Yubico
Infineon RSA Key Generation Issue

Customer Portal

Infineon Technologies, one of Yubico’s secure element vendors, informed us of a security issue in their firmware cryptographic libraries. The issue affects TPMs in millions of computers, and multiple smart card and security token vendors.

This page provides information to help you determine whether you are affected, and how to address this issue. For Yubico this issue weakens the strength of on-chip RSA key generation, and affects some use cases for the Personal Identify Verification (PIV) smart card and OpenPGP functionality of the YubiKey 4 platform. Yubico has issued a security advisory on this issue.

The use of the FIDO U2F, OTP, and OATH functions of the YubiKey 4 platform are not affected. YubiKey NEO and FIDO U2F Security Key are not impacted.

Yubico has addressed this issue in all shipments of YubiKey 4, YubiKey 4 Nano, and YubiKey 4C, since June 6, 2017 and we are providing affected customers with mitigation recommendations and a YubiKey replacement program.

Background

The Infineon RSA key generation issue was discovered by an independent team of researchers from the University of Masaryk in the Czech Republic. The researchers found a method to identify mathematical weaknesses of particular algorithms for prime number generation. The method allows an attacker who only has the public portion of an RSA key pair generated on the secure element to compute the private key significantly faster than the current state of the art attack.

Infineon confirms that the RSA key generation implemented in one of their cryptographic libraries is affected. The root cause of the issue lies within the cryptographic software library, not in the secure element itself - the symmetric and asymmetric hardware co-processors are not affected.

Yubico firmware update

Once we were notified of this issue by Infineon we quickly addressed it. To ensure the YubiKey 4 offers strong security for all functions, we switched to a different, broadly scrutinized and deployed key generation function. The new implementation has been vetted by the security researchers who discovered the original issue as well as by professional security auditors.

Is my YubiKey and usage affected?

Please use this visual guide to determine which type of YubiKey you have and whether it may be affected. Help me identify my YubiKey.

Yubico ProductFunctionality AffectedNotes
YubiKey NeoYubiKey NEO / NEO nNot AffectedNo Action Required
Security Key by YubicoFIDO U2F Security KeyNot AffectedNo Action Required
YubiKey 4
YubiKey 4C
YubiKey 4 Nano
YubiKey 4C Nano
Yubikey 4 / 4C / 4 nano / 4C nano
Version 4.3.5 or higher
Help me find my YubiKey version
Not AffectedNo Action Required
YubiKey 4
YubiKey 4C
YubiKey 4 Nano
Yubikey 4 / 4C / 4 nano
Versions 4.2.6-4.3.4
Help me find my YubiKey version
Not Affected - Use of FIDO U2F, and OTP.No Action Required
Not Affected - Use of onboard ECC key generation or imported (externally generated) RSA keys with PIV smart card or OpenPGP.No Action Required
Possibly Affected - Use of onboard RSA key generation with PIV smart card and OpenPGP card onboard RSA key generation.Please read the following information

Functionality Assessment

This issue affects only the PIV smart card, OpenPGP card and onboard RSA key generation functionality on certain YubiKey 4 keys. For users of PIV smart card and OpenPGP functionality of the YubiKey 4, who are unsure if they are affected please use the following information for more details.
Affected functionality »

Mitigation Recommendations

For users of PIV smart card who have previously generated private RSA keys on the YubiKey 4 (version 4.2.6 - 4.3.4), we recommend EITHER regenerating private keys using ECC algorithms, or if RSA keys are required, regenerating keys off the YubiKey 4 and loading onto the YubiKey 4.

For users of OpenPGP who have previously generated private RSA keys on the YubiKey 4 (version 4.2.6 - 4.3.4) we recommend regenerating private keys off the YubiKey 4 and loading the new keys onto the YubiKey 4.

For more detailed information please refer to the Yubico Mitigation Recommendations.
Yubico Mitigation Recommendations »

Replacement Program

In addition to the Yubico mitigation recommendations, Yubico offers optional YubiKey 4 replacement for those who are affected. Information on the YubiKey replacement program is available on the online portal provided by Yubico. At this time we are not aware of any security breaches due to this issue.
YubiKey Replacement »

Learn More

Please see our detailed FAQ.


Resources

Customers
Yubico customers can request assistance from Yubico Support by filing a support ticket.

Partners
Yubico partners should contact Yubico Sales directly if they have questions.

Media/Press
Any media or press enquiries should be directed to press@yubico.com.