Clicky

20171107

Powershell ROCA test

This Powershell script tests a TPM based Public Key for the ROCA vulenerability (CVE-2017-15361).

Based on: https://github.com/crocs-muni/roca/tree/master/csharp

Prequisites:
- Bouncy Castle crypto DLL (https://www.bouncycastle.org/csharp/index.html).
- Windows 8, 8.1 or 10 OS (e.g. a USB stick with Windows to Go)

The comments below explains how to create a TPM based Public Key file.

--- 8< --------------------
<#
    Date:             5-Nov-2017
    Description:     This script tests if a Public Key is vulnerable for ROCA
                    Use a TPM based CSR or CRT, extract the Public Key and test
    Prerequisite:    Bouncy Castle DLL (http://www.bouncycastle.org/csharp/)
   
>>> Create and extract a Public Key on Windows 8, 8.1 and 10 through a CSR:
(if a PC runs W7 or older or does note even have a hard disk, use Windows-to-Go from USB)

1. Create TPMCSR.inf
    --- 8< -----------------------
    [NewRequest]
    Subject = "E=IFXTPMVSC"
    KeyLength = 2048
    Exportable = FALSE
    UserProtected = FALSE
    MachineKeySet = FALSE
    Providername = "Microsoft Platform Crypto Provider"
    ProviderType = 1
    RequestType = PKCS10
    KeyUsage = 0x80
    KeySpec=1
    --- 8< -----------------------
   
2. Create CSR:
    C:\> certreq -new -f TPMVSC.inf TPMCSR.csr >nul

3. Extract Public Key with OpenSSL:
    openssl.exe req -in TPMCSR.csr -noout -pubkey -out TPMCSR.csr-pubk.pem   
   
4. Configure the filename in this script and run the script
    c:\scripts> powershell -file testROCA.ps1 TPMCSR.csr-pubk.pem   
    Vulnerable: True
   
>>> Using a TPM based certificate:
1. Extract the Public Key with OpenSSL:
    openssl.exe x509 -in TPMCSR.crt -noout -pubkey -out TPMCSR-pubk.pem   
   
2. Configure the filename in this script and run the script
    c:\scripts>powershell -file testROCA.ps1
    Vulnerable: True
   
>>> Example Public Keys:
Vulnerable Pubk:
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQECWSe1K6XmjIySaLuSGPN2
    c2FMplQY9HRbFDzU7lP5SRyaDhwvI6lRYwav+/OGZ7hxvAzILmD1uxqfoVpWcadl
    yfIblYfYARWWQ3Kjg8iDsNy/bHdXBrMer/Pj/UiFWaCM3qIPmpfExZtrio7spFfU
    qCDUlQn3WTNjAryho2kLCAkYEfhY8ujOpaYjVa1uBB0ZNe2lkom1l2g7c+JleudL
    /8dg5NUTzIfbk1WRjqoI05i75faDXchxJSEbmzazoLxwuZOmyz99LLQGHec9uXLJ
    Qq35lVtv5M2Q8A0IiuwErx9e/5HyGvXtRGF8fbgJP5U2bbJlgMSvOZ3rlPmxQTBb
    4QIDAQAB
    -----END PUBLIC KEY-----

NOT vulnerable Pubk:
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr2WWdhl/HbBtp6wRGgoO
    wXW4t+8HGS/80fa4VMMneF8af9PbfaRc1KMbKy5c4Ngjpo4oyK3xdHMWvszh/ldo
    BkA5rSBiJgyNGjTgWG3Om8EwkPzJ+4uLLAjtOujWGymBimaWiafZwdqwU7VX+40/
    nET6rT4YxV5zmwDTyRJlWLyOmAzSrzdxJu9bE3QTZ3S4vTcOPBwUnbOVyPmWlrYo
    sQWUb+ogEG/iTRA6wGJmGpJI6MP2KOALMI0zlTqr5VUTLiGOdO9LV4cWtP5880Do
    5gSjGb9umVHhlCYB00KRAy21SZnQnl0Dbd41RK01JWu7l9Xj//04Fmwh6ukZlUiF
    OwIDAQAB
    -----END PUBLIC KEY-----
#>

if ($args.count -ne 1) {
    cls
    write-host "*** Usage: powershell -file testROCA.ps1 {public key file}"
    Break
    }
   
$pubKfile = $args[0]
if (-not (Test-Path $pubKfile)) {
    write-host "*** File not found."
    Break
}
   
add-type -path ".\BouncyCastle.Crypto.dll"

[Org.BouncyCastle.Math.BigInteger[]] $markers = @(
            "6",
            "30",
            "126",
            "1026",
            "5658",
            "107286",
            "199410",
            "8388606",
            "536870910",
            "2147483646",
            "67109890",
            "2199023255550",
            "8796093022206",
            "140737488355326",
            "5310023542746834",
            "576460752303423486",
            "1455791217086302986",
            "147573952589676412926",
            "20052041432995567486",
            "6041388139249378920330",
            "207530445072488465666",
            "9671406556917033397649406",
            "618970019642690137449562110",
            "79228162521181866724264247298",
            "2535301200456458802993406410750",
            "1760368345969468176824550810518",
            "50079290986288516948354744811034",
            "473022961816146413042658758988474",
            "10384593717069655257060992658440190",
            "144390480366845522447407333004847678774",
            "2722258935367507707706996859454145691646",
            "174224571863520493293247799005065324265470",
            "696898287454081973172991196020261297061886",
            "713623846352979940529142984724747568191373310",
            "1800793591454480341970779146165214289059119882",
            "126304807362733370595828809000324029340048915994",
            "11692013098647223345629478661730264157247460343806",
            "187072209578355573530071658587684226515959365500926"
)

[Org.BouncyCastle.Math.BigInteger[]] $primes = @( 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167 )

[System.IO.TextReader] $reader = [System.IO.File]::OpenText($pubKfile)

[Org.BouncyCastle.Crypto.Parameters.RsaKeyParameters] $rsaKeyParameters = [Org.BouncyCastle.OpenSsl.PemReader]::new($reader).ReadObject()

$isVulnerable = $true
for ($i=0; $i -lt $primes.length;$i++)
{
    if ([Org.BouncyCastle.Math.BigInteger]::One.ShiftLeft($rsaKeyParameters.Modulus.Remainder($primes[$i]).IntValue).And($markers[$i]).Equals([Org.BouncyCastle.Math.BigInteger]::Zero))
        {
            $isVulnerable=$false
            break
        }
}

write-host "Vulnerable (
$pubKfile):" $isVulnerable

No comments :

Post a Comment

Real Time Web Analytics