back to article Yubico YubiKey lets you be me: Security blunder sparks recall of govt-friendly auth tokens

Yubico is recalling one of its YubiKey lines after the authentication dongles were found to have a security weakness. The vendor said the firmware in the FIPS Series of YubiKey widgets, aimed mainly at US government use, were prone to a reduced-randomness condition that could make their cryptographic operations easier to crack …

  1. Fazal Majid

    FIPS stands for reduced security

    It's well known among the security community that FIPS standards are significantly behind best practice, whether that is deliberate is open to question (e.g. how the NIST and NSA made DUAL_EC_DRBG with weak P and Q a requirement for FIPS certification).

    1. Phil O'Sophical Silver badge

      Re: FIPS stands for reduced security

      how the NIST and NSA made DUAL_EC_DRBG with weak P and Q a requirement for FIPS certification

      It was one of 4 algorithms approved for FIPS 140 certification, and NIST removed it from SP 800-90A about 5 years ago when when its strength was questioned.

      In this case, though, the issue isn't with FIPS algorithms but with the implementation of the POST code. The test lab that did the certification should probably have picked up on that.

    2. Crypto Monad

      Re: FIPS stands for reduced security

      It's funny that you pay extra for a FIPS-certified device, and receive something which is less secure than the regular one.

      Similarly, there's a FIPS version of OpenSSL. Nobody uses it - except those required to by policy. What you get is effectively an old version of OpenSSL with a bunch of features stripped out.

      If there was even a chance that it was any more safe than normal OpenSSL, there would be plenty of people who would choose it for that reason. But they don't. That tells you all you need to know about the value of FIPS certification.

      1. Anonymous Coward
        Anonymous Coward

        Re: FIPS stands for reduced security

        It's funny that you pay extra for a FIPS-certified device, and receive something which is less secure than the regular one.

        It's not quite that simple. Yes, it's true that fixing a bug (say, heartbleed) in crypto code can invalidate FIPS certification but leave you with more secure code. Even so, since the original code went through the FIPS algorithm testing and code inspection it's still likely to be better than if it had never been certified in the first place.

        Similarly, there's a FIPS version of OpenSSL. Nobody uses it - except those required to by policy. What you get is effectively an old version of OpenSSL with a bunch of features stripped out.

        FIPS certification of open source code is tricky, since the end result depends so much on the compiler and build environment. There is also the question of who will pay for the certification, which is why it tends to lag the current release. What you get with the current FIPS-certified OpenSSL (it's likely to change for the next release) is the standard OpenSSL code, and a plugin module with FIPS-certified crypto. That plugin has had the algorithms which are known to be insecure removed, and must be compiled exactly as specified. It's still essentially the same OpenSSL code as everyone else uses, though.

  2. DerekCurrie
    Facepalm

    And just last month I was suggesting Yubico over Google keys

    Yep! We're still in the Dark Age of Computing. At least both companies took the right actions.

    1. Real Ale is Best

      Re: And just last month I was suggesting Yubico over Google keys

      I received my replacement Feitian (Google) key last week.

      Better than that, they are send dual packs to replace single keys, so I have a backup. :-)

  3. Anonymous Coward
    Anonymous Coward

    Still, not a bad overall track record

    Yubico has been around for 12 years now. Their devices by design do not allow customer-level firmware updates, meaning that if a security vulnerability is found they pretty much HAVE TO issue replacements. Even so, I am only aware of _two_ replacement programmes: after the discovery of the ROCA vulnerability, and the current one.

    Of the three hardware security devices I use on a regular basis (a YubiKey, a similar token from a different vendor released at around the same time, and a "normal" SmartCard in credit-card form factor), overall I still consider the YubiKey the best value for money.

  4. GruntyMcPugh

    "particularly when the USB-based token is first powered up"

    My mate discovered a similar bug in the Dragon 32 OS back in the early 80s,.... he'd written a program to generate RuneQuest characters, and it rolled the die for you cand came up with the stats,... except it generated the same supposedly 'RND' stats every time from a fresh boot. He had to use time instead, so you pressed a key twice, that gave a time difference, added that the RND value and did a Modulus / 6 to get the dice value. Or summat like that, it's been a while.

    Right, I'm off to Wikipedia to wallow in some Dragon 32 nostalgia.

  5. sitta_europea Bronze badge

    "Those who bought their hardware from a reseller, or received it from their IT department,"

    or from Ars Technica?

    " should get in touch with those people about having their drives swapped out. ®"

  6. Mike 137 Silver badge

    Normal software standards

    So they re-used the initialisation buffer for crypto generation (silly mistake 1) without bothering to set it to a random null state (silly mistake 2)?

    What the heck - that's about par for the course these days. At least it wasn't an entirely hard coded key.

    1. A random security guy Bronze badge

      Re: Normal software standards

      At least they could have set it to all zeros or something first. Maybe it was taking too long to fill up the buffer. I guess they could not have initialized the buffer to a random state because the RNG was not yet initialized and producing the proper random numbers.

  7. Anonymous Coward
    Anonymous Coward

    Re: Apple Struggles

    Any appliance that relies on high quality RNG should have multiple independent RNG sources and mix them before use.

  8. TrumpSlurp the Troll
    Paris Hilton

    USB Key?

    Am I missing something or does this require a USB port?

    Someone came round a year or so back and glued up all our USB ports because of security or something.

  9. Adrian 4 Silver badge

    Fit for purpose

    Governments prefer security with built-in-weaknesses, so these should be just the thing for government use.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021