Yubico Forum ...visit our web-store at 2015-04-24T14:58:48+01:00 https://forum.yubico.com/feed.php?f=26&t=1846 2015-04-24T14:58:48+01:00 2015-04-24T14:58:48+01:00 https://forum.yubico.com/viewtopic.php?t=1846&p=7244#p7244 <![CDATA[Re: openpgp applet vulnerability : how to update ?]]> Statistics: Posted by noko — Fri Apr 24, 2015 2:58 pm

]]> 2015-04-24T13:16:45+01:00 2015-04-24T13:16:45+01:00 https://forum.yubico.com/viewtopic.php?t=1846&p=7243#p7243 <![CDATA[Re: openpgp applet vulnerability : how to update ?]]> zviratko wrote:

WTH!

This makes the applet completely worthless - anyone with physical access to the token can sign on my behalf, this completely defeats the purpose (which is NOT only to make the key unextractable, but to block the card if someone tries to break the PIN and make it worthless without it).

I will demand either an upgrade path or a token replacement.


Sounds like token replacement is the way to go. If you provide the information needed, Yubico will do a swap:

viewtopic.php?f=26&t=1852&view=unread#p7240

B

Statistics: Posted by brendanhoar — Fri Apr 24, 2015 1:16 pm

]]> 2015-04-24T08:35:10+01:00 2015-04-24T08:35:10+01:00 https://forum.yubico.com/viewtopic.php?t=1846&p=7241#p7241 <![CDATA[Re: openpgp applet vulnerability : how to update ?]]>
This makes the applet completely worthless - anyone with physical access to the token can sign on my behalf, this completely defeats the purpose (which is NOT only to make the key unextractable, but to block the card if someone tries to break the PIN and make it worthless without it).

I will demand either an upgrade path or a token replacement.

Statistics: Posted by zviratko — Fri Apr 24, 2015 8:35 am

]]> 2015-04-22T12:13:35+01:00 2015-04-22T12:13:35+01:00 https://forum.yubico.com/viewtopic.php?t=1846&p=7224#p7224 <![CDATA[Re: openpgp applet vulnerability : how to update ?]]>
Quote:

In particular, any attacker with access to the local host must be assumed to be able to learn the user’s PIN code, simply by intercepting communication with the OpenPGP card hardware or through key logging.

this is very misleading, as it implies the attacker would need a full compromise of the host to be able to exploid the vulnerability. A shared computer with unpriviledged users is _also_ a possible scenario.

Quote:

Alternatively, if the attacker has physical proximity to the card, it could wait for the device to be used normally over NFC and then learn the PIN code wirelessly and perform the attack at a later point.

This is clearly bad faith ! Someone could easily "borrow" a (seldom used) vulnerable yubikey and use it (for example) to sign a message and return it...

Quote:

If an attacker has gone through the trouble of obtaining physical access to a key, the conservative approach is to regard it is possible that the attacker were able to learn the PIN earlier since the PIN is often unprotected.

Same problem, it completely misses the "borrowing" attack.

Quote:

However its practical consequences are relatively small as a successful attack requires other privileged operations (such as local root access) that are normally not available to an attacker, and would have undermined the security anyway.


I really think you're trying to downplay the vulnerability to avoid updates. Please explain us how we can fix it.

Statistics: Posted by testic — Wed Apr 22, 2015 12:13 pm

]]> 2015-04-22T12:03:31+01:00 2015-04-22T12:03:31+01:00 https://forum.yubico.com/viewtopic.php?t=1846&p=7222#p7222 <![CDATA[openpgp applet vulnerability : how to update ?]]> https://developers.yubico.com/ykneo-ope ... 04-14.html

details the vulnerability in detail.

I would like to fix my yubikey neo. Unfortunately, the applet keys are not known since I don't have a developer yubikey.

How can I update ? And, most importantly, how will you manage updates in the future if a more serious vulnerability is discovered ?

PS: how am I supposed to access the forum if I personalized my yubikey and removed the original keys ? I was lucky to have one untouched...

Statistics: Posted by testic — Wed Apr 22, 2015 12:03 pm

]]>