Yubikey NEO OpenPGP advisory

[Peter Lebbing]

On 23/04/15 00:22, Jose Castillo wrote:
> in the case of NFC, which is a big use case for the Yubikey

I hadn't considered NFC at all, it's good you brought it up. In fact, if
sniffing reveals the PIN and my threat model includes physically nearby
attackers, I wouldn't use it at all, whether it had PIN or not.

But I suppose it could work if you only use the NFC functionality when
you're in a safe environment such as your own home. It seems a
comfortable way of using your crypto hardware. As long as you only worry
about attackers that are elsewhere.

A similar scenario from real life:

Right now, they're rolling out a payment system here in The Netherlands
where you only need to tap your bank card to the payment terminal to do
small payments. That's all that is needed.

Or, since everything is relative, where an employee of the shop you're
in only needs to tap the payment terminal to your wallet as they
accidentally bumps into you.

So I'm still looking for a sturdy yet practical metallic sleeve to put
around the bank card as soon as they replace my non-NFC card with an NFC
card :). The one I've seen looked to finnicky to remove your bank card
from, which you do every time you need to pay in a shop...

> Personally, I think that it’s unsafe to have a PGP key on an old 
> Yubikey that exhibits this vulnerability, which is why I submitted
> it to the list.

I agree. However, I seem to have been under the wrong impression that it
was a matter of a software upgrade, and that we were merely assessing
the risk that something had gone wrong before you did the upgrade.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>