Infineon RSA Key Generation Issue


Infineon Technologies, one of Yubico’s secure element vendors, informed Yubico of a security issue in their firmware cryptographic libraries. The security issue was found on June 6, 2017 and affected TPMs in millions of computers, and multiple smart card and security token vendors.

This page provides information to help you determine whether you are affected, and how to address this issue. For Yubico this issue weakens the strength of on-chip RSA key generation, and affects some use cases for the Personal Identity Verification (PIV) smart card and OpenPGP functionality of the YubiKey 4 platform. Yubico has issued a security advisory on this issue.

The FIDO U2F, OTP, and OATH functions of the YubiKey 4 platform are not affected. YubiKey NEO and FIDO U2F Security Key are not impacted.

Yubico has addressed this issue in all shipments of YubiKey 4, YubiKey 4 Nano, and YubiKey 4C since June 6, 2017, and provided affected customers with mitigation recommendations. As of March 31, 2019 we are no longer able to provide replacements for the affected keys. We’d like to sincerely thank all of those who were involved as we worked through this issue. Below is further background information and explanation on the Infineon RSA key generation issue. Please use the following information as a resource.


The Infineon RSA key generation issue was discovered by an independent team of researchers from the University of Masaryk in the Czech Republic. The researchers found a method to identify mathematical weaknesses of particular algorithms for prime number generation. The method allows an attacker who has only the public portion of an RSA key pair generated on the secure element to compute the private key significantly faster than the current state-of-the-art attack.

Infineon confirms that the RSA key generation implemented in one of their cryptographic libraries is affected. The root cause of the issue lies within the cryptographic software library, not in the secure element itself - the symmetric and asymmetric hardware co-processors are not affected.

Yubico firmware update

Once we were notified of this issue by Infineon we quickly addressed it. To ensure the YubiKey 4 offers strong security for all functions, we switched to a different, broadly scrutinized and deployed key generation function. The new implementation has been vetted by the security researchers who discovered the original issue as well as by professional security auditors.

Is my YubiKey and usage affected?

Please use this visual guide to determine which type of YubiKey you have and whether it may be affected. Help me identify my YubiKey.

| Yubico Product | Functionality Affected | Notes |
|---|---|---|
| YubiKey NEO / NEO n | Not Affected | No Action Required |
| FIDO U2F Security Key | Not Affected | No Action Required |
| YubiKey 4 / 4C / 4 nano / 4C nano, version 4.3.5 or higher | Not Affected | No Action Required |
| YubiKey 4 / 4C / 4 nano, versions 4.2.6-4.3.4 | Not Affected - Use of FIDO U2F, and OTP. | No Action Required |
| | Not Affected - Use of onboard ECC key generation or imported (externally generated) RSA keys with PIV smart card or OpenPGP. | No Action Required |
| | Possibly Affected - Use of onboard RSA key generation with PIV smart card and OpenPGP card onboard RSA key generation. | Please read the following information |

Functionality Assessment

This issue affects only the PIV smart card, OpenPGP card and onboard RSA key generation functionality on certain YubiKey 4 keys. Users of the PIV smart card and OpenPGP functionality of the YubiKey 4 who are unsure whether they are affected should use the following information for more details.
Affected functionality »
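
The helper below is an added example, not Yubico's or Infineon's code. It combines the firmware range and key-origin criteria from this page with the public-modulus fingerprint described in the researchers' published work. The prime structure, the small-prime list and all function names are assumptions not found on this page, and the sample moduli are constructed.

```python
import math
import re

# Assumption (from public research, not this page): affected keys use primes of
# the form k*M + (65537**a mod M), M a product of small primes, so N mod p
# always lies in the subgroup generated by 65537 modulo each small prime p.
GENERATOR = 65537
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61,
                67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131,
                137, 139, 149, 151, 157, 163, 167]

def _subgroup(p):  # residues reachable as GENERATOR**i mod p
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * GENERATOR % p
    return frozenset(seen)

ALLOWED = {p: _subgroup(p) for p in SMALL_PRIMES}

def has_fingerprint(modulus):
    """True if every small-prime residue of the modulus fits the pattern."""
    return all(modulus % p in ALLOWED[p] for p in SMALL_PRIMES)

def parse_openssl_modulus(line):
    """Parse the 'Modulus=<hex>' line from `openssl rsa -pubin -modulus -noout`."""
    m = re.fullmatch(r"Modulus=([0-9A-Fa-f]+)", line.strip())
    if not m:
        raise ValueError("expected a 'Modulus=<hex>' line")
    return int(m.group(1), 16)

def firmware_in_affected_range(version):
    """Firmware range this page lists as possibly affected: 4.2.6 to 4.3.4."""
    return (4, 2, 6) <= tuple(int(p) for p in version.split(".")) <= (4, 3, 4)

def triage(version, onboard_rsa, modulus_line):
    """Combine the page's criteria with the fingerprint test."""
    if not onboard_rsa:
        return "not affected: ECC or imported key"
    if has_fingerprint(parse_openssl_modulus(modulus_line)):
        return "regenerate: modulus carries the fingerprint"
    if firmware_in_affected_range(version):
        return "review: affected firmware but no fingerprint, check the key source"
    return "not affected"

# Constructed inputs (not real keys): one follows the pattern, one does not.
M = math.prod(SMALL_PRIMES)
PATTERNED = (12345 * M + pow(GENERATOR, 1001, M)) * (67891 * M + pow(GENERATOR, 2002, M))
UNPATTERNED = 7 * M + 2  # residue 2 mod 11 is outside the subgroup {1, 10}
```

The fingerprint test needs only the public key, so it can be run over certificates and exported OpenPGP public keys without touching the token.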

Mitigation Recommendations

For users of PIV smart card who have previously generated private RSA keys on the YubiKey 4 (version 4.2.6 - 4.3.4), we recommend EITHER regenerating private keys using ECC algorithms, or if RSA keys are required, regenerating keys off the YubiKey 4 and loading onto the YubiKey 4.

For users of OpenPGP who have previously generated private RSA keys on the YubiKey 4 (version 4.2.6 - 4.3.4) we recommend regenerating private keys off the YubiKey 4 and loading the new keys onto the YubiKey 4.

For more detailed information please refer to the Yubico Mitigation Recommendations.

Learn More

Please see our detailed FAQ.


Yubico customers can request assistance from Yubico Support by filing a support ticket.

Yubico partners should contact Yubico Sales directly if they have questions.

Any media or press enquiries should be directed to press@yubico.com.