Security Technology / Key Security: Hardware Security Keys Keep Getting Recalled; Are They Safe?
Cameron Summerson
We recommend hardware security keys like Yubico’s YubiKeys and Google’s Titan Security Key. But both manufacturers have recently recalled keys due to hardware flaws, and that sounds a little worrying. What’s the problem? Are these keys still safe?
What Are Hardware Security Keys?
Physical security keys like Google’s Titan Security Key and Yubico’s YubiKeys use the WebAuthn standard, the successor to U2F, to help protect your accounts. They function as another type of two-factor authentication: Rather than a code you type in, it’s a physical security key you insert into a USB port—or it can communicate wirelessly via NFC (near-field communication) or Bluetooth.
You can use your key as a hardware security token to sign into accounts like your Google, Facebook, Dropbox, and GitHub accounts. With Google’s optional Advanced Protection program, you can even require a physical security key to log into your account.
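The two paragraphs above say a security key is "another type of two-factor authentication", but the property that makes a WebAuthn key stronger than a typed code is what the website checks, not just the signature. The Go program below is an added example written for this page; it is not code from Yubico, Google, or the WebAuthn specification, and it simplifies the real data structures (no CBOR, no attestation, a minimal authenticatorData layout). It plays both sides of a login: the key signs over the browser-supplied origin and challenge, and the relying party refuses the signature when the origin, RP ID hash, challenge, presence flag or signature counter do not match. The relying party name "example.com", the lookalike "examp1e.com" and the credential key pair are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData holds the clientDataJSON fields a relying party must check; the browser fills them in.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url, no padding
	Origin    string `json:"origin"`
}

type assertion struct {
	ClientDataJSON, AuthenticatorData, Signature []byte
}

// newChallenge draws a fresh 32-byte challenge; every login ceremony gets its own.
func newChallenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// buildAuthData builds minimal authenticatorData: SHA-256(rpID) || flags || 32-bit counter.
func buildAuthData(rpID string, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	out := append(h[:], 0x01) // flags byte: UP set, the user touched the key
	return append(out, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
}

// digest is what the key actually signs: SHA-256(authData || SHA-256(clientDataJSON)).
func digest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// signAssertion plays the security key. It signs whatever origin the browser
// recorded, so a signature produced on a lookalike site carries that site's name.
func signAssertion(priv *ecdsa.PrivateKey, rpID, origin, challenge string, counter uint32) (assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin}) // cannot fail for this struct
	authData := buildAuthData(rpID, counter)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(authData, cd))
	return assertion{cd, authData, sig}, err
}

// verifyAssertion plays the relying party. The challenge defeats replay, the origin and
// rpIdHash bind the signature to the genuine site, and the counter must move forward.
func verifyAssertion(pub *ecdsa.PublicKey, a assertion, rpID, origin, challenge string, lastCounter uint32) (uint32, error) {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return 0, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	ad := a.AuthenticatorData
	switch {
	case cd.Type != "webauthn.get":
		return 0, errors.New("wrong ceremony type")
	case cd.Challenge != challenge:
		return 0, errors.New("challenge mismatch: stale or replayed assertion")
	case cd.Origin != origin:
		return 0, errors.New("origin mismatch: assertion was made on another site")
	case len(ad) < 37 || string(ad[:32]) != string(rpHash[:]):
		return 0, errors.New("rpIdHash mismatch")
	case ad[32]&0x01 == 0:
		return 0, errors.New("user presence not asserted")
	}
	counter := uint32(ad[33])<<24 | uint32(ad[34])<<16 | uint32(ad[35])<<8 | uint32(ad[36])
	if counter <= lastCounter {
		return 0, errors.New("signature counter did not increase")
	}
	if !ecdsa.VerifyASN1(pub, digest(ad, a.ClientDataJSON), a.Signature) {
		return 0, errors.New("invalid signature")
	}
	return counter, nil
}

func main() {
	// Constructed demo: one credential key pair registered with hypothetical "example.com".
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ch, _ := newChallenge()
	good, _ := signAssertion(priv, "example.com", "https://example.com", ch, 1)
	_, err := verifyAssertion(&priv.PublicKey, good, "example.com", "https://example.com", ch, 0)
	fmt.Println("genuine login:", err)
	// Same key and challenge, but the browser recorded a lookalike origin (constructed name).
	bad, _ := signAssertion(priv, "example.com", "https://examp1e.com", ch, 2)
	_, err = verifyAssertion(&priv.PublicKey, bad, "example.com", "https://example.com", ch, 1)
	fmt.Println("lookalike origin:", err)
}
```

The second call in main is the point: the signature is cryptographically valid, yet the relying party rejects it because the browser, not the key, recorded the origin, and the key cannot be talked into signing a different one. That is why a typed code can be phished and a key's assertion cannot.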
Why Have Google and Yubico Recalled Keys?
Both Yubico and Google have been in the news lately. Each has had to recall some security keys due to hardware flaws.
Yubico’s issue only affects YubiKey FIPS Series devices—not any consumer devices. As Yubico’s security advisory explains, these keys have insufficient randomness after device powerup, which could make their encryption vulnerable. These devices are just for government agencies and contractors—we don’t recommend FIPS unless you’re legally required to use it. Yubico isn’t aware of any attacks that have abused this, but the company is proactively replacing affected devices.
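The Yubico issue above is a random number generator that has not yet produced enough randomness right after power-up. The standard defence in device firmware against that class of fault is a startup health test: draw a block of samples, run a statistical test on it, and refuse to generate any key material until it passes. The Go program below is an added example for this page, not Yubico's firmware and not drawn from the advisory. It implements the repetition count test from NIST SP 800-90B (cutoff C = 1 + ceil(20 / H) for a false-alarm rate of 2^-20, where H is the assessed min-entropy per sample) and runs it over a startup block from two constructed sources: a healthy one and one whose first bytes after power-up are a constant. The 1024-sample block size, the 8-bit entropy estimate and the source models are assumptions made for the demo.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math"
)

// repetitionCountCutoff is the SP 800-90B repetition count test cutoff
// C = 1 + ceil(-log2(alpha) / H) with alpha = 2^-20 and H the assessed
// min-entropy per sample in bits. At H = 8 bits per byte, C = 4.
func repetitionCountCutoff(entropyPerSample float64) int {
	return 1 + int(math.Ceil(20.0/entropyPerSample))
}

// repetitionCountTest fails if any value occurs C or more times in a row,
// the signature of a stuck or not-yet-filled noise source.
func repetitionCountTest(samples []byte, cutoff int) error {
	if len(samples) == 0 {
		return errors.New("no samples")
	}
	run := 1
	for i := 1; i < len(samples); i++ {
		if samples[i] != samples[i-1] {
			run = 1
			continue
		}
		run++
		if run >= cutoff {
			return fmt.Errorf("value 0x%02x repeated %d times ending at sample %d", samples[i], run, i)
		}
	}
	return nil
}

// source models a noise source: draw n raw samples.
type source func(n int) ([]byte, error)

// healthySource is a constructed stand-in for a working noise source, backed by crypto/rand.
func healthySource(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// stuckAtPowerup is a constructed model of a source whose first k outputs are a
// constant because its pool has not filled yet; after that it behaves properly.
func stuckAtPowerup(k int) source {
	return func(n int) ([]byte, error) {
		b, err := healthySource(n)
		for i := 0; i < k && i < n; i++ {
			b[i] = 0
		}
		return b, err
	}
}

// startupCheck draws one startup block and returns an error if the source must not
// yet be used for key generation. Firmware would keep the source disabled until nil.
func startupCheck(s source, entropyPerSample float64, blockSize int) error {
	block, err := s(blockSize)
	if err != nil {
		return err
	}
	return repetitionCountTest(block, repetitionCountCutoff(entropyPerSample))
}

func main() {
	fmt.Println("healthy source:", startupCheck(healthySource, 8, 1024))
	fmt.Println("stuck at power-up:", startupCheck(stuckAtPowerup(16), 8, 1024))
}
```

The second source fails on its fourth sample, before any of the later, healthy bytes are reached; that is the behaviour wanted from a startup test, which exists precisely to catch a source that is fine once warmed up but not at the moment the first key is generated. A genuinely uniform byte source trips the H = 8 cutoff on a 1024-sample block with probability of roughly 6 in 100,000, which is why the test is run on a block rather than on every byte, and why firmware should re-draw and retest rather than treat one failure as a permanent fault.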
Google’s Titan Security Key problem, which led to a recall and replacement of affected keys, was worse. The Bluetooth version of the Titan Security Key, which uses Bluetooth Low Energy to communicate wirelessly, was vulnerable to attack due to what Google called a “misconfiguration.” An attacker within 30 feet of someone using a security key to sign in could exploit the flaw to sign into their account. Or, the attacker could trick the person’s computer into pairing with a different Bluetooth dongle rather than the security key. The vulnerability also affects Feitian security keys—Feitian is the company manufacturing the Titan keys for Google.
Microsoft has also rolled out a Windows update that will prevent these vulnerable Google Titan and Feitian keys from pairing with Windows 10 and Windows 8.1 via Bluetooth.
Yubico never offered a Bluetooth key. When Google announced its Titan key, Yubico said that it had previously explored launching its own Bluetooth Low Energy (BLE) key but that “BLE does not provide the security assurance levels of NFC and USB.” Google’s struggles seemingly vindicated Yubico’s approach of focusing on USB and NFC rather than Bluetooth.
Both Google and Yubico recalled and replaced affected keys for free.
Do We Still Recommend These Keys?
Despite the flaws and recalls, we do still recommend physical security keys. Yubico experienced an issue with randomness in one line of products specifically for the government and replaced it. Google ran into trouble with Bluetooth, but even that problem could only be exploited by attackers within 30 feet of you. Even a flawed Bluetooth Titan key definitely protected you from remote attackers.
These keys still meet high standards of security. The fact that both Yubico and Google are proactively disclosing flaws and offering free replacements of affected hardware is encouraging. The problems have never affected any standard USB or NFC-based security keys for regular consumers.
The biggest problem with these keys is the problem with all two-factor authentication. With most online services, you can simply use a less-secure method like SMS to remove the security key. An attacker who pulled off a phone port-out scam could gain access to your account even if you have a physical key attached. Only very high-security services—like Google’s Advanced Protection program—can protect you against that.
Translated from: https://www.howtogeek.com/425037/hardware-security-keys-keep-getting-recalled-are-they-safe/