Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

Yubico to replace vulnerable YubiKey FIPS security keys

From: InfoSec News <alerts () infosecnews org>
Date: Fri, 14 Jun 2019 06:59:44 +0000 (UTC)
https://www.zdnet.com/article/yubico-to-replace-vulnerable-yubikey-fips-security-keys/

By Catalin Cimpanu
Zero Day
ZDNet News
June 13, 2019
Yubico said today it plans to replace certain hardware security keys because of a firmware flaw that reduces the randomness of cryptographic keys generated by its devices.
Affected products include models part of the YubiKey FIPS Series, a line of YubiKey authentication keys certified for use on US government networks (and others) according to the US government's Federal Information Processing Standards (FIPS). 


BOOT-UP BUG TEMPORARILY REDUCES CRYPTO KEY RANDOMNESS
According to a Yubico security advisory published today, YubiKey FIPS Series devices that run firmware version 4.4.2 and 4.4.4 contain a bug that keeps "some predictable content" inside the device's data buffer after the power-up operation.
This "predictable content" will influence the randomness of cryptographic keys generated on the device for a short period after the boot-up, until the "predictable content" is all used up, and true random data is present in the buffer. 

[...]



--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_
Previous By Date Next
Previous By Thread Next

Current thread: