YubiKey FIPS Series Vulnerable to Private Key Reconstruction

Yubico is providing replacement keys for its FIPS product series because of a "reduced randomness" weakness. During power-up the keys run some routine operations that could allow partial reconstruction of a private key. Even so, these keys remain a tough nut to crack.

Four of Yubico's products, which make up the FIPS Series, could be vulnerable to private-key reconstruction scenarios, according to a security advisory published by Yubico. Although the production process is not an easy one, the FIPS Series products are intended for government agencies and regulated industries; it is Yubico's highest-level product line, meant for deployment in the most sensitive environments. The affected devices are the YubiKey FIPS, YubiKey Nano FIPS, YubiKey C FIPS and YubiKey C Nano FIPS running firmware versions 4.4.2 or 4.4.4. Yubico clarifies that the flaw does not affect any of its other products:

"Yubico has found and resolved a problem with our YubiKey FIPS Series keys. For technical details and information on how to get a free replacement key, see the following advisory. There are no other impacted YubiKey, Security Key or Yubico products."

The YubiKey FIPS devices conduct some initial operations at power-up that are characterised by reduced randomness. That data fills the key's memory buffers only briefly, but long enough for a sniffer to capture it, allowing a clear context to be established and eventually leading to reconstruction of the private key. While the complete key-generation algorithm is not available, a sophisticated attacker could obtain enough signatures to make it possible to break the mechanism. According to Yubico, for RSA key generation the predictability is limited to 80 of the minimum 2048 bits. For ECDSA signatures, the nonce K is biased, with 80 of the 256 bits being static.
The situation is the same for ECC key generation, with 80 out of the 256 bits affected. The strength of ECC encryption is reduced from 256 bits to 240 bits, which Yubico still considers adequately safe. secp384r1 private keys go from 384 unknown bits down to 368, so their strength is also reduced, but not to a troubling degree. All that said, this specific weakness of the YubiKey is not necessarily an open door for attackers, but Yubico is acting responsibly here and delivering to its customers what they actually paid for. High-risk individuals are, after all, the people who use these keys, and whole teams of hackers are doing everything they can to break into their networks. It would be counter-intuitive, to say the least, to give away a few bits to help them with that.

If you own one or more of the affected devices, you can simply visit Yubico's replacement portal and request a new key. There is also, of course, a software upgrade (version 4.4.5) that customers can choose to apply instead, which received FIPS certification more than a month ago. If you are not happy with that approach, simply ask for a new key with the latest firmware version. If you are unsure whether you are using an affected edition, contact Yubico's customer service directly or just email your reseller and ask.
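Teams with a fleet of keys will want to check each one against the models and firmware versions listed above. The Python script below is an added example, not Yubico's own tooling: it triages text in the shape of `ykman info` output, and the field labels (`Device type:`, `Firmware version:`), the sample outputs and the use of `ykman` are assumptions made for illustration.

```python
"""Triage YubiKey inventory against the FIPS Series reduced-randomness advisory.
Added example, not Yubico's tooling; parses text shaped like `ykman info` output.
The field labels and the sample outputs below are assumptions."""
import re
import subprocess
from typing import Optional, Tuple

# Models and firmware versions named in the advisory summarised above.
AFFECTED_MODELS = {"yubikey fips", "yubikey nano fips", "yubikey c fips", "yubikey c nano fips"}
AFFECTED_FIRMWARE = {(4, 4, 2), (4, 4, 4)}
FIXED_FIRMWARE = (4, 4, 5)

def parse_field(text: str, label: str) -> Optional[str]:
    """Return the value after 'label:' on its own line, or None if absent."""
    m = re.search(rf"^\s*{re.escape(label)}:\s*(.+?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    raw = parse_field(text, "Firmware version")
    if raw is None:
        return None
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", raw)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None

def triage(info_text: str) -> str:
    """Classify one device: 'affected', 'fixed', 'unaffected' or 'unknown'."""
    model = parse_field(info_text, "Device type")
    version = parse_version(info_text)
    if model is None or version is None:
        return "unknown"          # cannot decide; ask Yubico support or the reseller
    if model.lower() not in AFFECTED_MODELS:
        return "unaffected"       # the advisory names only the four FIPS models
    if version in AFFECTED_FIRMWARE:
        return "affected"         # request a replacement, or move to 4.4.5
    if version >= FIXED_FIRMWARE:
        return "fixed"
    return "unknown"              # FIPS model on a firmware the advisory does not list

def triage_connected_key() -> str:
    """Run `ykman info` on the connected key (assumes ykman is installed)."""
    out = subprocess.run(["ykman", "info"], capture_output=True, text=True, check=True).stdout
    return triage(out)

# Constructed sample outputs for offline use; serial numbers are placeholders.
SAMPLE_AFFECTED = "Device type: YubiKey C Nano FIPS\nSerial number: 0000000\nFirmware version: 4.4.2\n"
SAMPLE_FIXED = "Device type: YubiKey FIPS\nSerial number: 0000000\nFirmware version: 4.4.5\n"
SAMPLE_OTHER = "Device type: YubiKey 5 NFC\nSerial number: 0000000\nFirmware version: 5.2.4\n"

if __name__ == "__main__":
    for sample in (SAMPLE_AFFECTED, SAMPLE_FIXED, SAMPLE_OTHER):
        print(parse_field(sample, "Device type"), "->", triage(sample))
```

A result of "unknown" is deliberately conservative: a FIPS model on a firmware the advisory does not name, or output the parser cannot read, should be confirmed with Yubico rather than assumed safe.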