ROCA Vulnerability Statement

Thursday, 19 October 2017

Ultra AEP, part of Ultra Communication & Integrated Systems, would like to reassure Keyper Plus customers that the recently publicised encryption key vulnerability does not affect the Keyper platform.  

Full details of the ROCA vulnerability will be announced in early November; however, as described under CVE-2017-15361 in the National Vulnerability Database, it is currently reported to affect only the Infineon range of products. Ultra AEP's Keyper Plus does not contain the affected hardware, including TPMs, nor does it use the associated software libraries.

The information released so far indicates that the issue lies in the "Fast Prime" method used to generate RSA key pairs. The Keyper Plus does not use Fast Prime for key generation and instead uses a FIPS 186-2 compliant, full-entropy hardware random number generator.

Ultra has thoroughly tested a range of certificates generated by Keyper Plus to verify that the vulnerability is not present on the Keyper platform. Ultra encourages any customers who remain concerned to verify their public keys using the online tools produced by the researchers at the following URL: https://keychest.net/roca

Ultra will continue to monitor the situation as further details emerge. 
 
For any queries, please contact CIS.Marketing@ultra-cis.com