Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Tuesday June 18 2019, @04:51AM   Printer-friendly
from the not-so-compliant dept.

Submitted via IRC for SoyCow4463

Some YubiKey FIPS Keys Allow Attackers to Reconstruct Private Keys

Yubico issued a security advisory saying that an issue impacting YubiKey FIPS Series devices (versions 4.4.2 and 4.4.4) reduces the strength of generated RSA keys and ECDSA signatures after power-up.

YubiKey FIPS Series key affected by this issue are the YubiKey FIPS, the YubiKey Nano FIPS, the YubiKey C FIPS, and the YubiKey C Nano FIPS — other Yubico products are not impacted.

According to Yubico's advisory, "random values leveraged in some YubiKey FIPS applications contain reduced randomness for the first operations performed after YubiKey FIPS power-up."

More to the point, on affected Yubico products, the buffer holding the keys derivation random value used by RSA and ECDSA algorithms contains some predictable data which leads to the value being not as random as expected. This problem occurs only during the YubiKey's power-up.

However, "After the predictable content in the random buffer is consumed, the buffer will be filled with the intended full random number generator output, and all subsequent use of randomness will not be affected."

Yubico discovered the issue internally and fixed it in YubiKey FIPS Series firmware version 4.4.5, which again was certified as FIPS compliant on April 30, 2019.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Tuesday June 18 2019, @02:16PM (2 children)

    by Anonymous Coward on Tuesday June 18 2019, @02:16PM (#856990)

    1. Get a lot of people to buy your product
    2. Find a security vulnerability, release a new version with a fix
    3. Everyone has to buy the new version to get the fix.
    4. Repeat every so often.
    5. Profit!!!

  • (Score: 3, Informative) by rigrig on Tuesday June 18 2019, @02:52PM

    by rigrig (5129) Subscriber Badge <soylentnews@tubul.net> on Tuesday June 18 2019, @02:52PM (#857003) Homepage

    Except in this case
    3. Everyone has to buy the new version to get the fix.
    3. All affected customers get offered a free replacement.

    --
    No one remembers the singer.
  • (Score: 0) by Anonymous Coward on Tuesday June 18 2019, @03:00PM

    by Anonymous Coward on Tuesday June 18 2019, @03:00PM (#857006)

    Except that they're giving free replacements for the affected hardware.