Hardware Security Keys Keep Getting Recalled; Are They Safe?

Google Titan security keys
Cameron Summerson

We recommend hardware security keys like Yubico’s YubiKeys and Google’s Titan Security Key. But both manufacturers have recently recalled keys due to hardware flaws, and that sounds a little worrying. What’s the problem? Are these keys still safe?


What Are Hardware Security Keys?

Physical security keys like Google’s Titan Security Key and Yubico’s YubiKeys use the WebAuthn standard, the successor to U2F, to help protect your accounts. They function as another type of two-factor authentication: Rather than a code you type in, it’s a physical security key you insert into a USB port—or it can communicate wirelessly via NFC (near-field communication) or Bluetooth.


You can use your key as a hardware security token to sign into accounts like your Google, Facebook, Dropbox, and GitHub accounts. With Google’s optional Advanced Protection program, you can even require a physical security key to log into your account.


Why Have Google and Yubico Recalled Keys?

Yubico FIPS keys
Yubico

Both Yubico and Google have been in the news lately. Each has had to recall some security keys due to hardware flaws.


Yubico’s issue only affects YubiKey FIPS Series devices—not any consumer devices. As Yubico’s security advisory explains, these keys have insufficient randomness after device powerup, which could make their encryption vulnerable. These devices are just for government agencies and contractors—we don’t recommend FIPS unless you’re legally required to use it. Yubico isn’t aware of any attacks that have abused this, but the company is proactively replacing affected devices.


Google’s Titan Security Key problem, which led to a recall and replacement of affected keys, was worse. The Bluetooth version of the Titan Security Key, which uses Bluetooth Low Energy to communicate wirelessly, was vulnerable to attack due to what Google called a “misconfiguration.” An attacker within 30 feet of someone using a security key to sign in could exploit the flaw to sign into their account. Or, the attacker could trick the person’s computer into pairing with a different Bluetooth dongle rather than the security key. The vulnerability also affects Feitian security keys—Feitian is the company manufacturing the Titan keys for Google.


Microsoft has also rolled out a Windows update that will prevent these vulnerable Google Titan and Feitian keys from pairing with Windows 10 and Windows 8.1 via Bluetooth.

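The server side of the WebAuthn login that these keys perform, as an added example written for this page; it is not code from the original article, nor from Google, Yubico or Feitian. It simulates a key (one P-256 key pair per site, held in memory here only) and a relying party, uses only the Go standard library, and omits the signature counter and attestation that real keys also send; the names example.com and the look-alike origin https://examp1e.com are constructed. What it shows is where the two recalls sit relative to the login flow: the key signs whatever challenge and origin the browser hands it, and it is the server's origin and rpId checks that make a response captured on a look-alike site worthless. Weak randomness, the FIPS-series issue, would bite at the key-generation and signing calls; the Titan Bluetooth pairing problem lived in the transport underneath all of this, which is why it required an attacker within radio range and why none of these checks address it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

type Authenticator struct {
	priv *ecdsa.PrivateKey // a real key never lets this leave its secure element
	rpID string            // one key pair per site; this one is bound to rpID
}

// clientData mirrors CollectedClientData; the browser, not the key, fills in origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type Assertion struct{ AuthData, ClientDataJSON, Sig []byte }

type RelyingParty struct {
	ID, Origin string
	Pub        *ecdsa.PublicKey // enrolled for the account at registration
}

// signedDigest is what the key signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, cdJSON []byte) []byte {
	h := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return d[:]
}

// NewAuthenticator makes the per-site key pair (registration). ECDSA needs fresh
// randomness here and for every signature: weak power-up randomness hurts exactly here.
func NewAuthenticator(rpID string) *Authenticator {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // the system random source failed; nothing sensible to do
	}
	return &Authenticator{priv: priv, rpID: rpID}
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign builds authData = SHA-256(rpID) || flags (real keys also append a counter) and signs it.
func (a *Authenticator) Sign(challenge, origin string) Assertion {
	rpIDHash := sha256.Sum256([]byte(a.rpID))
	authData := append(rpIDHash[:], 0x01) // flags 0x01 = user present (the touch)
	cd, _ := json.Marshal(clientData{challenge, origin}) // two strings: cannot fail
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, cd))
	if err != nil {
		panic(err)
	}
	return Assertion{authData, cd, sig}
}

// NewChallenge returns 32 fresh random bytes as hex; the server issues one per attempt.
func NewChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return fmt.Sprintf("%x", b)
}

// Verify: this challenge, this origin, this rpID, user presence, and the enrolled key's signature.
func (rp *RelyingParty) Verify(challenge string, as Assertion) error {
	var cd clientData
	rpIDHash := sha256.Sum256([]byte(rp.ID))
	switch {
	case json.Unmarshal(as.ClientDataJSON, &cd) != nil || cd.Challenge != challenge:
		return fmt.Errorf("bad clientDataJSON or challenge mismatch: stale or replayed response")
	case cd.Origin != rp.Origin:
		return fmt.Errorf("origin %q is not %q: response came from another site", cd.Origin, rp.Origin)
	case len(as.AuthData) < 33 || string(as.AuthData[:32]) != string(rpIDHash[:]) || as.AuthData[32]&0x01 == 0:
		return fmt.Errorf("authenticatorData malformed, rpIdHash mismatch, or no user presence")
	case !ecdsa.VerifyASN1(rp.Pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Sig):
		return fmt.Errorf("signature does not verify against the enrolled key")
	}
	return nil
}

// RunScenarios returns the verdicts for a genuine login and for the same key's response relayed via a look-alike origin.
func RunScenarios() (genuine, phished error) {
	key := NewAuthenticator("example.com")
	rp := &RelyingParty{ID: "example.com", Origin: "https://example.com", Pub: key.PublicKey()}
	ch := NewChallenge()
	genuine = rp.Verify(ch, key.Sign(ch, "https://example.com"))
	ch = NewChallenge() // the key signs just as readily for the look-alike; the browser-written origin gives it away
	phished = rp.Verify(ch, key.Sign(ch, "https://examp1e.com"))
	return genuine, phished
}

func main() {
	genuine, phished := RunScenarios()
	fmt.Println("genuine login:", genuine, "\nrelayed via look-alike origin:", phished)
}
```

Run it with `go run`: the genuine login verifies and the relayed one is refused on the origin check, even though the same key produced a perfectly valid signature for it. That asymmetry, not the key's tamper resistance, is what stops a phishing page from using the key, and it is why the page's Titan issue needed proximity: an attacker in Bluetooth range was attacking the link between browser and key, below the layer where these checks run.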

Yubico never offered a Bluetooth key. When Google announced its Titan key, Yubico said that it had previously explored launching its own Bluetooth Low Energy (BLE) key but that “BLE does not provide the security assurance levels of NFC and USB.” Google’s struggles seemingly vindicated Yubico’s approach of focusing on USB and NFC rather than Bluetooth.


Both Google and Yubico recalled and replaced affected keys for free.


Do We Still Recommend These Keys?

Despite the flaws and recalls, we do still recommend physical security keys. Yubico experienced an issue with randomness in one line of products specifically for the government and replaced it. Google ran into trouble with Bluetooth, but even that problem could only be exploited by attackers within 30 feet of you. Even a flawed Bluetooth Titan key definitely protected you from remote attackers.


These keys still meet high standards of security. The fact that both Yubico and Google are proactively disclosing flaws and offering free replacements of affected hardware is encouraging. The problems have never affected any standard USB or NFC-based security keys for regular consumers.


The biggest problem with these keys is the problem with all two-factor authentication. With most online services, you can simply use a less-secure method like SMS to remove the security key. An attacker who pulled off a phone port-out scam could gain access to your account even if you have a physical key attached. Only very high-security services—like Google’s Advanced Protection program—can protect you against that.


Translated from: https://www.howtogeek.com/425037/hardware-security-keys-keep-getting-recalled-are-they-safe/
