Yubico recalls YubiKey FIPS products due to weakness in key generation


Yubico has recalled some of its hardware YubiKey products in the FIPS series. Each time a YubiKey FIPS device is powered on, its random number generator produces reduced randomness, which weakens the security of the first cryptographic operations performed after boot.

The weakness in the randomness makes it possible to predict 80 of the minimum 2048 bits of a newly generated RSA key. Yubico does not expect this to let attackers directly obtain private keys or decrypt encrypted material. For ECDSA signatures, however, the predictability of 80 of the 256 bits is enough for an attacker with access to the signatures to obtain the private key. ECC encryption involves 16 bits that can be predicted.

The issue affects the YubiKey FIPS, Nano FIPS, C FIPS and C Nano FIPS products with firmware versions 4.4.2 or 4.4.4; Yubico stresses that no 4.4.3 firmware exists. The reduced security can have an impact when the device is used for smart card, FIDO U2F, OATH one-time password and OpenPGP functions. The reduced randomness is present only immediately after the device is started: once the predictable content of the buffer has been consumed, the random number generator supplies the required randomness.
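A fleet inventory check for the affected firmware versions, added here as an example and not Yubico's own tooling. It flags FIPS devices on 4.4.2 or 4.4.4 for replacement and treats a reported 4.4.3, which Yubico says never shipped, as a data error to investigate. The inventory records are constructed; the "Device type: ...", "Serial number: ...", "Firmware version: ..." line layout is an assumption modelled on the text output of `ykman info`, and because the exact device-type strings are also assumed, the check keys on the word "FIPS" rather than on a full model name.

```python
"""Fleet check for the YubiKey FIPS weak-randomness-at-boot issue.

Added example, not Yubico's code. Flags FIPS devices running the firmware
versions named in the advisory (4.4.2 and 4.4.4) and reports a claimed
4.4.3, which Yubico states was never released, as an impossible version.

Assumptions: the inventory records below are constructed; their key/value
line layout is modelled on `ykman info` text output; device-type strings
are assumed, so FIPS models are recognised by the word "FIPS".
"""
import re
from dataclasses import dataclass

AFFECTED_FIRMWARE = {(4, 4, 2), (4, 4, 4)}   # versions named in the advisory
NEVER_SHIPPED = {(4, 4, 3)}                  # Yubico: there is no 4.4.3

# Constructed inventory records (serial numbers are made up).
SAMPLE_INVENTORY = [
    "Device type: YubiKey FIPS\nSerial number: 1000001\nFirmware version: 4.4.2\n",
    "Device type: YubiKey 5 NFC\nSerial number: 1000002\nFirmware version: 5.2.7\n",
    "Device type: YubiKey C Nano FIPS\nSerial number: 1000003\nFirmware version: 4.4.3\n",
]


@dataclass
class Verdict:
    device_type: str
    serial: str
    firmware: tuple
    status: str  # "affected", "not-affected", "impossible-version", "not-fips"


def parse_version(text: str) -> tuple:
    """'4.4.2' -> (4, 4, 2); rejects anything that is not three integers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def parse_info(record: str) -> dict:
    """Turn 'Key: value' lines into a dict; blank or malformed lines are skipped."""
    fields = {}
    for line in record.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def assess(record: str) -> Verdict:
    """Classify one device record against the advisory."""
    fields = parse_info(record)
    device_type = fields.get("Device type", "unknown")
    serial = fields.get("Serial number", "unknown")
    firmware = parse_version(fields["Firmware version"])
    if "FIPS" not in device_type.upper():
        status = "not-fips"                 # non-FIPS keys are outside this advisory
    elif firmware in AFFECTED_FIRMWARE:
        status = "affected"                 # pull for replacement
    elif firmware in NEVER_SHIPPED:
        status = "impossible-version"       # bad inventory data or tampered device
    else:
        status = "not-affected"
    return Verdict(device_type, serial, firmware, status)


def affected_serials(records) -> list:
    """Serial numbers of devices that should be replaced."""
    return [v.serial for v in map(assess, records) if v.status == "affected"]


def needs_attention(records) -> list:
    """Serials that are affected or report a version that cannot exist."""
    return [v.serial for v in map(assess, records)
            if v.status in ("affected", "impossible-version")]


if __name__ == "__main__":
    for v in map(assess, SAMPLE_INVENTORY):
        version = ".".join(map(str, v.firmware))
        print(f"{v.serial:>8}  {version:<7} {v.device_type:<22} {v.status}")
```

Run over real `ykman info` output, the script only needs the three fields above; any other version string the tool prints (for example a two-component version) is rejected loudly by `parse_version` rather than silently classified, which is the safer failure mode for a recall check.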

Yubico has fixed the problem with new firmware, but the products have to go through the certification procedure again. The company now has that certification and estimates that most YubiKey FIPS devices in use have already been replaced. FIPS stands for Federal Information Processing Standards, a set of standards issued by the US government; security products that meet them qualify as suitable for government use.
