YubiKey FIPS Series Vulnerable to Private Key Reconstruction
- Yubico offers replacement keys for the FIPS product series, due to a 'reduced randomness' vulnerability.
- The keys are running some predictable operations during power-up, potentially allowing the partial key reconstruction.
- Still, these keys remain a hard nut to crack, even if their strength is admittedly reduced.
According to a security advisory published by Yubico, four of their products that constitute the FIPS Series could be vulnerable to private key reconstruction scenarios. Although the process of exploitation isn’t a simple one, the FIPS Series products are meant to be used by governmental agencies and regulated industries, so it’s the highest-level product geared for deployment in the most critical environments. The affected devices are the YubiKey FIPS, YubiKey Nano FIPS, YubiKey C FIPS, and YubiKey C Nano FIPS, running firmware versions 4.4.2 or 4.4.4. Yubico clarifies that all of their other products are unaffected by the presented vulnerabilities.
Yubico has discovered and fixed an issue with our YubiKey FIPS Series keys, see the following Advisory for technical details and information on how to obtain a free replacement device. No other YubiKey, Security Key or Yubico products are affected. https://t.co/l4ny0ZJfEW
— Yubico | #YubiKey (@Yubico) June 13, 2019
Upon powering-up, the Yubikey FIPS devices perform some initial operations that are characterized by reduced randomness. This data fills the key’s memory buffers only for a brief moment of time, but it’s enough for a sniffer to capture it, essentially allowing for the creation of a predictability context leading to the subsequent reconstruction of the private key. While not the full key generation algorithm is exposed, a sophisticated attacker could gain enough signatures to make the hacking process possible.
According to Yubico, for RSA key generation, the predictability is limited to 80 out of the minimum 2048 bits. For ECDSA signatures, the nonce K becomes biased, with 80 out of the 256 bits being static. For ECC keys generation, the situation is again the same, with 80 out of the 256 bits being compromised. For ECC encryption, the strength is reduced from 256 to 240 bits, which Yubico still sees as adequately secure. Secp384r1 private keys go from 384 unknown bits down to 368, so their strength is also reduced, but not to a worrying point.
All that said, the particular Yubikey vulnerability is not exactly an open door to attackers, but Yubico is acting responsibly here and offers their customers what they really paid for. After all, people who are using these keys are high-risk individuals, and whole teams of hackers are doing all they can to break into their systems. Giving out a couple of bits to help them with that would be counter-intuitive, to say the least.
If you own one or more of the affected devices, you may simply visit the Yubico replacement portal and ask for a new key. Of course, there’s also a firmware update (version 4.4.5) that customers may choose to apply instead, and which has achieved FIPS certification more than a month ago. If you’re not comfortable with this process, just ask for a new key that will come with the latest firmware version. If you are unsure about whether you are using a flawed version or not, contact Yubico’s customer service directly, or simply contact your reseller and ask them.
Do you think that hackers could potentially break a 240-bit key, or does it make no difference in real-world cracking practice? Share your view in the comments beneath, or on our socials, on Facebook and Twitter.