Yubico Forum

Posted: Wed Dec 04, 2013 11:56 am

Joined: Mon Jul 29, 2013 12:10 pm
Posts: 15
Hi,

apparently the speaker of this talk [1] was able to recover cryptographic secrets from a YubiKey 2 by using side-channel analysis (SCA). Is this a known problem, and if so, what can owners of a YubiKey 2 do against it?

[1]: https://events.ccc.de/congress/2013/Fah ... /5417.html


kind rgds.


Posted: Wed Dec 04, 2013 4:08 pm
Yubico Team

Joined: Mon Jul 23, 2012 9:59 pm
Posts: 27
Yubico takes security seriously and welcomes analysis of our products, and we are happy to engage on a technical basis for the benefit of our customers. While the YubiKey Standard was not intended to resist physical attacks, we aspire to exceed expectations. After being informed about preliminary results, we worked with the research team to implement a mitigation. We have incorporated this in our currently manufactured product. We wish to stress that the YubiKey NEO and the YubiKey Standard used in OATH or challenge-response mode are not affected. We look forward to continuing to work with researchers and improving our products!

_________________
-David Maples
Yubico Senior Solutions Engineer
http://www.Yubico.com

Posted: Wed Dec 04, 2013 10:06 pm

Joined: Mon Jul 29, 2013 12:10 pm
Posts: 15
Hi,

thank you for your quick response. After looking on the net about this, I found the very same statement within the speaker's (David Oswald) graduate thesis. In there the author also says that with firmware version 2.4 the described attacks were not successful anymore.

As far as I understood, it is not possible to update the firmware of the YubiKey, and mine has firmware version 2.3.3.

Would you recommend putting such a device (< fw 2.4) out of service?

Posted: Wed Dec 04, 2013 11:06 pm
Yubico Team

Joined: Mon Jul 23, 2012 9:59 pm
Posts: 27
You are correct: the firmware of the YubiKey cannot be upgraded.

The attacks described require extensive physical access to the YubiKey over a significant period of time (~hours), using specialized equipment, to extract the secret stored within for the Yubico OTP. Many users mitigate this risk by keeping their YubiKey on their person or in a secure location, denying attackers the time needed. Further, reconfiguring a suspected compromised YubiKey will render the extracted information useless, provided that the YubiKey's old configuration is removed from any sites or services it is used with for validation, and replaced with the new configuration.

Because of the high likelihood that such attempts to extract the secrets from a YubiKey would be noticed, and the ease with which legitimate users can reconfigure their YubiKey, Yubico does not feel it is necessary to replace existing 2.3 and earlier YubiKeys with 2.4+ versions unless you feel there is a high chance a user could be targeted for such an attack.

_________________
-David Maples
Yubico Senior Solutions Engineer
http://www.Yubico.com
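The two practical points in the reply above (firmware older than 2.4 is the affected range, and re-programming a key only helps if the validating side forgets the old configuration) can be modelled on the defender's side. The following is an added example written for this thread; it is not Yubico's code and not part of any post. It assumes that `ykinfo -v` prints a line of the form `version: X.Y.Z`, that the OTP uses the default 12-character modhex public ID, and it stands in a hypothetical in-memory allow-list for a real validation service's user-to-key mapping. All OTP strings are constructed sample data.

```python
"""Defender-side model of the mitigations discussed in the thread.

1. Flag YubiKey Standard devices whose firmware predates 2.4 (the thread
   states the described side-channel attack stopped working from 2.4).
2. Show why a re-programmed key must also be re-enrolled: an OTP that
   carries the OLD public identity (which someone holding the extracted
   AES key could forge) must be rejected once the user has rotated.

Assumptions (not confirmed by the thread): `ykinfo -v` prints
'version: X.Y.Z'; the OTP public ID is the default 6 bytes = 12 modhex
characters. The allow-list class is a hypothetical stand-in.
"""

import re

# Version from which the thread says the attack was no longer successful.
FIXED_FROM = (2, 4, 0)

# Yubico OTP structure: 44 modhex characters, first 12 = public identity.
MODHEX = set("cbdefghijklnrtuv")
OTP_LEN = 44
PUBLIC_ID_LEN = 12


def parse_fw_version(ykinfo_output: str) -> tuple:
    """Extract (major, minor, patch) from assumed `ykinfo -v` output."""
    m = re.search(r"version:\s*(\d+)\.(\d+)\.(\d+)", ykinfo_output)
    if not m:
        raise ValueError("no firmware version line found")
    return tuple(int(g) for g in m.groups())


def needs_attention(ykinfo_output: str) -> bool:
    """True when the key's firmware is in the affected (< 2.4) range."""
    return parse_fw_version(ykinfo_output) < FIXED_FROM


def public_id(otp: str) -> str:
    """Return the public identity prefix of a well-formed Yubico OTP.

    Only the format is checked here; a real validator additionally
    decrypts the OTP with the key's AES secret and checks CRC and counters.
    """
    if len(otp) != OTP_LEN or any(ch not in MODHEX for ch in otp):
        raise ValueError("not a well-formed Yubico OTP")
    return otp[:PUBLIC_ID_LEN]


class AllowList:
    """Hypothetical user -> current public ID mapping of a validation site."""

    def __init__(self):
        self._by_user = {}

    def enroll(self, user: str, pub_id: str) -> None:
        self._by_user[user] = pub_id

    def rotate(self, user: str, new_pub_id: str) -> str:
        """Replace the user's key binding; returns the old public ID.

        This is the 'remove the old configuration' step from the thread:
        after rotation the old identity is no longer accepted anywhere.
        """
        old = self._by_user[user]
        self._by_user[user] = new_pub_id
        return old

    def accepts(self, user: str, otp: str) -> bool:
        """Identity-binding check: OTP must come from the user's current key."""
        try:
            return self._by_user.get(user) == public_id(otp)
        except ValueError:
            return False


def demo() -> dict:
    """Run both checks on constructed sample data and return the outcomes."""
    # Constructed sample OTPs (not real key output).
    old_id = "ccccccbcgvdr"
    new_id = "cccccccdflnv"
    old_otp = old_id + "tkitcdebhvtelniibhteuibjkdvecbih"

    site = AllowList()
    site.enroll("alice", old_id)
    before = site.accepts("alice", old_otp)       # current key: accepted
    site.rotate("alice", new_id)                  # user re-programmed key
    after = site.accepts("alice", old_otp)        # forged-from-old-secret: rejected

    return {
        "fw_2_3_3_affected": needs_attention("version: 2.3.3"),
        "fw_2_4_0_affected": needs_attention("version: 2.4.0"),
        "old_otp_before_rotation": before,
        "old_otp_after_rotation": after,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The firmware check is what an inventory script would run across a fleet of keys to find the ones in the range the thread discusses; the allow-list part is the reason the reply stresses removing the old configuration: re-programming the key alone changes nothing on the validating side, and an OTP minted from the extracted old secret would still match until the binding is rotated.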