The Yubikey

David Page Director The OTOBAS Group Pty. Ltd. BarCamp Canberra 28 March 2009

Content  Background to Authentication  OpenID – centralised identity management  Identity Theft  Multi-factor Authentication  The Yubikey  Useful Links

Background to Authentication  What is Authentication?  From the Greek, meaning real or genuine  the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true  Why Authenticate?  Restrict access to resources (log on to laptop)  Identify user contributions (comments on a blog)  Non repudiation (e.g. tax lodgements)

Background to Authentication  Authentication Factors  the ownership factors: Something the user has  the knowledge factors: Something the user knows  the inherence factors: Something the user is or does E.g. Fingerprint, retina voice 

Background to Authentication  How to Authenticate  Single factor E.g. user id and password   Multi factor E.g. Bank EFTPOS card and pin   Captchas – authenticating that you are human!

Background to Authentication  Establishing Credentials  Simple registration – e.g. Google, TrueCrypt  Self certification – e.g. web site certificate for SSL  Trust chains – e.g. PGP certificates  3rd party certification – e.g. VeriSign

Problems  Problem #1: managing all the types of authentication  E.g. multiple PINs, multiple user ids and passwords  Problem: #2: identify theft  E.g. keystroke loggers, phishing attacks, dumpster diving, lost laptop

OpenID  http://openid.net/  Single point of authority for user credentials  A bit like PayPal is for your credit card/bank details  Already supported by a range of major providers  E.g. Yahoo, Flickr, Blogger, Google, Wordpress, LiveJournal, AOL, VeriSign  You can also set up your own OpenID Server  Demo – VeriSign Personal Identity Page  Solves the first problem (multiple accounts), but not the second (identity theft)

Identity Theft  Has become an increasing problem  Physical access compromised (e.g. lost laptop)  Brute force (eg. dictionary) attacks  Credit card details poorly protected by 3rd parties  Keystroke loggers in malware  “Clickjacking”  Social engineering  Higher security access requires stronger authentication – e.g. multi-factor

Multi-factor Authentication  Typically two-factor is “something you have” and “something you know”, e.g. EFTPOS card and PIN  But need to consider replay attacks, e.g. credit card and security code is NOT true two-factor  RSA, SecurID one-time password token (e.g. PayPal)  Mobile phone SMS codes  But can be difficult/expensive to implement and integrate

Multi-factor Authentication  Really secure access (e.g. physical access to a data centre), may warrant three-factor authentication  Something you have, something you know, and something you are, e.g. userid, password and fingerprint  Biometric authentication is increasing in popularity  Fingerprint can serve both as WHO you are as well as WHAT you are  Cost of implementation coming down, integrated devices becoming more common  But not available everywhere as yet, particularly in legacy devices

Enter the YubiKey  Made by a Swedish company – http://yubico.com  Acts like a USB keyboard - supports most computers  Generates a fixed userid and a one-time password  Can also generate a fixed long/complex password  Very small form factor – easy/cheap to deploy  Yubico can authenticate you via OpenID or via free open source web service clients  Open source authentication servers are provided free  Java, C, PHP, Python, Perl, PAM (Linux)

YubiKey – How it Works  YubiKeys contain a 128-bit AES key, initially set by Yubico  AES is a symmetric cypher, not public/private key  You can generate your own AES key  When the button is pressed, the YubiKey generates a 44 character string consisting of:  A fixed userid (12 characters)  A one-time password (32 characters)  300,000,000,000,000,000,000,000,000,000,000,000,000 (3*10**38) combinations  Can also be configured to navigate to a specific web site and authenticate with one button press (Windows only at present)

YubiKey – How it Works  User id (12 characters):  vvuelcnnljrd  One-Time Password (32 characters):  brihhlvhgbcnlufjlvnuirudeunknlkn  Characters are encoded in ModHex for compatability  Sample output:  vvuelcnnljrdbtrffffdhhlidlhijrbckjgtlgcbnnnh  vvuelcnnljrdhrrbkfkhjfvturlkehrrfhkijdljbcdf  vvuelcnnljrdettngeieevitvlhvtjghilkttkhueglg

YubiKey – How it Works  The AES key is used to encrypt a set of data for the OTP:  A hidden identity field to verify the decrypted result  A volatile counter , incremented by one for each code that has been generated. The code is reset at each power-up  A non-volatile counter , incremented by one for each power- up event. The value of this counter is preserved even when power is lost  A non-predictable counter value is fed by a time-base that is highly device and session dependent.  A random seed  A simple checksum

YubiKey Features  Can operate in single or two-factor mode  Just rely on embedded userid and one-time password (operates as “something you have”)  Add either separate userid and/or password to embedded userid and OTP (operates as “something you have” and “something you know”)  YubiKey Demo  Mashed Life Demo

YubiKey – Other Features  “One time pad” approach means no time-based sync  Hardware based solution means proof against trojans (unlike software based solutions)  No battery to run down (unlike RSA key)  No time limit (unlike certificate-based solutions)  Small form factor (easy to ship/carry)  Fast and easy to use – lower user resistance  Low cost (approx $US25 one off, $US10 in quantity)

Useful Links  Yubico  Yubico Twitter Feed  YubiKey Security Analysis  Steve Gibson talking about YubiKey  AES Encryption  Mashed Life

The Yubikey

by David Page on Mar 27, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

1 Embed 2

Statistics

The Yubikey — Presentation Transcript