7/8/2023 0 Comments Yubikey security keyLFSR is just a scrambler it has no serious cryptographic significance. “The standard YubiKey has a built-in random number generator that involves a Linear Feedback Shift Register (LFSR) that is fed from analog output of the touch sensor as well as asynchronous data from USB traffic.” But as notes, it doesn’t speak well of FIPS. I don’t think that’s the end of the world (if that’s what it amounts to). ![]() So: just 176 bits of ‘entropy’ on an ECDSA key. Tags: cryptography, encryption, firmware, keys, random numbers, security engineering, security tokens A total of 80 of the 256 bits generated by the key remain static, meaning an attacker who gains access to several signatures could recreate the private key.ĮDITED TO ADD (6/12): From Microsoft TechNet Security Guidance blog (in 2014): “ Why We’re Not Recommending ‘FIPS Mode’ Anymore.“ Security keys with ECDSA signatures are in particular danger. According to Yubico, a bug keeps “some predictable content” inside the device’s data buffer that could impact the randomness of the keys generated. ![]() The problem in question occurs after the security key powers up. The security keys are used by thousands of federal employees on a daily basis, letting them securely log-on to their devices by issuing one-time passwords. The company issued a security advisory today that warned of an issue in YubiKey FIPS Series devices with firmware versions 4.4.2 and 4.4.4 that reduced the randomness of the cryptographic keys it generates. ![]() Yubico is recalling a line of security keys used by the U.S.
0 Comments
Leave a Reply. |