[python-committers] Security: please enable 2-factor authentication on GitHub and your email
victor.stinner at gmail.com
Tue Dec 12 05:14:54 EST 2017
2017-12-11 13:57 GMT+01:00 Stefan Krah <stefan at bytereef.org>:
> I'm not a fan of hardware key generation. :-)
> "In October 2017, security researchers found a vulnerability (known as ROCA) in the implementation of RSA keypair generation in a cryptographic library used by a large number of Infineon security chips. The vulnerability allows an attacker to reconstruct the private key by using the public key. All YubiKey 4, YubiKey 4C, and YubiKey 4 nano within the revisions 4.2.6 to 4.3.4 are affected by this vulnerability. Yubico publicized a tool to check if a Yubikey is affected and replaces affected tokens for free."
FYI it seems like only RSA private keys generated by old YubiKeys
are vulnerable to the ROCA attack. OTP authentication is not affected.
See https://www.yubico.com/keycheck/ for more information.
"ROCA: Return Of the Coppersmith Attack": https://lwn.net/Articles/738896/
As I wrote, I chose to use ed25519 for my new SSH key. Maybe it was a
good idea :-)
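As an added illustration (not part of the original message or of Yubico's keycheck tool): the ROCA weakness is detectable from the public modulus alone, because the affected library builds both primes from powers of 65537 modulo a primorial, so N mod p always lands in the subgroup generated by 65537 for every small prime p. The script below scans OpenSSH public-key lines, skips non-RSA keys (an ed25519 key, as chosen above, is simply out of scope for ROCA) and applies that fingerprint test to each RSA modulus. The key lines, the "safe" modulus (a product of two Mersenne primes) and the "structured" integer (a power of 65537, not a real key) are all constructed here for the demonstration.

```python
"""Audit OpenSSH public keys for the ROCA modulus fingerprint (constructed example)."""
import base64
import struct

# Small primes used by the published ROCA fingerprint test (Nemec et al., 2017).
ROCA_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61,
               67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131,
               137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537  # the affected library derives its primes from powers of this


def _residue_masks():
    """For each small prime p, a bitmask of the residues 65537^k mod p."""
    masks = []
    for p in ROCA_PRIMES:
        mask, x = 0, 1
        for _ in range(p - 1):          # the order of 65537 mod p divides p-1
            mask |= 1 << x
            x = (x * GENERATOR) % p
        masks.append(mask)
    return masks


ROCA_MASKS = _residue_masks()


def has_roca_fingerprint(n):
    """True if n mod p lies in the subgroup <65537> for every small prime p.

    A random modulus fails this with overwhelming probability; a modulus built
    the way the affected Infineon library builds them always passes."""
    return all(ROCA_MASKS[i] & (1 << (n % p)) for i, p in enumerate(ROCA_PRIMES))


# --- minimal OpenSSH wire-format helpers (RFC 4251 string / mpint) ---------
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(n):
    # Positive mpint: big-endian, with a leading 0x00 if the high bit is set.
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(buf, pos):
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + length], pos + 4 + length


def make_rsa_line(e, n, comment):
    """Build a 'ssh-rsa <base64> <comment>' line (used here to construct samples)."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def make_ed25519_line(pub32, comment):
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(pub32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


def parse_ssh_public_key(line):
    """Return (key_type, rsa_modulus or None) for one 'type base64 comment' line."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    wire_type, pos = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type field does not match the encoded blob")
    if key_type != "ssh-rsa":
        return key_type, None
    _e, pos = _read_string(blob, pos)     # mpint e (not needed for the test)
    n_bytes, _ = _read_string(blob, pos)  # mpint n
    return key_type, int.from_bytes(n_bytes, "big")


def audit_authorized_keys(text):
    """Return [(comment, key_type, verdict)] for every key line in the text."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        comment = fields[2] if len(fields) > 2 else ""
        key_type, n = parse_ssh_public_key(line)
        if key_type != "ssh-rsa":
            verdict = "ok (not RSA, ROCA does not apply)"
        elif has_roca_fingerprint(n):
            verdict = "ROCA fingerprint: regenerate this key"
        else:
            verdict = "ok (no ROCA fingerprint)"
        results.append((comment, key_type, verdict))
    return results


# Constructed sample moduli: neither is a real key.
SAFE_N = (2 ** 127 - 1) * (2 ** 61 - 1)   # ordinary product of two primes
STRUCTURED_N = GENERATOR ** 137           # deliberately has the ROCA residue shape

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample file",
    make_rsa_line(65537, SAFE_N, "alice@laptop"),
    make_rsa_line(65537, STRUCTURED_N, "bob@build"),
    make_ed25519_line(bytes(32), "ci@deploy"),
])

if __name__ == "__main__":
    for comment, key_type, verdict in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"{comment:14} {key_type:12} {verdict}")
```

The test only tells you whether a modulus has the characteristic structure; it does not recover anything, which is why it can be run safely on public keys collected from authorized_keys files or a Git hosting account.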