Cryptographic Meltdown on Monday

This is such a great start for the week… Not!

WPA2 can be attacked - all platforms are vulnerable. While the 4-way handshake used in WPA2 is mathematically proven to be safe, the software is not. KRACK just uses some tricks to void the encryption. The KRACK page explains everything; they even have a FAQ!

My favorite question from the FAQ:

Should I temporarily use WEP until my devices are patched?
NO! Keep using WPA2.

I had just come to terms with the WPA2 disaster when the next bomb dropped: Vulnerabilities in RSA Generation. Since every news item on it featured digital passports from Estonia, and to be honest digital passports are badly implemented everywhere and people still don’t care, it shouldn’t be that big a deal.

But upon reading the article, the rabbit hole became quite deep: everything that uses a certain version of the Infineon RSA library created keys that are easily factorisable. Oh, and that library is also used on some cryptography hardware. You wanted to use some hardware so your key is better/safer/etc.? Chances are you might have used that library and have a very weak key now. I’ll just refer to Infineon’s page on the TPM update.

EDIT 2016-10-17: Some Yubikeys are affected, too.

Good thing they have a ROCA online test tool that you can use to check your keys.

EDIT 2017-11-08: The situation got even worse.