Hi,

Recently a vulnerability in a firmware library used by multiple hardware vendors has been discovered. This vulnerability makes RSA keys generated on those hardware chips much easier to factorize. One of the devices affected is the YubiKey 4 family dongle (YubiKey 4, 4 Nano and 4C).

Advisory of Yubico (the vendor of YubiKey 4):
https://www.yubico.com/2017/10/infineon-rsa-key-generation-issue/
https://www.yubico.com/keycheck/

YubiKey NEO is _not_ affected. (That was the last open dongle sold by Yubico.) Newer devices are also not affected because the flaw has been fixed. Firmware versions 4.3.5 and higher are not affected according to the advisory. (Shipped after June 2017.) These devices do _not_ support firmware updates, but Yubico apparently has a replacement program in place. (See their website.)

I do own a YubiKey 4 myself, and luckily I am not affected, as I have generated all of my keys on a computer with GnuPG and have only transferred them to the device. (I rightfully didn't fully trust the device for the purpose of key generation.) But other people might have generated their private keys on the device itself. People who have done so should revoke the affected keys and generate new private keys on a computer before transferring them to the device. If only subkeys are stored on the dongle this is a relatively minor inconvenience. If master keys have been generated on the device itself the entire web of trust needs to be rebuilt, unfortunately.

The vulnerability in the underlying library has been discussed here:
https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/

RSA2048 keys generated on such devices should be considered broken _today_. RSA3072 and RSA4096 keys generated on those devices are still impractical to break at the moment, but this may change very soon.

Important: this vulnerability implies that any message encrypted to a PGP key generated on a vulnerable device can be decrypted with a moderate amount of resources! Affected users should no longer assume that their PGP-encrypted correspondence is private.

Unfortunately, as far as I understand it, there's no easy method for detecting these kinds of broken keys without actually attempting to factorize them - and while that's feasible (hence the vulnerability) it is still quite expensive - so there is currently no easy method of scanning through the Debian keyring for affected keys.

Regards,
Christian
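The published analysis of this flaw (the researchers named it ROCA) shows that the affected generator builds its primes as k*M + (65537^a mod M) for a product M of small primes, and that structure leaves a statistical fingerprint in the public modulus that can be checked without factoring. As an added example, not part of this message: a toy Python version of that fingerprint with a short prime list and constructed 128-bit primes; FINGERPRINT_PRIMES, looks_affected and make_modulus are names chosen here, and the sample keys are constructed for the demonstration.

```python
import random
from math import prod

# Toy fingerprint primes (the published test uses more). In affected keys each
# prime is p = k*M + (65537^a mod M), so N mod r lies in <65537> mod r for r | M.
FINGERPRINT_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53]
E = 65537
M = 2 * prod(FINGERPRINT_PRIMES)  # constructed toy M, far smaller than the real one

def is_probable_prime(n, rng, rounds=25):
    """Miller-Rabin test for odd n > 3; adequate for this constructed example."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True
def subgroup(r):
    """Residues 65537^i mod r: the only values an affected N can take mod r."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * E % r
    return seen
SUBGROUPS = {r: subgroup(r) for r in FINGERPRINT_PRIMES}
def looks_affected(n):
    """True when N mod r is in the subgroup for every r (chance pass rate ~1/1000 here)."""
    return all(n % r in SUBGROUPS[r] for r in FINGERPRINT_PRIMES)
def make_modulus(bits, seed, affected):
    """Constructed N = p*q; affected=True gives both primes the vulnerable shape."""
    rng, kbits = random.Random(seed), bits - M.bit_length()
    def prime():
        while True:
            if affected:
                p = rng.randrange(1 << (kbits - 1), 1 << kbits) * M + pow(E, rng.randrange(M), M)
            else:
                p = rng.getrandbits(bits) | 1 << (bits - 1) | 1
            if is_probable_prime(p, rng):
                return p
    return prime() * prime()
```

With the full prime list the published test's chance pass rate is negligible, so a pass is a strong signal that a key came from an affected generator and should be revoked.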

