YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel | Ars Technica
https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/
Oh no.
> “The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target and specialized equipment to perform the necessary attack. Depending on the use case, the attacker may also require additional knowledge including username, PIN, account password, or authentication key.”
So if you lose it, it's game over.
> The Infineon cryptolibrary failed to implement a common side-channel defense known as constant time as it performs modular inversion operations involving the Elliptic Curve Digital Signature Algorithm. Constant time ensures the time sensitive cryptographic operations execute is uniform rather than variable depending on the specific keys.
So it wasn't implemented in constant time.
> By using an oscilloscope to measure the electromagnetic radiation while the token is authenticating itself, the researchers can detect tiny execution time differences that reveal a token’s ephemeral ECDSA key, also known as a nonce. Further analysis allows the researchers to extract the secret ECDSA key that underpins the entire security of the token.
And so observing the computation time makes the analysis possible.
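To make the "constant time" point in the quote concrete, here is an added example (not code from the article, Infineon or Yubico) that inverts the same values modulo the P-256 group order in two ways and counts operations as a stand-in for execution time. The sample nonces are constructed, the function names are made up for this note, and Python's big-integer arithmetic is not itself constant time, so only the operation counts are meaningful.

```python
import hashlib

# Added illustration, not Infineon's or Yubico's code.
# N is the public group order of NIST P-256 (prime).
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

def inv_euclid(k, n=N):
    """Extended Euclid. Returns (k^-1 mod n, loop iterations).
    The iteration count depends on the secret value k."""
    r0, r1, t0, t1, steps = n, k % n, 0, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
        steps += 1
    if r0 != 1:
        raise ValueError("k is not invertible mod n")
    return t0 % n, steps

def inv_fermat(k, n=N):
    """Fermat inversion k^(n-2) mod n for prime n. Returns (inverse, modular
    multiplications). Control flow follows only the public exponent n-2."""
    e, acc, mults = n - 2, 1, 0
    for i in reversed(range(e.bit_length())):
        acc = acc * acc % n          # square on every bit
        mults += 1
        if (e >> i) & 1:             # branch on a public bit, never on k
            acc = acc * k % n
            mults += 1
    if acc * k % n != 1:
        raise ValueError("k is not invertible mod n")
    return acc, mults

def sample_nonces():
    """Constructed sample values standing in for ECDSA nonces."""
    h = hashlib.sha256(b"constructed sample nonce").digest()
    return [1, N - 1, int.from_bytes(h, "big") % N]

def operation_counts(nonces):
    """Per-nonce operation counts for both inversion methods."""
    return ([inv_euclid(k)[1] for k in nonces],
            [inv_fermat(k)[1] for k in nonces])

if __name__ == "__main__":
    euclid, fermat = operation_counts(sample_nonces())
    print("extended Euclid iterations:", euclid)   # varies with the nonce
    print("Fermat multiplications:   ", fermat)    # identical for every nonce
```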
> The attacks require about $11,000 worth of equipment and a sophisticated understanding of electrical and cryptographic engineering. The difficulty of the attack means it would likely be carried out only by nation-states or other entities with comparable resources and then only in highly targeted scenarios. The likelihood of such an attack being used widely in the wild is extremely low.
Not that much of a risk for ordinary people. Apparently.
> The list, however, omits a key step, which is tearing down the YubiKey and exposing the logic board housed inside.
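So the key has to be taken apart.
I forgot the most important piece of information: apparently this is about ECDSA.
[EDIT: It might be broader than that; I'm not sure.]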
Security Advisory YSA-2024-03 | Yubico
https://www.yubico.com/support/security-advisories/ysa-2024-03/
> ECDSA is heavily used in FIDO, however this could also impact PIV and OpenPGP use cases if ECC keys are used.
Hmm, since this says "elliptic curve", curve25519 looks like it would be affected too. So is it not just ECDSA proper?