Hacker News: EUCLEAK Side-Channel Attack on the YubiKey 5 Series

Source URL: https://ninjalab.io/eucleak/
Source: Hacker News
Title: EUCLEAK Side-Channel Attack on the YubiKey 5 Series


AI Summary and Description: Yes

Summary: The text discusses a significant security vulnerability in the ECDSA implementation of Infineon Technologies’ cryptographic library, which is used in FIDO hardware tokens and notably affects the YubiKey 5 Series. The vulnerability, termed the EUCLEAK attack, puts at risk any secure system that relies on these microcontrollers, and the disclosure stresses the need for immediate public awareness and updates.

Detailed Description:
– Secure elements are specialized microcontrollers designed to perform cryptographic operations and store sensitive information in tamper-resistant form; they undergo rigorous third-party security evaluation (Common Criteria).
– FIDO hardware tokens, like the YubiKey 5 Series, use these secure elements for authentication, implementing signature algorithms such as the Elliptic Curve Digital Signature Algorithm (ECDSA).
– A recent investigation revealed a side-channel vulnerability in the Infineon ECDSA implementation that had evaded detection for 14 years despite numerous Common Criteria assessments.
– The vulnerability stems from a non-constant-time modular inversion, which allows an attacker with physical access to the secure element to extract the ECDSA secret key from electromagnetic side-channel acquisitions.
– This attack is notably applicable to:
  – All YubiKey 5 Series devices with firmware versions below 5.7.
  – Infineon TPMs and other microcontrollers running the Infineon cryptographic library.
– Implications of the vulnerability extend to various systems using these secure microcontrollers, including electronic passports and cryptocurrency wallets.
– Users are advised that, although the vulnerability exists, using a FIDO hardware token remains safer than using no hardware token at all, because the attack requires physical access to the device and specialized equipment and expertise.
– Additional notes include:
  – The Feitian A22 JavaCard tested is no longer available for purchase, and newer products on the market are not impacted.
  – A planned update for YubiKey (firmware version 5.7) will transition to a new cryptographic library, which is expected not to have this vulnerability.
  – Infineon has developed a patch for the affected library, pending the outcome of Common Criteria certification evaluation.
  – A CVE ID for this vulnerability is still awaiting assignment, underscoring the need for proactive risk management strategies.
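As an added illustration of the bullet on non-constant-time modular inversion (example code written for this page, not NinjaLab’s analysis and not Infineon’s library): an ECDSA signature divides by the per-signature nonce modulo the curve order, so the inversion operates on a secret value. The block below contrasts an extended-Euclidean inversion, whose number of division steps varies with the operand, against a Fermat-exponentiation inversion, whose sequence of squarings and multiplications is fixed by the public exponent. The modulus is the public P-256 group order; the sample nonces are constructed values, and the step counters stand in for the timing or electromagnetic profile a real measurement would observe.

```python
# Added illustration (not from the EUCLEAK write-up or the page): why an
# input-dependent modular inversion is a side-channel hazard, and what a
# fixed-schedule inversion looks like.
#
# ECDSA computes s = k^-1 * (z + r*d) mod n, so the inversion runs on the
# secret per-signature nonce k. Any operation whose running time or power/EM
# profile depends on k leaks information about k.

# Group order n of the NIST P-256 curve (public constant, prime).
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def inv_euclid(k: int, n: int = P256_ORDER) -> tuple[int, int]:
    """Extended Euclidean inversion.

    Returns (k^-1 mod n, number of division steps). The step count, and
    therefore the execution time, depends on the value of k: this is the
    class of defect (non-constant-time inversion) the summary describes.
    """
    old_r, r = k % n, n
    old_s, s = 1, 0
    steps = 0
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        steps += 1
    if old_r != 1:
        raise ValueError("k is not invertible modulo n")
    return old_s % n, steps


def inv_fermat(k: int, n: int = P256_ORDER) -> tuple[int, int]:
    """Fermat inversion: k^(n-2) mod n for prime n.

    Square-and-multiply over the *public* exponent n-2, so the sequence of
    squarings and multiplications is identical for every k. Returns
    (k^-1 mod n, number of modular multiplications). Python big-int
    arithmetic is not itself constant time; the point here is that the
    operation schedule no longer depends on the secret operand.
    """
    if k % n == 0:
        raise ValueError("k is not invertible modulo n")
    e = n - 2
    acc = 1
    base = k % n
    ops = 0
    for i in range(e.bit_length() - 1, -1, -1):
        acc = (acc * acc) % n          # square: executed for every bit
        ops += 1
        if (e >> i) & 1:              # branch on a public exponent bit only
            acc = (acc * base) % n
            ops += 1
    return acc, ops


def schedule_depends_on_input(inv, ks, n: int = P256_ORDER) -> bool:
    """True if the operation count of `inv` differs across the inputs `ks`.

    A functional stand-in for the review question a defender asks of any
    routine that touches a secret: does the amount of work vary with it?
    """
    counts = {inv(k, n)[1] for k in ks}
    return len(counts) > 1


# Constructed sample nonces (not real signature data).
SAMPLE_KS = [
    1, 2, 3, 0xDEADBEEF, P256_ORDER - 1,
    0x3FA7C2E1_0B9D4F60_8E2A1C77_55D0B3E9_AA41F6C8_1D0E9B2F_7C63A5D4_0F1E2D3C,
]

if __name__ == "__main__":
    for k in SAMPLE_KS:
        e_inv, e_steps = inv_euclid(k)
        f_inv, f_ops = inv_fermat(k)
        assert e_inv == f_inv and (e_inv * k) % P256_ORDER == 1
        print(f"k={k:#x}: euclid steps={e_steps:3d}  fermat ops={f_ops}")
    print("euclid schedule depends on k:", schedule_depends_on_input(inv_euclid, SAMPLE_KS))
    print("fermat schedule depends on k:", schedule_depends_on_input(inv_fermat, SAMPLE_KS))
```

Both routines return the same inverse, but only the Euclidean one does an amount of work that varies with the nonce; the Fermat variant always performs 256 squarings plus one multiplication per set bit of the fixed exponent. Production libraries go further (constant-time field arithmetic, blinding of the operand), but a fixed operation schedule is the first property a reviewer checks when a secret is inverted.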

This discovery has significant implications for security and compliance professionals overseeing systems relying on hardware tokens for authentication, necessitating thorough evaluations of product versions and the adoption of updates to mitigate potential risks.