com/crocs-muni/roca/tree/master/csharp
Prequisites:
- Bouncy Castle crypto DLL (https://www.bouncycastle.org/csharp/index.html).
- Windows 8, 8.1 or 10 OS (e.g. a USB stick with Windows to Go)
The comments below explains how to create a TPM based Public Key file.
--- 8< --------------------
<#
Date: 5-Nov-2017
Description: This script tests if a Public Key is vulnerable for ROCA
Use a TPM based CSR or CRT, extract the Public Key and test
Prerequisite: Bouncy Castle DLL (http://www.bouncycastle.org/csharp/)
>>> Create and extract a Public Key on Windows 8, 8.1 and 10 through a CSR:
(if a PC runs W7 or older or does note even have a hard disk, use Windows-to-Go from USB)
1. Create TPMCSR.inf
--- 8< -----------------------
[NewRequest]
Subject = "E=IFXTPMVSC"
KeyLength = 2048
Exportable = FALSE
UserProtected = FALSE
MachineKeySet = FALSE
Providername = "Microsoft Platform Crypto Provider"
ProviderType = 1
RequestType = PKCS10
KeyUsage = 0x80
KeySpec=1
--- 8< -----------------------
2. Create CSR:
C:\> certreq -new -f TPMVSC.inf TPMCSR.csr >nul
3. Extract Public Key with OpenSSL:
openssl.exe req -in TPMCSR.csr -noout -pubkey -out TPMCSR.csr-pubk.pem
4. Configure the filename in this script and run the script
c:\scripts> powershell -file testROCA.ps1 TPMCSR.csr-pubk.pem
Vulnerable: True
>>> Using a TPM based certificate:
1. Extract the Public Key with OpenSSL:
openssl.exe x509 -in TPMCSR.crt -noout -pubkey -out TPMCSR-pubk.pem
2. Configure the filename in this script and run the script
c:\scripts>powershell -file testROCA.ps1
Vulnerable: True
>>> Example Public Keys:
Vulnerable Pubk:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQECWSe1K6XmjIySaLuSGPN2
c2FMplQY9HRbFDzU7lP5SRyaDhwvI6lRYwav+/OGZ7hxvAzILmD1uxqfoVpWcadl
yfIblYfYARWWQ3Kjg8iDsNy/bHdXBrMer/Pj/UiFWaCM3qIPmpfExZtrio7spFfU
qCDUlQn3WTNjAryho2kLCAkYEfhY8ujOpaYjVa1uBB0ZNe2lkom1l2g7c+JleudL
/8dg5NUTzIfbk1WRjqoI05i75faDXchxJSEbmzazoLxwuZOmyz99LLQGHec9uXLJ
Qq35lVtv5M2Q8A0IiuwErx9e/5HyGvXtRGF8fbgJP5U2bbJlgMSvOZ3rlPmxQTBb
4QIDAQAB
-----END PUBLIC KEY-----
NOT vulnerable Pubk:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr2WWdhl/HbBtp6wRGgoO
wXW4t+8HGS/80fa4VMMneF8af9PbfaRc1KMbKy5c4Ngjpo4oyK3xdHMWvszh/ldo
BkA5rSBiJgyNGjTgWG3Om8EwkPzJ+4uLLAjtOujWGymBimaWiafZwdqwU7VX+40/
nET6rT4YxV5zmwDTyRJlWLyOmAzSrzdxJu9bE3QTZ3S4vTcOPBwUnbOVyPmWlrYo
sQWUb+ogEG/iTRA6wGJmGpJI6MP2KOALMI0zlTqr5VUTLiGOdO9LV4cWtP5880Do
5gSjGb9umVHhlCYB00KRAy21SZnQnl0Dbd41RK01JWu7l9Xj//04Fmwh6ukZlUiF
OwIDAQAB
-----END PUBLIC KEY-----
#>
if ($args.count -ne 1) {
cls
write-host "*** Usage: powershell -file testROCA.ps1 {public key file}"
Break
}
$pubKfile = $args[0]
if (-not (Test-Path $pubKfile)) {
write-host "*** File not found."
Break
}
add-type -path ".\BouncyCastle.Crypto.dll"
[Org.BouncyCastle.Math.BigInteger[]] $markers = @(
"6",
"30",
"126",
"1026",
"5658",
"107286",
"199410",
"8388606",
"536870910",
"2147483646",
"67109890",
"2199023255550",
"8796093022206",
"140737488355326",
"5310023542746834",
"576460752303423486",
"1455791217086302986",
"147573952589676412926",
"20052041432995567486",
"6041388139249378920330",
"207530445072488465666",
"9671406556917033397649406",
"618970019642690137449562110",
"79228162521181866724264247298",
"2535301200456458802993406410750",
"1760368345969468176824550810518",
"50079290986288516948354744811034",
"473022961816146413042658758988474",
"10384593717069655257060992658440190",
"144390480366845522447407333004847678774",
"2722258935367507707706996859454145691646",
"174224571863520493293247799005065324265470",
"696898287454081973172991196020261297061886",
"713623846352979940529142984724747568191373310",
"1800793591454480341970779146165214289059119882",
"126304807362733370595828809000324029340048915994",
"11692013098647223345629478661730264157247460343806",
"187072209578355573530071658587684226515959365500926"
)
[Org.BouncyCastle.Math.BigInteger[]] $primes = @( 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167 )
[System.IO.TextReader] $reader = [System.IO.File]::OpenText($pubKfile)
[Org.BouncyCastle.Crypto.Parameters.RsaKeyParameters] $rsaKeyParameters = [Org.BouncyCastle.OpenSsl.PemReader]::new($reader).ReadObject()
$isVulnerable = $true
for ($i=0; $i -lt $primes.length;$i++)
{
if ([Org.BouncyCastle.Math.BigInteger]::One.ShiftLeft($rsaKeyParameters.Modulus.Remainder($primes[$i]).IntValue).And($markers[$i]).Equals([Org.BouncyCastle.Math.BigInteger]::Zero))
{
$isVulnerable=$false
break
}
}
write-host "Vulnerable ($pubKfile):" $isVulnerable
No comments :
Post a Comment