
My first week with a Yubikey

  • 07-09-2014 9:43pm
    #1
    Closed Accounts Posts: 1,004 ✭✭✭



    Dear all,

    My Yubikey arrived on Tuesday, thought I'd provide a brief summary of my time with it here.

    For anyone not familiar with the way the Yubikey operates, there's an excellent summary on the Arch Linux Wiki.

    To quote the Wiki directly:

    "... each Yubikey contains a 128-bit AES key, unique to that key. It is used to encrypt a token made of different fields such as the ID of the key, a counter, a random number, etc. The OTP is made from concatenating the ID of the key with this encrypted token.

    This OTP is sent to the target system, to which we want to authenticate. This target system asks a validation server if the OTP is good. The validation server has a mapping of Yubikey IDs -> AES key. Using the key ID in the OTP, it can thus retrieve the AES key and decrypt the other part of the OTP. If it looks OK (plain-text ID and encrypted ID are the same, the counter is bigger than the last seen one to prevent replay attacks...), then authentication is successful."


    The validation server can be Yubico's own, as is the case if you decide to make use of the Lastpass service to store your passwords. You can then use a password in combination with the token generated by the Yubikey to log in and in the case of Lastpass, retrieve your list of passwords.


    You can also create your own validation server if you wish. This is brilliant if you have a server and want to log in via SSH as it allows for two factor authentication.



    The key comes with two slots, so the other can be programmed with a static password, ideally a long 32 bit one. This can be used either on its own or with another password of your choosing to encrypt a drive. So far I've used the key to bolster the password I use to unlock my hard drive and am very happy.


    There is a cross platform Personalization Tool for the key. I had difficulties getting this to run on my machine which runs Debian Wheezy but it worked like a charm on my iMac.


    My only real concerns are what to do if the key is seized by a government grunt as it'll spew out a password just as happily for them as it will for you.


    Would be interested in hearing the thoughts of anyone else who's used these, or if not, why.
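
The validation-server checks quoted from the Arch Wiki in the post above, as an added example that is not part of the original post or Yubico's code: split the OTP into key ID and encrypted token, then test the decrypted token's CRC, ID and counter. Assumptions: the standard Yubico OTP layout (12 modhex characters of ID plus 32 of token, 16-byte token with CRC-16); the AES-128 decryption step is left out because Python's standard library has no AES, so `check_token` takes the already-decrypted bytes; `make_token` and all sample values are constructed.

```python
import struct

MODHEX = "cbdefghijklnrtuv"  # Yubico's keyboard-layout-independent hex alphabet

def modhex_decode(s):
    """Decode a modhex string to bytes (ValueError on characters outside the alphabet)."""
    return bytes.fromhex("".join("%x" % MODHEX.index(c) for c in s))

def split_otp(otp):
    """Return (key ID, encrypted token bytes) from a 44-character OTP."""
    if len(otp) != 44:
        raise ValueError("expected 44 modhex characters")
    return otp[:12], modhex_decode(otp[12:])

def crc16(data):
    """CRC-16 used inside the token (reflected polynomial 0x8408, init 0xffff)."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def check_token(plain, expected_uid, last_seen):
    """Validate a decrypted token; return the (use, session) counters to store.
    last_seen is the counter pair recorded at this key's previous login."""
    if len(plain) != 16 or crc16(plain) != 0xF0B8:
        raise ValueError("bad CRC: wrong AES key or corrupted OTP")
    # uid, use counter, timestamp low/high, session counter, random, crc
    uid, use_ctr, _, _, session_ctr, _, _ = struct.unpack("<6sHHBBHH", plain)
    if uid != expected_uid:
        raise ValueError("ID in token does not match the registered key")
    if (use_ctr, session_ctr) <= last_seen:
        raise ValueError("replayed OTP: counter not greater than last seen")
    return (use_ctr, session_ctr)

def make_token(uid, use_ctr, session_ctr):
    """Constructed plaintext token for the demo (timestamp and random zeroed)."""
    body = struct.pack("<6sHHBBH", uid, use_ctr, 0, 0, session_ctr, 0)
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)

if __name__ == "__main__":
    uid = bytes.fromhex("010203040506")           # constructed sample ID
    state = check_token(make_token(uid, 7, 0), uid, (6, 3))
    print("accepted, stored counters:", state)
    try:
        check_token(make_token(uid, 7, 0), uid, state)  # same OTP again
    except ValueError as e:
        print("rejected:", e)
```
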






Comments

  • Registered Users Posts: 1,193 ✭✭✭liamo


    Hi

    Here are a few uses to which I have put YubiKeys.

    I've just introduced YubiKeys in work for most of our staff. We use a product called ScreenConnect for delivering support to our many customers and it can add YubiKey as a second authentication factor (in addition to username/password). The setup is a breeze and "it just works".

    We have an SSH service running on one of our public IPs for remote access for Admins. I've recently modified that to require a YubiKey OTP in addition to username/password. That really locks it down.

    I'm also considering introducing YubiKeys for use with our OpenVPN installation. I know there were some problems a few years ago with the length of the password that the OpenVPN GUI would accept, whereby any more than 48 characters would be truncated which effectively meant that your password could only be 4 characters followed by YubiKey's 44 characters. I believe that has been fixed but I need to set up a new VM with OpenVPN to test it out.

    The above services all require Internet to be present so if we lose Internet for whatever reason we'll be completely without the services as opposed to being without the services because we can't complete the YubiKey authentication against the YubiCloud.

    The next step is to introduce our own authentication server so that I can consider introducing 2FA for our LAN services.

    I had a static password in slot 2 of my own YubiKey but I reset it back to a OTP because the static password feature doesn't really add much security as far as I'm concerned.

    As for someone nabbing the key ... yes, that's a possibility however 2FA prevents the discovery of your username/password being used to access the OTP-protected services. Once the YubiKey falls into the hands of a bad guy then all bets are off. Of course, if someone really, really wants to get at your protected services then there's always the "$5 Wrench Hack" - see here for more info on this.


    Hope the above gives you a few ideas.

    Regards

    Liam


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    You need a self destructing SSD^^

    Literally destroys itself on receipt of pre-defined text.
    The SSD's enclosure features built-in mechanisms that will physically destroy the flash memory chips inside, making the data completely unrecoverable.

    But the drives include other failsafes for protecting your data if you're not able to send the self-destruct text, or don't realize the drive has gone missing. The SecureDrives SSDs can also be programmed to automatically self-destruct when disconnected from a SATAII connector, when the battery is low and someone is trying to circumvent the fail-safe mechanisms, when it's been shielded from a GSM signal for a set period of time, and even after a pre-determined series of finger taps detected through a motion sensor. And all of that works on top of 256-bit AES CBC hardware encryption protecting the actual data.

    It goes without saying these drives will certainly cost far more than your standard SSD, including having to pay for the monthly worldwide GSM service.

    http://gizmodo.com/self-destructing-ssds-will-nuke-themselves-if-you-text-1640733628


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    You need a self destructing SSD^^

    Literally destroys itself on receipt of pre-defined text.



    http://gizmodo.com/self-destructing-ssds-will-nuke-themselves-if-you-text-1640733628

    Very exciting RF, many thanks! I'd been hoping my software Dead Man's Switch might be better for those on a budget but this takes the cake! :)


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    Very exciting RF, many thanks! I'd been hoping my software Dead Man's Switch might be better for those on a budget but this takes the cake! :)
    I was gonna put it in a new thread named after you when I spotted it. :D


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    I was gonna put it in a new thread named after you when I spotted it. :D

    Hi RF,

    Just read the review on the website last night; very exciting. I like the idea that you can set it to self destruct if it loses access to the GSM network.

    At just over £1,000 it's a little steep but from then it's only £29 a year - also, can you put a price on your privacy? :-D


  • Registered Users Posts: 1,667 ✭✭✭Impetus


    I've had one since Stina Ehrensvärd first launched the Yubikey. But I have never used it for anything serious - fearing that if one lost the key, one could not access data. It is just a USB device that squirts an alpha-numeric code into a PC that makes it look as if it was keyboard entered.

    The device has potential.... but

    You always need a backup. They should be available in pairs that are identical and create identical codes. One could then resort to the spare in the event of loss or damage to the main Yubikey.

    I wouldn't buy a car if the manufacturer only supplied one set of keys either. Mercedes Benz give one two regular keys, and a spare flat key that one can put in a wallet that has all the functionality of a regular key. Which is two backups to the main key.

    http://www.yubico.com


  • Registered Users Posts: 1,193 ✭✭✭liamo


    A clone of a YubiKey is one solution. However, if you can clone a YubiKey once, what's to stop someone cloning it again without your knowledge? I prefer the uniqueness of the current YubiKey.

    The car-key analogy only works if the YubiKey is only going to be used for storing static passwords. The unique ID plus one-time-password is the main purpose of the YubiKey as sold.

    The correct solution is for applications to be able to handle multiple YubiKeys. My ssh setup allows me to set multiple YubiKey IDs for use against my account. To my mind, that's the correct way to do it.


    Impetus wrote: »
    I've had one since Stina Ehrensvärd first launched the Yubikey. But I have never used it for anything serious - fearing that if one lost the key, one could not access data. It is just a USB device that squirts an alpha-numeric code into a PC that makes it look as if it was keyboard entered.

    The device has potential.... but

    You always need a backup. They should be available in pairs that are identical and create identical codes. One could then resort to the spare in the event of loss or damage to the main Yubikey.

    I wouldn't buy a car if the manufacturer only supplied one set of keys either. Mercedes Benz give one two regular keys, and a spare flat key that one can put in a wallet that has all the functionality of a regular key. Which is two backups to the main key.

    http://www.yubico.com


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    Impetus wrote: »
    I've had one since Stina Ehrensvärd first launched the Yubikey. But I have never used it for anything serious - fearing that if one lost the key, one could not access data. It is just a USB device that squirts an alpha-numeric code into a PC that makes it look as if it was keyboard entered.

    The device has potential.... but

    You always need a backup. They should be available in pairs that are identical and create identical codes. One could then resort to the spare in the event of loss or damage to the main Yubikey.

    I wouldn't buy a car if the manufacturer only supplied one set of keys either. Mercedes Benz give one two regular keys, and a spare flat key that one can put in a wallet that has all the functionality of a regular key. Which is two backups to the main key.

    http://www.yubico.com

    Hi Impetus,

    I agree with you that can be a worry! Personally I'm making use of the static password, although as Liam says you can associate more than one Yubikey with your account.

    For my actual laptop I don't bother backing up the key as all my personal documents are saved to SpiderOak (of course I have to trust that SpiderOak are in fact encrypting the data!)

    As for the other static password, you can write this down somewhere if you wish; I use a couple of hand ciphers to scramble it from prying eyes, I'm sure with a little imagination anyone could do the same.

    Of course there's no reason you have to use the Yubikey if 2 factor authentication is your thing. Any fool with Linux can put a keyfile on a USB drive, I just like the "write only" nature of the key.


  • Registered Users Posts: 1,193 ✭✭✭liamo


    I was putting a little thought into what Impetus was saying about the consequences of the loss of his YubiKey and was wondering why one couldn't simply get an app to generate a OTP if the key pair was known.

    I do believe that the key pair can be downloaded from YubiCo, if necessary. I haven't looked into this myself, I just remember reading about it recently.

    I did a quick Google on the subject and the first thing I found was some research on the extraction of the RSA key from the YubiKey.

    Given the above, it's probably possible to have an app on your cellphone that could generate valid OTPs for use against YubiCloud.

    Once you do that, it could be argued that a YubiKey-protected service only has the same level of protection as two-step authentication (SMS being the second step).

    Just my ramblings on the subject.

    Edit:
    It could also be argued that there's not much difference between two-step and two-factor authentication. For example, what's the difference to being able to receive an SMS on your phone with a OTP for entry and an app on your phone that calculates it for you?

    Of course, your RSA keys could be copied off your phone without your knowledge but you're probably going to notice your YubiKey missing.

    Just some more ramblings. I've changed my mind a few times on this subject over the last 30 minutes or so.


  • Registered Users Posts: 2,809 ✭✭✭edanto


    I've just recently dipped my toe into yubiland by buying a NEO and I plan to use that to authenticate a test account in my 'lab' (can't overstate how simple the build is). On a Synology NAS, I have used the Synology app to set up an LDAP server with test accounts.

    Any ideas where to start with that?

    On a VM in the lab I have a Windows 2012 R2 server, I could start with that, but I'd like to see if I can get an open-source/free directory instead of Active Directory.

    Since this is an old thread, would you all still recommend Yubi?

