[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security advisory for YubiKey 4: RSA generation broken


For the particular vulnerability, I don't think Gnuk is affected.

Here are (at least) three different things to discuss; (1) whether or
not key generation on device uses secret parameters, (2) prime number
generation method, and (3) entropy source.

Since key generation takes time and requires larger memory, some devices
use two-phase method; that is, generating partially at factory beforhand
to allow faster generation on device.  Data generated at factory is
considered secret parameters (since it limits the space of key, somehow
significantly), and this could be weakest link.

For Gnuk, it has no secret parameters.

FST-01 shipped from Seeed Studio uses Gnuk 1.0.1.  IIUC, (a version of)
Nitrokey Start also uses Gnuk 1.0.4.  In the release note of Gnuk 1.0.x,
key generation was explained as experimental.  Gnuk 1.0.x uses PolarSSL
0.14's simple prime number generator and random number generator of NeuG
0.01.  The prime number generation is not uniform.  Nevertheless, I
haven't heard of any effective attack to keys generated by such a simple
prime number generator, yet.  I think that NeuG 0.01 is OK.

Gnuk 1.1.0 or later (up to current 1.2.6) uses Fouque Tibouchi method
for prime number generation [0].  This change was intended to minimize
bias.  And it uses newer NeuG, which structure is updated according to
the draft of NIST SP 800-90B.  So, I think that it's safe.

Well, in general, I recommend generating keys on host machine (with
enough entropy), so that user can control well.  For a device with
possible secret parameters (for example, the key generation is too
quick), it is wise to avoid generating on that device.

[0] Close to Uniform Prime Number Generation With Fewer Random Bits
    Pierre-Alain Fouque and Mehdi Tibouchi

# I'm temporarily subscribing this list, so that I can join this
# discussion.  Thanks to Hideki Yamane to inform me.

Reply to: