The YubiKeyDavid Page
Director The OTOBAS Group Pty. Ltd.
BarCamp Canberra 28 March 2009
ContentBackground to AuthenticationOpenID – centralised identity managementIdentity TheftMulti-factor AuthenticationThe YubikeyUseful Links
Background to AuthenticationWhat is Authentication?
From the Greek, meaning real or genuinethe act of establishing or confirming something
(or someone) as authentic, that is, that claims made by or about the subject are true
Why Authenticate?Restrict access to resources (log on to laptop)Identify user contributions (comments on a
blog)Non repudiation (e.g. tax lodgements)
Background to AuthenticationAuthentication Factors
the ownership factors: Something the user has
the knowledge factors: Something the user knows
the inherence factors: Something the user is or does E.g. Fingerprint, retina voice
Background to AuthenticationHow to Authenticate
Single factor E.g. user id and password
Multi factor E.g. Bank EFTPOS card and pin
Captchas – authenticating that you are human!
Background to AuthenticationEstablishing Credentials
Simple registration – e.g. Google, TrueCryptSelf certification – e.g. web site certificate for
SSLTrust chains – e.g. PGP certificates3rd party certification – e.g. VeriSign
ProblemsProblem #1: managing all the types of
authenticationE.g. multiple PINs, multiple user ids and
passwordsProblem: #2: identify theft
E.g. keystroke loggers, phishing attacks, dumpster diving, lost laptop
OpenIDhttp://openid.net/Single point of authority for user credentials
A bit like PayPal is for your credit card/bank details
Already supported by a range of major providersE.g. Yahoo, Flickr, Blogger, Google, Wordpress,
LiveJournal, AOL, VeriSignYou can also set up your own OpenID ServerDemo – VeriSign Personal Identity PageSolves the first problem (multiple accounts), but
not the second (identity theft)
Identity TheftHas become an increasing problem
Physical access compromised (e.g. lost laptop)Brute force (eg. dictionary) attacksCredit card details poorly protected by 3rd
partiesKeystroke loggers in malware“Clickjacking”Social engineering
Higher security access requires stronger authentication – e.g. multi-factor
Multi-factor AuthenticationTypically two-factor is “something you have”
and “something you know”, e.g. EFTPOS card and PIN
But need to consider replay attacks, e.g. credit card and security code is NOT true two-factorRSA, SecurID one-time password token (e.g.
PayPal)Mobile phone SMS codesBut can be difficult/expensive to implement
and integrate
Multi-factor AuthenticationReally secure access (e.g. physical access to a data
centre), may warrant three-factor authenticationSomething you have, something you know, and
something you are, e.g. userid, password and fingerprint
Biometric authentication is increasing in popularityFingerprint can serve both as WHO you are as well
as WHAT you areCost of implementation coming down, integrated
devices becoming more commonBut not available everywhere as yet, particularly in
legacy devices
Enter the YubiKeyMade by a Swedish company –
http://yubico.comActs like a USB keyboard - supports most
computersGenerates a fixed userid and a one-time
passwordCan also generate a fixed long/complex
passwordVery small form factor – easy/cheap to deployYubico can authenticate you via OpenID or
via free open source web service clientsOpen source authentication servers are
provided freeJava, C, PHP, Python, Perl, PAM (Linux)
YubiKey – How it WorksYubiKeys contain a 128-bit AES key, initially set by
YubicoAES is a symmetric cypher, not public/private keyYou can generate your own AES key
When the button is pressed, the YubiKey generates a 44 character string consisting of:A fixed userid (12 characters)A one-time password (32 characters)
300,000,000,000,000,000,000,000,000,000,000,000,000 (3*10**38) combinations
Can also be configured to navigate to a specific web site and authenticate with one button press (Windows only at present)
YubiKey – How it WorksUser id (12 characters):
vvuelcnnljrdOne-Time Password (32 characters):
brihhlvhgbcnlufjlvnuirudeunknlknCharacters are encoded in ModHex for
compatabilitySample output:
vvuelcnnljrdbtrffffdhhlidlhijrbckjgtlgcbnnnhvvuelcnnljrdhrrbkfkhjfvturlkehrrfhkijdljbcdfvvuelcnnljrdettngeieevitvlhvtjghilkttkhueglg
YubiKey – How it WorksThe AES key is used to encrypt a set of data for the
OTP: A hidden identity field to verify the decrypted resultA volatile counter , incremented by one for each code
that has been generated. The code is reset at each power-up
A non-volatile counter , incremented by one for each power-up event. The value of this counter is preserved even when power is lost
A non-predictable counter value is fed by a time-base that is highly device and session dependent.
A random seedA simple checksum
YubiKey FeaturesCan operate in single or two-factor mode
Just rely on embedded userid and one-time password (operates as “something you have”)
Add either separate userid and/or password to embedded userid and OTP (operates as “something you have” and “something you know”)
YubiKey DemoMashed Life Demo
YubiKey – Other Features“One time pad” approach means no time-
based syncHardware based solution means proof
against trojans (unlike software based solutions)
No battery to run down (unlike RSA key)No time limit (unlike certificate-based
solutions)Small form factor (easy to ship/carry)Fast and easy to use – lower user resistanceLow cost (approx $US25 one off, $US10 in
quantity)
Useful LinksYubicoYubico Twitter FeedYubiKey Security AnalysisSteve Gibson talking about YubiKeyAES EncryptionMashed Life
Questions?
Top Related