Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 9:38 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 6 posts ] 
Author Message
PostPosted: Thu Apr 23, 2015 6:49 pm 
Offline

Joined: Sat Mar 21, 2015 9:44 am
Posts: 15
After reading the security advisory warning about the OpenPGP applets prior to 1.0.10 having a possible critical security flaw in authentication with the user's PIN, how are end users supposed to update the OpenPGP applet if the Yubikey NEO that they have are in the production category instead of the development one. I do not believe, after reading several articles on the forums and on the website, that end users are able to perform applet updates as the cardmanager keys are kept solely by Yubico. Will Yubico be releasing said cardmanager keys or will there be a route to replace said key with one that comes with the updated applet version?


Last edited by MRuth on Fri Apr 24, 2015 6:12 am, edited 1 time in total.

Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Thu Apr 23, 2015 6:57 pm 
Offline

Joined: Mon Apr 13, 2015 7:39 pm
Posts: 7
Yay! I wasn't the only person to ask the same question without looking at recent posts!

Effectively this same question was already asked in the past two days by testic and halstead and me.


Top
 Profile  
Reply with quote  
PostPosted: Fri Apr 24, 2015 3:21 am 
Offline

Joined: Sat Mar 21, 2015 9:44 am
Posts: 15
After speaking with Chris from Yubico Support, Yubico is sending me a replacement Yubikey NEO with the updated openPGP applet and asking me to send my old unit in. This whole process took only around 30 minutes and a few emails to verify information and provide a solution. I want to commend the fine people, and specifically Chris, over at Yubico Support. They were very efficient in responding to my help ticket and provided a great support experience! Provided below is information pertaining to production level NEO devices.

Quote:
Thank you for contacting Yubico Support. You correct in stating that Production NEOs cannot be updated. If you're affected by the issue, just provide us with any applicable order numbers and serial numbers for NEOs and we'll issue replacements.


Top
 Profile  
Reply with quote  
PostPosted: Sat Apr 25, 2015 2:24 am 
Offline

Joined: Sat Apr 25, 2015 2:10 am
Posts: 1
It's great that they're willing to do a token swap, and Yubico's support is fantastic (Chris replied to me in 12 minutes!), but...

Sending in a token with my private key and a known vulnerability on it seems like a bad idea.

I'm fortunate enough to have 2 pieces of the old YK NEO (non U2F) developer edition, and I'm comfortable loading my own applets. But even then, as I understand it, if you reload an applet you lose the private keys contained in it. By design it's impossible to extract the private key from the applet, which means if your private key is in a vulnerable applet, it translates to a potentially messy key-rotation problem (depending on how much data you have encrypted under that key).


Top
 Profile  
Reply with quote  
PostPosted: Sat Apr 25, 2015 4:20 pm 
Offline

Joined: Fri Apr 24, 2015 1:15 pm
Posts: 3
I think Yubico is still getting their response together. My optimistic reading of the "replacement policy" posted yesterday looks like they might well end up not asking for the old Neos to be sent back. It's not like my battered old Neo is going to be refurbishable or anything. Just track that they aren't sending multiple free replacements against one vulnerable Neo.

I'm going to wait a few more days for the plan to shake out. If it ends up being a swap... before I send it in I would do a "generate new PGP keys" series on the old device, random-write the OTPs, etc. Probably *should* revoke the subkeys that are currently on my Neo... but definitely overwriting them before I send it in. Honestly, if it's a swap situation, I might consider just buying a whole new Neo and keeping the current one for non-PGP functions.

On the PGP side, there's been a debate on whether it's better to generate the public-private pair on the Neo (which means the private key is hopefully irretrievable) or generate them on a trusted device and push the private to the Neo. Both on-Neo and off-Neo generation are supported by the Neo (in recent models). I went with the latter. I have an otherwise junk laptop that has all networking components removed. I use it (and an encrypted volume) to store my PGP master and subkeys. After a keyring backup, I then can push the subkeys to the Neo (warning, pushing keys to the Neo with PGP/GPG wipes them from the computer's keyring... thus the backup step). I also use my "airgap" laptop for various yubikey configuration utils, signing other peoples' PGP keys with my master, and some other security bits.

The strongest advantage of the PGP key pushed-from-the-computer is that I could still, with some effort, be able to decrypt things encrypted to that subkey. Even if I lost the Neo, and even if I revoke the subkey.

In any event, I'll still have to update the sites/services that are using the OTP and U2F modes, since those codes simply won't be portable between devices (and I can't overwrite the U2F in any event).


Top
 Profile  
Reply with quote  
PostPosted: Mon Apr 27, 2015 1:52 pm 
Offline

Joined: Thu Jun 24, 2010 12:39 am
Posts: 3
YubiKey neo has limited size of the key that it can store.
Thus I have a stronger (offline) master GPG key, generate subkeys on that machine and push them to yubikey.
I have backup of my subkeys, and can easily revoke and rotate them without loosing web of trust.
Originally I thought this as a rotation measure, and well now I really have a reason to rotate those subkeys off ;-)


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 6 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: Google [Bot], Heise IT-Markt [Crawler] and 9 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group