gercontacts.blogg.se

Titan nfc

The impacted Yubico Yubikey Neo is an old product that is no longer available for sale. Google Titan Security Key (all versions). With the help of Camille Mutschler (NinjaLab) and Dr.

Victor Lomné (NinjaLab) and Thomas Roche (NinjaLab). Users that face such a threat should probably switch to other FIDO U2F hardware security keys, where no vulnerability has yet been discovered. Nevertheless, this work shows that the Google Titan Security Key (and other impacted products) would not prevent an unnoticed security breach by attackers willing to put enough effort into it. Thus, as far as our study goes, it is still safer to use your Google Titan Security Key or other impacted products as a FIDO U2F two-factor authentication token to sign in to applications rather than not using one. Our attack requires physical access to the Google Titan Security Key, expensive equipment, custom software, and technical skills. The primary goal of two-factor authentication tokens (like FIDO U2F hardware devices) is to fight phishing attacks.

It was then applied on the Google Titan Security Key with success (this time by using 6000 observations) as we were able to extract the long-term ECDSA private key linked to a FIDO U2F account created for the experiment. The sensitive information is recovered with a non-supervised machine learning method and plugged into a customized lattice-based attack scheme. Finally, 4000 ECDSA observations were enough to recover the (known) secret key on Rhea and validate our attack process. We could then show that the electromagnetic side-channel signal bears partial information about the ECDSA ephemeral key. Rhea, as an open JavaCard platform, gives us more control to study the ECDSA engine. Freely available on the web, this product looks very much like the NXP A700X chip and uses the same cryptographic library.

To understand the NXP ECDSA implementation, find a vulnerability and design a key-recovery attack, we had to make a quick stop on Rhea (NXP J3D081 JavaCard smartcard). In other words, an attacker can create a clone of a legitimate Google Titan Security Key. Our work describes a side-channel attack that targets the Google Titan Security Key’s secure element (the NXP A700X chip) by the observation of its local electromagnetic radiations during ECDSA signatures (the core cryptographic operation of the FIDO U2F protocol). The Google Titan Security Key is a FIDO U2F hardware device proposed by Google (available since July 2018) as a two-factor authentication token to sign in to applications (e.g.












