Security Advisory: tkeyclient

We recently discovered a security problem in the tkeyclient Go module used by several of our client apps. All versions of tkeyclient up to and including v1.2.0 are affected.

To explain the issue, it helps to first recap how TKey works. It normally uses:

  1. Something you have: the device itself, which holds a Unique Device Secret (UDS).

  2. The integrity of the software you want to run: the device app, which the firmware measures before use.

  3. Optionally, something you know: a User Supplied Secret (USS), a string of characters typically entered on a keyboard or read from a file.

The TKey firmware mixes these inputs together (two of them, or three when a USS is supplied) to derive a secret. The device app then uses this secret to create its cryptographic keys, so any change to the device, the app or the USS yields different keys.

The vulnerability we found is that certain User Supplied Secrets were silently not used (about 1 out of every 256 possible values), so the resulting secret was identical to the one derived when no USS is provided at all. No error was reported, and the user had no way to tell. This may have led users to believe that a USS was protecting their keys when in reality it had no effect: the keys depended only on the device and the device app, exactly as if the "something you know" factor had been left out.
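The following Go program is an added example, not code from tkeyclient or the TKey firmware. It models the derivation described above (device secret, app measurement and optional USS mixed into one secret) with a simplified SHA-256 construction, and shows the kind of sweep test that catches the failure mode in this advisory: for every candidate USS, the derived secret must differ from the no-USS secret. `FlawedDerive` is a hypothetical stand-in that ignores USS values whose first byte is 0x00 (1 of 256 possible first bytes), chosen only to reproduce the advisory's ratio; it is not the actual tkeyclient bug. The UDS and app bytes are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Deriver mixes the device secret (UDS), the device-app digest and an
// optional USS into one 32-byte secret. Simplified model for this example;
// the real firmware construction is not reproduced here.
type Deriver func(uds, appDigest, uss []byte) [32]byte

// mix hashes length-prefixed fields so that fields of different lengths
// cannot be re-split into the same byte stream. The USS field is only
// included when useUSS is true.
func mix(uds, appDigest, uss []byte, useUSS bool) [32]byte {
	var buf bytes.Buffer
	fields := [][]byte{uds, appDigest}
	if useUSS {
		fields = append(fields, uss)
	}
	for _, f := range fields {
		_ = binary.Write(&buf, binary.BigEndian, uint32(len(f)))
		buf.Write(f)
	}
	return sha256.Sum256(buf.Bytes())
}

// CorrectDerive applies the USS whenever one was supplied.
func CorrectDerive(uds, appDigest, uss []byte) [32]byte {
	return mix(uds, appDigest, uss, len(uss) > 0)
}

// FlawedDerive is a HYPOTHETICAL model of the advisory's failure mode:
// a USS whose first byte is 0x00 is treated as "no USS supplied". It is
// not the real tkeyclient defect; it only reproduces the 1-in-256 ratio.
func FlawedDerive(uds, appDigest, uss []byte) [32]byte {
	present := len(uss) > 0 && uss[0] != 0x00
	return mix(uds, appDigest, uss, present)
}

// IgnoredUSS returns every candidate USS for which derive yields the same
// secret as supplying no USS at all. A correct deriver returns nil.
func IgnoredUSS(derive Deriver, uds, appDigest []byte, candidates [][]byte) [][]byte {
	baseline := derive(uds, appDigest, nil)
	var ignored [][]byte
	for _, uss := range candidates {
		if derive(uds, appDigest, uss) == baseline {
			ignored = append(ignored, uss)
		}
	}
	return ignored
}

// Candidates builds a sweep covering all 256 values of the first USS byte,
// plus two ordinary passphrases. Sweeping a whole byte is what exposes a
// single-byte "USS present" decision gone wrong.
func Candidates() [][]byte {
	cands := make([][]byte, 0, 258)
	for i := 0; i < 256; i++ {
		cands = append(cands, append([]byte{byte(i)}, []byte("secret")...))
	}
	return append(cands, []byte("correct horse battery staple"), []byte("hunter2"))
}

func main() {
	uds := []byte("constructed-unique-device-secret") // placeholder, not a real UDS
	app := sha256.Sum256([]byte("constructed device app"))
	cands := Candidates()
	for _, d := range []struct {
		name string
		fn   Deriver
	}{{"correct", CorrectDerive}, {"flawed", FlawedDerive}} {
		ignored := IgnoredUSS(d.fn, uds, app[:], cands)
		fmt.Printf("%s deriver: %d of %d USS values had no effect\n", d.name, len(ignored), len(cands))
	}
}
```

The useful property here is that the sweep compares against the no-USS baseline rather than checking that the secret "looks random": a dropped USS still produces a perfectly random-looking secret, which is why users could not notice the problem from the keys alone.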

tkeyclient and the affected client apps have been updated. Please upgrade at your earliest convenience.

NOTE: If you were affected by the vulnerability, your keys will change once you upgrade the app, because the USS you enter is now actually applied. You can confirm this by comparing a key (for instance your SSH public key) before and after upgrading with the same USS. To get the same keys as before, for instance while you register new keys, don’t enter any USS when prompted; your old keys were in effect derived without one.

A security advisory has been published for tkeyclient.

For more information on a specific client app, see its respective release notes. The fixed versions are:

  app                    new version
  tkey-ssh-agent         v1.1.0
  tkey-sign-cli          v1.1.0
  tkey-random-generator  v0.0.3
  tkey-runapp            v0.0.2