On Sat, Apr 21, 2018 at 05:42:06AM +0200, Stéphane Glondu wrote: > On 17/04/2018 13:44, Thomas Goirand wrote: > > In fact, I was mistaking. The reason why we are renewing subkeys, is > > because some were generated using the Yubikey, which happens to have a > > security hole. For others, we are simply extending the expiration date, > > which is what most people do. > > What security hole?
Qouting https://en.wikipedia.org/wiki/YubiKey#Security-concerns_YubiKey_4_(closed-source_code) Yubico has replaced all open-source components in YubiKey 4 with closed-source code, which can no longer be independently reviewed for security flaws. Yubico states that internal and external review of their code is done. Yubikey NEOs are still using open-source code. On May 16, 2016, Yubico CTO Jakob Ehrensvärd responded to the open-source community's concerns with a blog post affirming the company's strong open source support and addressing the reasons and benefits of updates to the YubiKey 4. In October 2017, security researchers found a vulnerability (known as ROCA) in the implementation of RSA keypair generation in a cryptographic library used by a large number of Infineon security chips. The vulnerability allows an attacker to reconstruct the private key by using the public key. All YubiKey 4, YubiKey 4C, and YubiKey 4 nano within the revisions 4.2.6 to 4.3.4 are affected by this vulnerability. Yubico publicized a tool to check if a Yubikey is affected and replaced affected tokens for free. Qouting https://en.wikipedia.org/wiki/ROCA_vulnerability The ROCA vulnerability is a cryptographic weakness that allows the private key of a key pair to be recovered from the public key in keys generated by devices with the vulnerability. "ROCA" is an acronym for "Return of the Coppersmith Attack". The vulnerability has been given the identifier CVE-2017-15361. Groeten Geert Stappers -- Leven en laten leven
