Information Security News mailing list archives
Yubico to replace vulnerable YubiKey FIPS security keys
From: InfoSec News <alerts () infosecnews org>
Date: Fri, 14 Jun 2019 06:59:44 +0000 (UTC)
https://www.zdnet.com/article/yubico-to-replace-vulnerable-yubikey-fips-security-keys/

By Catalin Cimpanu
Zero Day
ZDNet News
June 13, 2019

Yubico said today it plans to replace certain hardware security keys because of a firmware flaw that reduces the randomness of cryptographic keys generated by its devices.
Affected products include models part of the YubiKey FIPS Series, a line of YubiKey authentication keys certified for use on US government networks (and others) according to the US government's Federal Information Processing Standards (FIPS).
BOOT-UP BUG TEMPORARILY REDUCES CRYPTO KEY RANDOMNESS

According to a Yubico security advisory published today, YubiKey FIPS Series devices that run firmware version 4.4.2 and 4.4.4 contain a bug that keeps "some predictable content" inside the device's data buffer after the power-up operation.
This "predictable content" will influence the randomness of cryptographic keys generated on the device for a short period after the boot-up, until the "predictable content" is all used up, and true random data is present in the buffer.
[...]

--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_