Yubico YubiKey lets you be me: Security blunder sparks recall of govt-friendly auth tokens

Yubico is recalling one of its YubiKey lines after the authentication dongles were found to have a security weakness. The vendor said the firmware in the FIPS Series of YubiKey widgets, aimed mainly at US government use, was prone to a reduced-randomness condition that could make their cryptographic operations easier to crack …

  1. Fazal Majid

    FIPS stands for reduced security

    It's well known among the security community that FIPS standards are significantly behind best practice, whether that is deliberate is open to question (e.g. how the NIST and NSA made DUAL_EC_DRBG with weak P and Q a requirement for FIPS certification).

    1. Phil O'Sophical Silver badge

      Re: FIPS stands for reduced security

      how the NIST and NSA made DUAL_EC_DRBG with weak P and Q a requirement for FIPS certification

      It was one of 4 algorithms approved for FIPS 140 certification, and NIST removed it from SP 800-90A about 5 years ago when its strength was questioned.

      In this case, though, the issue isn't with FIPS algorithms but with the implementation of the POST code. The test lab that did the certification should probably have picked up on that.

    2. Crypto Monad Silver badge

      Re: FIPS stands for reduced security

      It's funny that you pay extra for a FIPS-certified device, and receive something which is less secure than the regular one.

      Similarly, there's a FIPS version of OpenSSL. Nobody uses it - except those required to by policy. What you get is effectively an old version of OpenSSL with a bunch of features stripped out.

      If there was even a chance that it was any more safe than normal OpenSSL, there would be plenty of people who would choose it for that reason. But they don't. That tells you all you need to know about the value of FIPS certification.

      1. Anonymous Coward

        Re: FIPS stands for reduced security

        It's funny that you pay extra for a FIPS-certified device, and receive something which is less secure than the regular one.

        It's not quite that simple. Yes, it's true that fixing a bug (say, heartbleed) in crypto code can invalidate FIPS certification but leave you with more secure code. Even so, since the original code went through the FIPS algorithm testing and code inspection it's still likely to be better than if it had never been certified in the first place.

        Similarly, there's a FIPS version of OpenSSL. Nobody uses it - except those required to by policy. What you get is effectively an old version of OpenSSL with a bunch of features stripped out.

        FIPS certification of open source code is tricky, since the end result depends so much on the compiler and build environment. There is also the question of who will pay for the certification, which is why it tends to lag the current release. What you get with the current FIPS-certified OpenSSL (it's likely to change for the next release) is the standard OpenSSL code, and a plugin module with FIPS-certified crypto. That plugin has had the algorithms which are known to be insecure removed, and must be compiled exactly as specified. It's still essentially the same OpenSSL code as everyone else uses, though.

  2. DerekCurrie
    Facepalm

    And just last month I was suggesting Yubico over Google keys

    Yep! We're still in the Dark Age of Computing. At least both companies took the right actions.

    1. Real Ale is Best

      Re: And just last month I was suggesting Yubico over Google keys

      I received my replacement Feitian (Google) key last week.

      Better than that, they are sending dual packs to replace single keys, so I have a backup. :-)

  3. Anonymous Coward

    Still, not a bad overall track record

    Yubico has been around for 12 years now. Their devices by design do not allow customer-level firmware updates, meaning that if a security vulnerability is found they pretty much HAVE TO issue replacements. Even so, I am only aware of _two_ replacement programmes: after the discovery of the ROCA vulnerability, and the current one.

    Of the three hardware security devices I use on a regular basis (a YubiKey, a similar token from a different vendor released at around the same time, and a "normal" SmartCard in credit-card form factor), overall I still consider the YubiKey the best value for money.

  4. GruntyMcPugh Silver badge

    "particularly when the USB-based token is first powered up"

    My mate discovered a similar bug in the Dragon 32 OS back in the early 80s,.... he'd written a program to generate RuneQuest characters, and it rolled the die for you and came up with the stats,... except it generated the same supposedly 'RND' stats every time from a fresh boot. He had to use time instead, so you pressed a key twice, that gave a time difference, added that to the RND value and did a Modulus / 6 to get the dice value. Or summat like that, it's been a while.

    Right, I'm off to Wikipedia to wallow in some Dragon 32 nostalgia.

  5. sitta_europea Silver badge

    "Those who bought their hardware from a reseller, or received it from their IT department,"

    or from Ars Technica?

    " should get in touch with those people about having their drives swapped out. ®"

  6. Mike 137 Silver badge

    Normal software standards

    So they re-used the initialisation buffer for crypto generation (silly mistake 1) without bothering to set it to a random null state (silly mistake 2)?

    What the heck - that's about par for the course these days. At least it wasn't an entirely hard coded key.

    1. A random security guy

      Re: Normal software standards

      At least they could have set it to all zeros or something first. Maybe it was taking too long to fill up the buffer. I guess they could not have initialized the buffer to a random state because the RNG was not yet initialized and producing the proper random numbers.

  7. Anonymous Coward

    Re: Apple Struggles

    Any appliance that relies on high quality RNG should have multiple independent RNG sources and mix them before use.
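
    The failure mode Mike 137 and "A random security guy" describe above (a seed buffer that is never refreshed after power-up, the same thing that bit the Dragon 32's RND), and the mitigation in the previous comment (mix several independent sources), as an added illustration in Python. This is constructed teaching code, not Yubico's firmware and not anything from the article: the ToyDRBG construction, the POST_SCRATCH constant and the live_source/stuck_source names are all assumptions made for the example.

```python
"""Constructed illustration of a power-on seeding bug and a mitigation.
Nothing here is Yubico firmware; the names and the DRBG construction
are assumptions made for the example."""
import hashlib
import os


class ToyDRBG:
    """Minimal hash-based generator: block i = SHA-256(seed || i).
    A teaching toy, not an SP 800-90A DRBG."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0

    def random_bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            out += hashlib.sha256(self.seed + self.counter.to_bytes(8, "big")).digest()
            self.counter += 1
        return out[:n]


# Stand-in for a self-test scratch buffer that is left holding the same
# bytes on every power-up (a constructed constant, not real firmware data).
POST_SCRATCH = bytes(range(32))


def buggy_boot() -> ToyDRBG:
    """Seed straight from the stale scratch buffer: every boot is identical."""
    return ToyDRBG(POST_SCRATCH)


def mix_sources(*sources: bytes) -> bytes:
    """Hash-based extractor. Each input is length-prefixed so two sources
    cannot be re-split into the same byte string."""
    h = hashlib.sha256()
    for s in sources:
        h.update(len(s).to_bytes(4, "big"))
        h.update(s)
    return h.digest()


def live_source(n: int) -> bytes:
    """A working entropy source (the OS CSPRNG stands in for a hardware TRNG)."""
    return os.urandom(n)


def stuck_source(n: int) -> bytes:
    """A broken source that always returns zeros, e.g. a ring oscillator
    read before it has started up."""
    return bytes(n)


def fixed_boot(entropy_sources) -> ToyDRBG:
    """Seed from a hash over the scratch buffer plus a fresh sample from
    every independent source; one unpredictable source is enough."""
    samples = [src(32) for src in entropy_sources]
    return ToyDRBG(mix_sources(POST_SCRATCH, *samples))


def first_key_after_boot(rng: ToyDRBG) -> bytes:
    """The first 32 bytes drawn after power-up, i.e. the first key material."""
    return rng.random_bytes(32)


def first_keys_distinct(boot, n_boots: int = 3) -> bool:
    """Power the token up n_boots times and report whether the first key
    material differs every time."""
    keys = {first_key_after_boot(boot()) for _ in range(n_boots)}
    return len(keys) == n_boots


if __name__ == "__main__":
    print("buggy boot, keys distinct:", first_keys_distinct(buggy_boot))
    print("mixed, one source stuck:  ",
          first_keys_distinct(lambda: fixed_boot([live_source, stuck_source])))
    print("mixed, all sources stuck: ",
          first_keys_distinct(lambda: fixed_boot([stuck_source])))
```

    Run as a script it reports that the buggy boot hands out the same first key every time, that hashing in one live source alongside a stuck one restores distinct keys, and that mixing buys nothing when every source is stuck. The hash extractor is what makes the mixing safe: a plain XOR of sources would let an attacker who controls one input cancel another, whereas with a hash an attacker would have to predict every input to predict the seed.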

  8. TrumpSlurp the Troll
    Paris Hilton

    USB Key?

    Am I missing something or does this require a USB port?

    Someone came round a year or so back and glued up all our USB ports because of security or something.

  9. Adrian 4

    Fit for purpose

    Governments prefer security with built-in-weaknesses, so these should be just the thing for government use.
