[TriLUG] Got a Yubikey or a Chromebook? Heads up about ROCA...
Aaron Joyner via TriLUG
trilug at trilug.org
Tue Oct 17 08:50:22 EDT 2017
TL;DR: If you have a Chromebook, a Yubikey 4, or other device which uses an
Infineon TPM for hardware encryption, the RSA private keys generated by
that device may be rather easily compromised.
Fixes are rolling out where possible. For some use cases you may have to
regenerate keypairs and redistribute public keys. Some devices like the
Yubico 4 can't update this aspect of the software in the TPM by design, and
will have to be replaced.
Here are a few links, ranging from news-y to technical:
https://www.forbes.com/sites/thomasbrewster/2017/10/16/worse-than-krack-google-and-microsoft-patch-massive-5-year-old-encryption-hole/#501ffe9747c3
https://www.bleepingcomputer.com/news/security/tpm-chipsets-generate-insecure-rsa-keys-multiple-vendors-affected/
https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa-background
https://www.yubico.com/support/security-advisories/ysa-2017-01/
October is an "uncomfortably exciting" month, security-wise...
Aaron S. Joyner
More information about the TriLUG
mailing list