According to the spec, if either of these conditions are not satisfied, the security operation should not proceed. The goal of each is to establish that the PW1 has been validated, AND the proper mode has been set (mode 81 for signing, mode 82 for everything else). The bug appears to be a typo in the first line of the computeDigitalSignature, decipher and internalAuthenticate methods. The source code contains a logical flaw related to user PIN (aka PW1) verification that allows an attacker with local host privileges and/or physical proximity (NFC) to perform security operations without knowledge of the user's PIN code.Ī typo in the source code of the on-card OpenPGP software is the culprit for this vulnerability, according to Joey Castillo, who discovered both the flaw and the solution. The on-card OpenPGP software of the YubiKey NEO is implemented by the free and open-source software (FOSS) project "ykneo-openpgp", forked from an earlier implementation called “javacardopenpgp”. The YubiKey NEO is a flexible security product from Yubico that implements the Yubico One-Time Password technology, FIDO Universal 2nd Factor, OATH codes, PIV card, and OpenPGP card functionality. When it comes to password alternatives, the USB dongle YubiKey Neo is a popular option for providing two-factor authentication it has been certified as providing the " highest level of security." The device has been lauded by third parties "for its tight security and ease of use."Įarlier this month, a security advisory was issued for the YubiKey Neo.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |