
If they have the letters "FIPS" on them, they either need to be updated or replaced because of a recently discovered YubiKey security vulnerability. Parent company Yubico says its internal teams discovered the vulnerability within the last couple of months, and it has now pushed out a patch in YubiKey FIPS Series firmware version 4.4.5.

Yubico says it has not seen these exploits in the wild; however, it lists the following types of scenarios as a reason to take the security advisory seriously.

1. I am using my YubiKey FIPS Series device as a smart card (PIV), am I affected?

Yes, if you sign code, software applications, electronic documents, or other artifacts using an ECDSA signature, then you are likely impacted. If you are using an RSA signature, the resulting RSA key strength is not reduced enough for known cryptographic attacks to become significantly easier to accomplish. You may also be at risk from attempts to overwrite your stored PIV signatures on the YubiKey; however, this attack requires specially crafted software to first be installed on your system.

2. I store my PGP keys on my YubiKey FIPS Series device, am I affected?

The reduction in key strength for PGP keys generated on the YubiKey may be up to 10 bytes (80 bits) for affected RSA keys. This does not significantly affect RSA's cryptographic protections. PGP keys generated outside a YubiKey FIPS Series device and imported onto the device are not affected.

3. I am using FIDO U2F on a YubiKey FIPS Series device to authenticate to a website, am I affected?

For scenarios involving FIDO U2F, an attacker who successfully exploited this issue could impersonate a user to a specific Relying Party (website) without having the user's YubiKey, if they also had possession of the user's username and password for that Relying Party.
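The practical first step for anyone managing a fleet of these tokens is to find out which devices are FIPS Series units still running firmware older than the 4.4.5 release named above. The following Python script is an added example, not code from the article or from Yubico: it parses the kind of "Device type / Firmware version" text that the `ykman info` tool prints and flags devices that need updating or replacing. The sample outputs are constructed here and the exact field layout is an assumption; the only facts taken from the article are that FIPS Series devices are the ones affected and that 4.4.5 is the patched firmware.

```python
import re

# Fixed release named in the article: YubiKey FIPS Series firmware 4.4.5.
PATCHED_FIRMWARE = (4, 4, 5)

# Constructed samples in the style of `ykman info` output (assumed layout,
# not captured from real devices).
SAMPLE_FIPS_OLD = """Device type: YubiKey FIPS
Serial number: 1234567
Firmware version: 4.4.4
Enabled USB interfaces: OTP+FIDO+CCID
"""

SAMPLE_FIPS_PATCHED = """Device type: YubiKey FIPS
Serial number: 7654321
Firmware version: 4.4.5
Enabled USB interfaces: OTP+FIDO+CCID
"""

SAMPLE_NON_FIPS = """Device type: YubiKey 5 NFC
Serial number: 1111111
Firmware version: 5.2.7
Enabled USB interfaces: OTP+FIDO+CCID
"""


def parse_version(text):
    """Turn a dotted version string such as '4.4.4' into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def parse_info(text):
    """Parse 'Field: value' lines into a dict keyed by lower-cased field name."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            info[m.group(1).lower()] = m.group(2)
    return info


def assess(info_text):
    """Classify one device as 'not fips', 'patched' or 'update or replace'.

    Only FIPS Series devices are in scope; for those, anything below the
    patched firmware version is flagged.
    """
    info = parse_info(info_text)
    device = info.get("device type", "")
    if "FIPS" not in device.upper():
        return "not fips"
    version = parse_version(info["firmware version"])
    return "patched" if version >= PATCHED_FIRMWARE else "update or replace"


def assess_fleet(outputs):
    """Map serial number -> verdict for a batch of captured outputs."""
    return {parse_info(t).get("serial number", "?"): assess(t) for t in outputs}


if __name__ == "__main__":
    fleet = [SAMPLE_FIPS_OLD, SAMPLE_FIPS_PATCHED, SAMPLE_NON_FIPS]
    for serial, verdict in assess_fleet(fleet).items():
        print(f"{serial}: {verdict}")
```

This is a version comparison only: it tells you which devices fall in the affected population, not whether any particular key on them has been misused. Per the article, a flagged device either gets the 4.4.5 firmware or, if it cannot be updated, is replaced, and keys generated on it before the fix should be treated according to the per-application guidance above.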
