[python-committers] Security: please enable 2-factor authentication on GitHub and your email
Victor Stinner
victor.stinner at gmail.com
Tue Dec 12 05:14:54 EST 2017
2017-12-11 13:57 GMT+01:00 Stefan Krah <stefan at bytereef.org>:
> I'm not a fan of hardware key generation. :-)
>
> https://en.wikipedia.org/wiki/YubiKey
>
> "In October 2017, security researchers found a vulnerability (known as ROCA) in the implementation of RSA keypair generation in a cryptographic library used by a large number of Infineon security chips. The vulnerability allows an attacker to reconstruct the private key by using the public key.[18][19] All YubiKey 4, YubiKey 4C, and YubiKey 4 nano within the revisions 4.2.6 to 4.3.4 are affected by this vulnerability.[20] Yubico publicized a tool to check if a Yubikey is affected and replaces affected tokens for free.[21]"
FYI it seems like only RSA private key generated by old Yubikey keys
are vulnerable to the ROCA attack. OTP authentication is not affected.
See https://www.yubico.com/keycheck/ for more information.
"ROCA: Return Of the Coppersmith Attack": https://lwn.net/Articles/738896/
As I wrote, I chose to use ed25519 for my new SSH key. Maybe it was a
good idea :-)
Victor
More information about the python-committers
mailing list