Yubico to replace vulnerable YubiKey FIPS security keys

Yubico staff discovers bug in YubiKey FIPS Series keys; offers replacements for affected customers.


Yubico said today it plans to replace certain hardware security keys because of a firmware flaw that reduces the randomness of cryptographic keys generated by its devices.

Affected products include models that are part of the YubiKey FIPS Series, a line of YubiKey authentication keys certified for use on US government networks (and others) according to the US government's Federal Information Processing Standards (FIPS).

Boot-up bug temporarily reduces crypto key randomness

According to a Yubico security advisory published today, YubiKey FIPS Series devices that run firmware versions 4.4.2 and 4.4.4 contain a bug that keeps "some predictable content" inside the device's data buffer after the power-up operation.

This "predictable content" will influence the randomness of cryptographic keys generated on the device for a short period after the boot-up, until the "predictable content" is all used up, and true random data is present in the buffer.

This means that, for a short period after booting up, YubiKey FIPS Series devices running the affected 4.4.2 and 4.4.4 firmware versions will generate keys that can be recovered either partially or in full, depending on the cryptographic algorithm the key is working with for a particular authentication operation.

For example:

- an RSA key may be impacted by up to 80 predictable bits out of a minimum of 2048 bits
- for ECDSA signatures, the nonce K becomes significantly biased with up to 80 of the 256 bits being static, resulting in weakened signatures
- for ECC key generation, the key may be impacted by up to 80 predictable bits out of the minimum 256-bit key length
- for ECC encryption, 16 bits of the private key become known
- for secp256r1 private keys, the key may be impacted by 16 predictable bits, reducing the number of unknown bits in the key from 256 to 240 bits
- for secp384r1 private keys, the number of unknown bits in the key is reduced from 384 to 368 bits

Yubico offers replacements

Yubico is now advising owners of YubiKey FIPS Series to check their key's firmware version and sign up for a replacement on its portal -- if they haven't received one already.

Yubico said customers would receive new YubiKey FIPS Series keys with a corrected firmware version of 4.4.5.

YubiKey FIPS Series firmware version 4.4.3 is not listed as affected because Yubico never released it, skipping from 4.4.2 to 4.4.4.

In the technical advisory published today, the company also listed some scenarios in which authentication procedures involving YubiKey FIPS Series are likely to be impacted.

For example, FIDO U2F-based authentication procedures are confirmed as impacted, while the use of YubiKey FIPS Series keys together with smart cards, OATH one-time passwords, and OpenPGP may decrease the security of authentication procedures in some scenarios.
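The firmware check and impact categories described above can be applied across a fleet inventory. This is an added example, not code from Yubico or from the original article; the CSV columns, serial numbers and app labels are constructed assumptions, and only the version numbers and impact categories come from the article.

```python
import csv
import io

# Version facts taken from the article; nothing else is assumed about Yubico firmware.
AFFECTED = {(4, 4, 2), (4, 4, 4)}
FIXED = (4, 4, 5)
NEVER_RELEASED = (4, 4, 3)
# Article: FIDO U2F is confirmed impacted; the other uses may be weakened in some scenarios.
IMPACT = {"u2f": "confirmed", "smartcard": "possible", "oath": "possible", "openpgp": "possible"}

# Constructed sample inventory (hypothetical columns and serials, not a Yubico export format).
SAMPLE_INVENTORY = """serial,model,firmware,apps
1000001,YubiKey FIPS,4.4.2,u2f;smartcard
1000002,YubiKey FIPS,4.4.5,u2f
1000003,YubiKey FIPS,4.4.4,oath;openpgp
1000004,YubiKey 5 NFC,5.1.2,u2f
1000005,YubiKey FIPS,4.4.3,u2f
1000006,YubiKey FIPS,unknown,smartcard
"""

def parse_version(text):
    """Return (major, minor, patch) or None if the string is not x.y.z."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(inventory_csv):
    """Map serial -> (status, {app: impact}) for every row in the inventory."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row["firmware"])
        apps = [a for a in row["apps"].split(";") if a]
        if "fips" not in row["model"].lower():
            status, review = "not-fips-series", {}
        elif version is None or version == NEVER_RELEASED:
            # Unreadable or never-released version: check the device by hand.
            status, review = "verify-manually", {}
        elif version in AFFECTED:
            status = "replace"
            review = {a: IMPACT.get(a, "unknown") for a in apps}
        else:
            status, review = ("fixed" if version >= FIXED else "not-listed"), {}
        results[row["serial"]] = (status, review)
    return results

if __name__ == "__main__":
    for serial, (status, review) in triage(SAMPLE_INVENTORY).items():
        print(serial, status, review)
```

Keys marked `replace` carry a per-application map showing which uses the article lists as confirmed or possibly impacted.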

Not a big deal, but not something to ignore either

All in all, the danger of an attacker exploiting this vulnerability is low, because of the complex requirements for intercepting the authentication operations and then breaking the rest of the cryptographic key.

Nevertheless, it's better that users don't take any chances, especially if these keys are used in highly sensitive networks.

Yubico is the second company in the past month that is offering a replacement after the discovery of a bug in its security keys. In May, Google issued a recall for some Titan security keys because of a vulnerability discovered in the key's Bluetooth pairing protocol.
