[TriLUG] Got a Yubikey or a Chromebook? Heads up about ROCA...

Mauricio Tavares via TriLUG trilug at trilug.org
Tue Oct 17 09:55:56 EDT 2017


On Tue, Oct 17, 2017 at 8:50 AM, Aaron Joyner via TriLUG
<trilug at trilug.org> wrote:
> TL;DR: If you have a Chromebook, a Yubikey 4, or other device which uses an
> Infineon TPM for hardware encryption, the RSA private keys generated by
> that device may be rather easily compromised.
>
> Fixes are rolling out where possible.  For some use cases you may have to
> regenerate keypairs and redistribute public keys.  Some devices like the
> Yubico 4 can't update this aspect of the software in the TPM by design, and
> will have to be replaced.
>
> Here are a few links, ranging from news-y to technical:
> https://www.forbes.com/sites/thomasbrewster/2017/10/16/worse-than-krack-google-and-microsoft-patch-massive-5-year-old-encryption-hole/#501ffe9747c3
>
> https://www.bleepingcomputer.com/news/security/tpm-chipsets-generate-insecure-rsa-keys-multiple-vendors-affected/
>
> https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa-background
>
> https://www.yubico.com/support/security-advisories/ysa-2017-01/
>
> October is an "uncomfortably exciting" month, security-wise...
> Aaron S. Joyner

      This just makes me think of Professor Farnsworth, "Good news, everybody!"

