Thanks for sharing. I guess this once again shows that writing security-sensitive software is not about just hacking some lines of code, it's about putting together a good (or better, semi-formal) functional requirements specification and a test framework that validates the correct implementation of the defined mechanisms. With a proper test set-up - which is relatively easy to do for a smart card application - this should not have happened.
And contrary to the Yubico position that this is a minor issue, I would call the circumvention of the PIN mechanism a major issue. If you lose the device, then you lose the key.

Andreas

On 04/21/2015 07:48 PM, Jose Castillo wrote:
> I haven’t seen this posted to the list yet, and thought it would be important
> for people who use the Yubikey NEO's OpenPGP functionality with GnuPG. It
> regards a vulnerability in the Yubikey NEO implementation of the OpenPGP
> smart card application:
>
> https://developers.yubico.com/ykneo-openpgp/SecurityAdvisory%202015-04-14.html
>
> Yubikeys running the vulnerable software will generate signatures and decrypt
> session keys unconditionally, i.e. without verifying the user’s PIN. I
> reported this vulnerability to Yubico on 4/11, and to their credit it was
> quickly fixed. Still, if you are using a Yubikey that you obtained prior to
> the fix being issued, you should be aware that this vulnerability could
> affect your security.
>
> This issue also affected the upstream javacardopenpgp project [1], which has
> been updated with a fix as well.
>
> [1]: http://sourceforge.net/projects/javacardopenpgp/

--
CardContact Software & System Consulting
Andreas Schwier
Schülerweg 38
32429 Minden, Germany
Phone +49 571 56149
http://www.cardcontact.de
http://www.tscons.de
http://www.openscdp.org
http://www.smartcard-hsm.com
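The kind of test set-up Andreas describes, as an added example that is not part of this thread and not Yubico's or the javacardopenpgp project's code: a Python conformance check that drives any APDU transport and verifies that the OpenPGP card application refuses PSO: COMPUTE DIGITAL SIGNATURE until PW1 has been verified, exercised here against a constructed in-memory card model. The AID and command APDUs follow the OpenPGP card specification; the default user PIN 123456 and the all-zero digest are assumptions.

```python
"""Conformance check: an OpenPGP card must refuse PSO:COMPUTE DIGITAL SIGNATURE
until PW1 has been verified.  Written to drive any APDU transport callable."""
from typing import Callable, Tuple

Transmit = Callable[[bytes], Tuple[bytes, int]]   # APDU -> (data, SW1SW2)

# Command APDUs per the OpenPGP card specification (constructed here).
SELECT_OPENPGP = bytes.fromhex("00A4040006D27600012401")
PW1 = b"123456"                                     # assumed default user PIN
VERIFY_PW1_SIGN = bytes.fromhex("00200081") + bytes([len(PW1)]) + PW1
DIGEST = bytes(32)                                  # constructed dummy SHA-256 digest
PSO_CDS = bytes.fromhex("002A9E9A") + bytes([len(DIGEST)]) + DIGEST + b"\x00"

def pin_enforced(transmit: Transmit) -> bool:
    """True only if signing is refused (SW 6982) before VERIFY and works after."""
    if transmit(SELECT_OPENPGP)[1] != 0x9000:
        raise RuntimeError("OpenPGP application not selectable")
    if transmit(PSO_CDS)[1] != 0x6982:           # any other answer: PIN not enforced
        return False
    if transmit(VERIFY_PW1_SIGN)[1] != 0x9000:
        raise RuntimeError("PW1 verification failed; check the assumed PIN")
    return transmit(PSO_CDS)[1] == 0x9000

class SimCard:
    """In-memory card model for exercising the check offline.
    enforce=False reproduces the reported behaviour: signing without any PIN."""
    def __init__(self, enforce: bool = True) -> None:
        self.enforce, self.pw1_ok = enforce, False
    def transmit(self, apdu: bytes) -> Tuple[bytes, int]:
        ins, p1, p2, lc = apdu[1], apdu[2], apdu[3], apdu[4]
        if ins == 0xA4:                              # SELECT
            return b"", 0x9000
        if ins == 0x20 and p2 == 0x81:               # VERIFY PW1 (signature mode)
            self.pw1_ok = apdu[5:5 + lc] == PW1
            return b"", 0x9000 if self.pw1_ok else 0x63C2
        if ins == 0x2A and (p1, p2) == (0x9E, 0x9A): # PSO: COMPUTE DIGITAL SIGNATURE
            if self.enforce and not self.pw1_ok:
                return b"", 0x6982                   # security status not satisfied
            return bytes(256), 0x9000                # constructed dummy signature
        return b"", 0x6D00                           # INS not supported

if __name__ == "__main__":
    for enforce in (True, False):
        result = pin_enforced(SimCard(enforce).transmit)
        print(f"card enforces PIN={enforce}: check passed -> {result}")
```

Against a real token, pass a small wrapper around the reader library's transmit call (for example pyscard's `connection.transmit`, converting its list-of-int interface to bytes) and keep the check in the regression suite so that every firmware build is exercised in exactly this sequence.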