[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Security advisory for YubiKey 4: RSA generation broken


Recently a vulnerability in a firmware library used by multiple
hardware vendors has been discovered. This vulnerability makes RSA keys
generated on those hardware chips much easier to factorize. One of the
devices affected is the YubiKey 4 family dongle (YubiKey 4, 4 Nano and

Advisory of YubiCo (the vendor of YubiKey 4):

YubiKey NEO is _not_ affected. (That was the last open dongle sold by

Newer devices are also not affected because the flaw has been fixed.
Firmware versions 4.3.5 and higher are not affected according to the
advisory. (Shipped after June 2017.) These devices do _not_ support
firmware updates, but YubiCo apparently has a replacement program in
place. (See their website.)

I do own a YubiKey 4 myself, and luckily I am not affected, as I have
generated all of my keys on a computer with GnuPG and have only
transferred them to the device. (I rightfully didn't fully trust the
device for the purpose of key generation.) But other people might have
generated their private keys on the device itself.

People who have done so should revoke the affected keys.and generate
new private keys on a computer before transferring them to the device.
If only subkeys are stored on the dongle this is a relatively minor
inconvenience. If master keys have been generated on the device itself
the entire web of trust needs to be rebuilt, unfortunately.

The vulnerability in the underlying library has been discussed here:

RSA2048 keys generated on such devices should be considered broken
_today_. RSA3072 and RSA4096 keys generated on those devices are still
impractical to break at the moment, but this may change very soon.

Important: this vulnerability implies that any message encrypted to a
PGP key generated on a vulnerable device can be decrypted with a
moderate amount of resources! Affected users should no longer assume
that their PGP-encrypted correspondence is private.

Unfortunately, as far as I understand it, there's no easy method for
detecting these kinds of broken keys without actually attempting to
factorize them - and while that's feasible (hence the vulnerability)
it is still quite expensive - so there is currently no easy method of
scanning through the Debian keyring for affected keys.


Reply to: