Yubico Forum


All times are UTC + 1 hour




Posted: Wed Apr 22, 2015 12:03 pm

Joined: Wed Apr 22, 2015 11:57 am
Posts: 2
https://developers.yubico.com/ykneo-ope ... 04-14.html

details the vulnerability in detail.

I would like to fix my yubikey neo. Unfortunately, the applet keys are not known since I don't have a developer yubikey.

How can I update? And, most importantly, how will you manage updates in the future if a more serious vulnerability is discovered?

PS: how am I supposed to access the forum if I personalized my yubikey and removed the original keys? I was lucky to have one untouched...



Posted: Wed Apr 22, 2015 12:13 pm

Joined: Wed Apr 22, 2015 11:57 am
Posts: 2
And by the way, the security implication analysis in the security advisory severely downplays the impact:
Quote:
In particular, any attacker with access to the local host must be assumed to be able to learn the user’s PIN code, simply by intercepting communication with the OpenPGP card hardware or through key logging.

This is very misleading, as it implies the attacker would need a full compromise of the host to be able to exploit the vulnerability. A shared computer with unprivileged users is _also_ a possible scenario.

Quote:
Alternatively, if the attacker has physical proximity to the card, it could wait for the device to be used normally over NFC and then learn the PIN code wirelessly and perform the attack at a later point.

This is clearly bad faith! Someone could easily "borrow" a (seldom used) vulnerable yubikey and use it (for example) to sign a message and return it...

Quote:
If an attacker has gone through the trouble of obtaining physical access to a key, the conservative approach is to regard it is possible that the attacker were able to learn the PIN earlier since the PIN is often unprotected.

Same problem, it completely misses the "borrowing" attack.

Quote:
However its practical consequences are relatively small as a successful attack requires other privileged operations (such as local root access) that are normally not available to an attacker, and would have undermined the security anyway.


I really think you're trying to downplay the vulnerability to avoid updates. Please explain to us how we can fix it.


Posted: Fri Apr 24, 2015 8:35 am

Joined: Wed Jan 14, 2015 11:34 am
Posts: 24
WTH!

This makes the applet completely worthless - anyone with physical access to the token can sign on my behalf, this completely defeats the purpose (which is NOT only to make the key unextractable, but to block the card if someone tries to break the PIN and make it worthless without it).

I will demand either an upgrade path or a token replacement.


Posted: Fri Apr 24, 2015 1:16 pm

Joined: Thu Oct 16, 2014 11:51 pm
Posts: 82
zviratko wrote:
WTH!

This makes the applet completely worthless - anyone with physical access to the token can sign on my behalf, this completely defeats the purpose (which is NOT only to make the key unextractable, but to block the card if someone tries to break the PIN and make it worthless without it).

I will demand either an upgrade path or a token replacement.


Sounds like token replacement is the way to go. If you provide the information needed, Yubico will do a swap:

viewtopic.php?f=26&t=1852&view=unread#p7240

B


Posted: Fri Apr 24, 2015 2:58 pm

Joined: Fri Apr 24, 2015 2:46 pm
Posts: 1
DELETED

