| Yubico Forum https://forum.yubico.com/ |
|
| openpgp applet vulnerability : how to update ? https://forum.yubico.com/viewtopic.php?f=26&t=1846 |
Page 1 of 1 |
| Author: | testic [ Wed Apr 22, 2015 12:03 pm ] |
| Post subject: | openpgp applet vulnerability : how to update ? |
https://developers.yubico.com/ykneo-ope ... 04-14.html details the vulnerability in detail. I would like to fix my yubikey neo. Unfortunately, the applet keys are not known since I don't have a developer yubikey. How can I update ? And, most importantly, how will you manage updates in the future if a more serious vulnerability is discovered ? PS: how am I supposed to access the forum if I personalized my yubikey and removed the original keys ? I was lucky to have one untouched... |
|
| Author: | testic [ Wed Apr 22, 2015 12:13 pm ] |
| Post subject: | Re: openpgp applet vulnerability : how to update ? |
and by the way, the security implication analysis in the security advisory severely downplays the impact : Quote: In particular, any attacker with access to the local host must be assumed to be able to learn the user’s PIN code, simply by intercepting communication with the OpenPGP card hardware or through key logging. this is very misleading, as it implies the attacker would need a full compromise of the host to be able to exploid the vulnerability. A shared computer with unpriviledged users is _also_ a possible scenario. Quote: Alternatively, if the attacker has physical proximity to the card, it could wait for the device to be used normally over NFC and then learn the PIN code wirelessly and perform the attack at a later point. This is clearly bad faith ! Someone could easily "borrow" a (seldom used) vulnerable yubikey and use it (for example) to sign a message and return it... Quote: If an attacker has gone through the trouble of obtaining physical access to a key, the conservative approach is to regard it is possible that the attacker were able to learn the PIN earlier since the PIN is often unprotected. Same problem, it completely misses the "borrowing" attack. Quote: However its practical consequences are relatively small as a successful attack requires other privileged operations (such as local root access) that are normally not available to an attacker, and would have undermined the security anyway. I really think you're trying to downplay the vulnerability to avoid updates. Please explain us how we can fix it. |
|
| Author: | zviratko [ Fri Apr 24, 2015 8:35 am ] |
| Post subject: | Re: openpgp applet vulnerability : how to update ? |
WTH! This makes the applet completely worthless - anyone with physical access to the token can sign on my behalf, this completely defeats the purpose (which is NOT only to make the key unextractable, but to block the card if someone tries to break the PIN and make it worthless without it). I will demand either an upgrade path or a token replacement. |
|
| Author: | brendanhoar [ Fri Apr 24, 2015 1:16 pm ] |
| Post subject: | Re: openpgp applet vulnerability : how to update ? |
zviratko wrote: WTH! This makes the applet completely worthless - anyone with physical access to the token can sign on my behalf, this completely defeats the purpose (which is NOT only to make the key unextractable, but to block the card if someone tries to break the PIN and make it worthless without it). I will demand either an upgrade path or a token replacement. Sounds like token replacement is the way to go. If you provide the information needed, Yubico will do a swap: viewtopic.php?f=26&t=1852&view=unread#p7240 B |
|
| Author: | noko [ Fri Apr 24, 2015 2:58 pm ] |
| Post subject: | Re: openpgp applet vulnerability : how to update ? |
DELETED |
|
| Page 1 of 1 | All times are UTC + 1 hour |
| Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/ |
|