Security advisory for YubiKey 4: RSA generation broken

To: debian-project@lists.debian.org
Cc: keyring-maint@debian.org
Subject: Security advisory for YubiKey 4: RSA generation broken
From: Christian Seiler <christian@iwakd.de>
Date: Mon, 16 Oct 2017 21:06:20 +0200
Message-id: <[🔎] 16f69a34-1ea6-81df-c47d-1920128b3a97@iwakd.de>

Hi,

Recently a vulnerability in a firmware library used by multiple
hardware vendors has been discovered. This vulnerability makes RSA keys
generated on those hardware chips much easier to factorize. One of the
devices affected is the YubiKey 4 family dongle (YubiKey 4, 4 Nano and
4C).

Advisory of YubiCo (the vendor of YubiKey 4):
https://www.yubico.com/2017/10/infineon-rsa-key-generation-issue/
https://www.yubico.com/keycheck/

YubiKey NEO is _not_ affected. (That was the last open dongle sold by
YubiCo.)

Newer devices are also not affected because the flaw has been fixed.
Firmware versions 4.3.5 and higher are not affected according to the
advisory. (Shipped after June 2017.) These devices do _not_ support
firmware updates, but YubiCo apparently has a replacement program in
place. (See their website.)

I do own a YubiKey 4 myself, and luckily I am not affected, as I have
generated all of my keys on a computer with GnuPG and have only
transferred them to the device. (I rightfully didn't fully trust the
device for the purpose of key generation.) But other people might have
generated their private keys on the device itself.

People who have done so should revoke the affected keys.and generate
new private keys on a computer before transferring them to the device.
If only subkeys are stored on the dongle this is a relatively minor
inconvenience. If master keys have been generated on the device itself
the entire web of trust needs to be rebuilt, unfortunately.

The vulnerability in the underlying library has been discussed here:
https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/

RSA2048 keys generated on such devices should be considered broken
_today_. RSA3072 and RSA4096 keys generated on those devices are still
impractical to break at the moment, but this may change very soon.

Important: this vulnerability implies that any message encrypted to a
PGP key generated on a vulnerable device can be decrypted with a
moderate amount of resources! Affected users should no longer assume
that their PGP-encrypted correspondence is private.

Unfortunately, as far as I understand it, there's no easy method for
detecting these kinds of broken keys without actually attempting to
factorize them - and while that's feasible (hence the vulnerability)
it is still quite expensive - so there is currently no easy method of
scanning through the Debian keyring for affected keys.

Regards,
Christian

Reply to:

Follow-Ups:
- Re: Security advisory for YubiKey 4: RSA generation broken
  - From: Yves-Alexis Perez <corsac@debian.org>
- Re: Security advisory for YubiKey 4: RSA generation broken
  - From: Antoine Beaupré <anarcat@orangeseeds.org>
- Re: Security advisory for YubiKey 4: RSA generation broken
  - From: NIIBE Yutaka <gniibe@fsij.org>

Prev by Date: Re: The Debian Trademark
Next by Date: Re: Security advisory for YubiKey 4: RSA generation broken
Previous by thread: Re: The Debian Trademark
Next by thread: Re: Security advisory for YubiKey 4: RSA generation broken
Index(es):
- Date
- Thread