Users of YubiKey FIPS Series devices with firmware v4.4.2 or v4.4.4 are at risk. The Yubico Security Advisory of 2019-06-13 makes it public knowledge that "the first set of random values used by YubiKey FIPS applications after each device power-up have reduced randomness". That is a big deal for organizations that depend upon the security assertions and Common Criteria certification of a product's cryptographic capability.
What "reduced randomness" really means is that Yubico's implementation of a non-deterministic random number generator had a design flaw (it has since been fixed). In a number of different scenarios while operating in FIPS mode, the firmware module generated cryptographic keys whose strength depended on how much entropy was actually available at the time. It is this predictable portion of the start-up randomness that affected:
- RSA key generation - impacted by up to 80 predictable bits out of a minimum of 2048 bits.
- ECDSA signatures - the nonce k became significantly biased, with up to 80 of its 256 bits being static, resulting in weakened signatures. This could allow an attacker who gains access to several signatures to reconstruct the private key.
- ECC key generation - impacted by up to 80 predictable bits out of the minimum 256 bit key length.
- ECC encryption - 16 bits of the private key become known.
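The defect is easiest to reason about as a detection problem: if the first random block after power-up carries a fixed prefix, that prefix shows up as bit positions that never change across power cycles. The following is an added example, not Yubico's code or anything from the advisory. It models a defective generator whose first 256-bit output has 80 static bits (a constructed stand-in for the "up to 80 of the 256 bits being static" case), a healthy generator for comparison, and a small defender-side check that collects the first output from many simulated power-ups and reports which bit positions are static. The sample data is generated locally with Python's `secrets` module; nothing is read from a real device.

```python
"""
Added example: a start-up randomness health check.

Assumptions (not from the advisory): a device is modelled by a function that
returns its first 256-bit random block after a power-up; the flawed model
carries a constant 80-bit prefix.  Real hardware would be sampled by resetting
it and reading the first random output each time.
"""
import secrets
from typing import Dict, List

BLOCK_BITS = 256
STATIC_BITS = 80  # constructed: mimics "up to 80 of the 256 bits being static"

# Constructed constant prefix for the flawed model (80 bits = 10 bytes).
STATIC_PREFIX = bytes.fromhex("deadbeefcafef00d1234")


def flawed_first_output(static_prefix: bytes = STATIC_PREFIX) -> bytes:
    """Constructed model of a defective generator: the first block after
    power-up is a fixed 80-bit prefix followed by 176 genuinely fresh bits."""
    fresh = secrets.token_bytes((BLOCK_BITS - len(static_prefix) * 8) // 8)
    return static_prefix + fresh


def healthy_first_output() -> bytes:
    """Model of a sound generator: every bit of the first block is fresh."""
    return secrets.token_bytes(BLOCK_BITS // 8)


def static_bit_positions(samples: List[bytes]) -> List[int]:
    """Return bit positions (0 = MSB of byte 0) whose value is identical in
    every sample.  A bit is static iff it is set in every sample (AND == 1)
    or clear in every sample (OR == 0).  For a sound generator and N samples,
    each position is static with probability 2**(1-N), so with 64 samples a
    false positive across 256 positions is vanishingly unlikely."""
    if not samples:
        return []
    n_bits = len(samples[0]) * 8
    all_and = int.from_bytes(samples[0], "big")
    all_or = all_and
    for s in samples[1:]:
        v = int.from_bytes(s, "big")
        all_and &= v
        all_or |= v
    positions = []
    for i in range(n_bits):
        mask = 1 << (n_bits - 1 - i)
        if (all_and & mask) or not (all_or & mask):
            positions.append(i)
    return positions


def assess(samples: List[bytes], max_static_bits: int = 0) -> Dict:
    """Summarise the check: how many static positions were found, where they
    are, a conservative upper bound on fresh bits in the block, and a verdict."""
    static = static_bit_positions(samples)
    n_bits = len(samples[0]) * 8 if samples else 0
    return {
        "samples": len(samples),
        "static_bits": len(static),
        "positions": static,
        "fresh_bits_upper_bound": n_bits - len(static),
        "ok": len(static) <= max_static_bits,
    }


def collect(first_output, power_cycles: int = 64) -> List[bytes]:
    """Simulate `power_cycles` resets, keeping only the first block of each."""
    return [first_output() for _ in range(power_cycles)]


if __name__ == "__main__":
    for name, gen in (("healthy", healthy_first_output), ("flawed", flawed_first_output)):
        report = assess(collect(gen))
        print(f"{name}: static_bits={report['static_bits']} "
              f"fresh<={report['fresh_bits_upper_bound']} ok={report['ok']}")
```

The check only sees what the device emits, so it bounds entropy from above rather than measuring it: 80 static positions mean at most 176 fresh bits in that block, which is exactly the kind of shortfall that weakens the ECDSA nonce and the ECC/RSA key material listed above. Sampling the first output after each reset, rather than a long stream from one session, is what makes a power-up-only defect visible.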
The YubiKey 4 Cryptographic Module Security Policy is a good read, but I wish it went into more depth on how the hardware non-deterministic RNG works, because that RNG is what seeds the FIPS-approved functional unit.