See the Technical Details section below for additional information about how this issue might impact different scenarios, as well as what mitigating factors exist.” YubiKey FIPS applications utilizing ECDSA are at higher risk than other use cases. Yubico said in an advisory, “The issue only affects certain use cases and scenarios. The company started working on a fix and released version 4.4.5, which received FIPS certification on April 30, 2019. Yubico discovered the issue in March 2019 affecting YubiKey FIPS Series devices running firmware versions 4.4.2 and 4.4.4. After the predictable content in the random buffer is consumed, the buffer will be filled with the intended full random number generator output, and all subsequent use of randomness will not be affected,” said the company in its advisory. This issue occurs only during the power-up of the YubiKey FIPS Series, version 4.4.2 or 4.4.4. The buffer holding random values contains some predictable content left over from the FIPS power-up self-tests which could affect cryptographic operations which require random data until the predictable content is exhausted. “An issue exists in the YubiKey FIPS Series devices with firmware version 4.4.2 or 4.4.4 (there is no released firmware version 4.4.3) where random values leveraged in some YubiKey FIPS applications contain reduced randomness for the first operations performed after YubiKey FIPS power-up. These are high-end devices that are used by the federal governments. Yubico, a maker of security keys and tokens, is recalling Yubiekey tokens for the YubiKey FIPS (Federal Information Processing Standards) series devices.
0 kommentar(er)
