
Re: Get your free Yubikey sponsored by Infomaniak (available for free for any DD and DM)



On Sat, Apr 21, 2018 at 05:42:06AM +0200, Stéphane Glondu wrote:
> On 17/04/2018 13:44, Thomas Goirand wrote:
> > In fact, I was mistaking. The reason why we are renewing subkeys, is
> > because some were generated using the Yubikey, which happens to have a
> > security hole. For others, we are simply extending the expiration date,
> > which is what most people do.
> 
> What security hole?

Quoting https://en.wikipedia.org/wiki/YubiKey#Security-concerns_YubiKey_4_(closed-source_code)

Yubico has replaced all open-source components in YubiKey 4 with
closed-source code, which can no longer be independently reviewed for
security flaws. Yubico states that internal and external review of
their code is done. Yubikey NEOs are still using open-source code. On
May 16, 2016, Yubico CTO Jakob Ehrensvärd responded to the open-source
community's concerns with a blog post affirming the company's strong
open source support and addressing the reasons and benefits of updates
to the YubiKey 4.

In October 2017, security researchers found a vulnerability (known as
ROCA) in the implementation of RSA keypair generation in a cryptographic
library used by a large number of Infineon security chips. The
vulnerability allows an attacker to reconstruct the private key by using
the public key. All YubiKey 4, YubiKey 4C, and YubiKey 4 nano within
the revisions 4.2.6 to 4.3.4 are affected by this vulnerability. Yubico
publicized a tool to check if a Yubikey is affected and replaced affected
tokens for free.


Quoting https://en.wikipedia.org/wiki/ROCA_vulnerability

The ROCA vulnerability is a cryptographic weakness that allows the
private key of a key pair to be recovered from the public key in keys
generated by devices with the vulnerability. "ROCA" is an acronym for
"Return of the Coppersmith Attack". The vulnerability has been given
the identifier CVE-2017-15361.


Greetings
Geert Stappers
-- 
Live and let live
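The quoted passage mentions that Yubico published a tool to check whether a key is affected. As an added example written for this thread (not code from the message, from Yubico, or from the ROCA researchers), the block below performs that kind of defender-side check on an RSA modulus in pure Python; the prime list, the constructed sample modulus and the threshold values are assumptions of this example.

```python
"""ROCA (CVE-2017-15361) fingerprint test for an RSA modulus, pure Python.
Added example for this thread, not Yubico's checker or the researchers' tool.
The affected Infineon library builds primes p = k*M + (65537^a mod M) with M
a product of small primes, so N = p*q mod every small prime is a power of
65537. Failing for any prime rules ROCA out; passing for all flags the key.
"""
from functools import reduce

# Small primes whose residues are tested (this re-implementation uses 3..167).
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537  # public exponent the vulnerable generator derives primes from

def subgroup_mask(p, g=GENERATOR):
    """Bitmask with bit r set for every residue r = g^k mod p."""
    mask, r = 0, 1
    while not (mask >> r) & 1:  # stop once the cycle revisits a residue
        mask |= 1 << r
        r = (r * g) % p
    return mask

FINGERPRINT = {p: subgroup_mask(p) for p in SMALL_PRIMES}

def has_roca_fingerprint(n):
    """True if n mod p lies in the subgroup <65537> for every small prime p."""
    return all((FINGERPRINT[p] >> (n % p)) & 1 for p in SMALL_PRIMES)

def false_positive_rate():
    """Fraction of random moduli that would pass the test by chance."""
    return reduce(lambda acc, p: acc * bin(FINGERPRINT[p]).count("1") / (p - 1),
                  SMALL_PRIMES, 1.0)

def constructed_roca_like_modulus(k, bits=2048):
    """Constructed sample, not a real key: a `bits`-bit integer congruent to
    65537^k modulo M, so it carries the ROCA residues without being p*q."""
    m = reduce(lambda a, b: a * b, SMALL_PRIMES, 1)
    return pow(GENERATOR, k, m) + m * ((1 << (bits - 1)) // m + 1)

if __name__ == "__main__":
    samples = [("constructed ROCA-like modulus", constructed_roca_like_modulus(12345)),
               ("2^2047 + 1 (no ROCA structure)", (1 << 2047) + 1)]
    for label, n in samples:
        verdict = "AFFECTED" if has_roca_fingerprint(n) else "not affected"
        print(f"{label}: {verdict}")
    print(f"chance that a random key passes: {false_positive_rate():.1e}")
```

To check a real key, feed its modulus (the `n` of the RSA public key) to `has_roca_fingerprint`; a positive result means the key should be revoked and regenerated on fixed firmware, as the thread's subkey renewal does.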