The Yubikey

  • otobas, 7 months ago
    This is the original presentation, before I hacked it back after discovering I only had 15 minutes or so to speak.... David P.

The Yubikey - Presentation Transcript

  1. David Page, Director, The OTOBAS Group Pty. Ltd. BarCamp Canberra, 28 March 2009
  2. Content
     • Background to Authentication
     • OpenID – centralised identity management
     • Identity Theft
     • Multi-factor Authentication
     • The Yubikey
     • Useful Links
  3. Background to Authentication
     • What is Authentication?
       • From the Greek, meaning real or genuine
       • The act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true
     • Why Authenticate?
       • Restrict access to resources (log on to laptop)
       • Identify user contributions (comments on a blog)
       • Non-repudiation (e.g. tax lodgements)
  4. Background to Authentication
     • Authentication Factors
       • The ownership factors: something the user has
       • The knowledge factors: something the user knows
       • The inherence factors: something the user is or does, e.g. fingerprint, retina, voice
  5. Background to Authentication
     • How to Authenticate
       • Single factor, e.g. user id and password
       • Multi factor, e.g. bank EFTPOS card and PIN
       • Captchas – authenticating that you are human!
  6. Background to Authentication
     • Establishing Credentials
       • Simple registration – e.g. Google, TrueCrypt
       • Self certification – e.g. web site certificate for SSL
       • Trust chains – e.g. PGP certificates
       • 3rd party certification – e.g. VeriSign
  7. Problems
     • Problem #1: managing all the types of authentication, e.g. multiple PINs, multiple user ids and passwords
     • Problem #2: identity theft, e.g. keystroke loggers, phishing attacks, dumpster diving, lost laptop
  8. OpenID
     • http://openid.net/
     • Single point of authority for user credentials
     • A bit like PayPal is for your credit card/bank details
     • Already supported by a range of major providers, e.g. Yahoo, Flickr, Blogger, Google, Wordpress, LiveJournal, AOL, VeriSign
     • You can also set up your own OpenID Server
     • Demo – VeriSign Personal Identity Page
     • Solves the first problem (multiple accounts), but not the second (identity theft)
  9. Identity Theft
     • Has become an increasing problem
     • Physical access compromised (e.g. lost laptop)
     • Brute force (e.g. dictionary) attacks
     • Credit card details poorly protected by 3rd parties
     • Keystroke loggers in malware
     • “Clickjacking”
     • Social engineering
     • Higher security access requires stronger authentication – e.g. multi-factor
  10. Multi-factor Authentication
     • Typically two-factor is “something you have” and “something you know”, e.g. EFTPOS card and PIN
     • But need to consider replay attacks, e.g. credit card and security code is NOT true two-factor
     • RSA SecurID one-time password token (e.g. PayPal)
     • Mobile phone SMS codes
     • But can be difficult/expensive to implement and integrate
  11. Multi-factor Authentication
     • Really secure access (e.g. physical access to a data centre) may warrant three-factor authentication
     • Something you have, something you know, and something you are, e.g. userid, password and fingerprint
     • Biometric authentication is increasing in popularity
     • Fingerprint can serve both as WHO you are as well as WHAT you are
     • Cost of implementation coming down, integrated devices becoming more common
     • But not available everywhere as yet, particularly in legacy devices
  12. Enter the YubiKey
     • Made by a Swedish company – http://yubico.com
     • Acts like a USB keyboard – supports most computers
     • Generates a fixed userid and a one-time password
     • Can also generate a fixed long/complex password
     • Very small form factor – easy/cheap to deploy
     • Yubico can authenticate you via OpenID or via free open source web service clients
     • Open source authentication servers are provided free: Java, C, PHP, Python, Perl, PAM (Linux)
  13. YubiKey – How it Works
     • YubiKeys contain a 128-bit AES key, initially set by Yubico
     • AES is a symmetric cipher, not public/private key
     • You can generate your own AES key
     • When the button is pressed, the YubiKey generates a 44 character string consisting of:
       • A fixed userid (12 characters)
       • A one-time password (32 characters)
     • 300,000,000,000,000,000,000,000,000,000,000,000,000 (3*10**38) combinations
     • Can also be configured to navigate to a specific web site and authenticate with one button press (Windows only at present)
  14. YubiKey – How it Works
     • User id (12 characters): vvuelcnnljrd
     • One-Time Password (32 characters): brihhlvhgbcnlufjlvnuirudeunknlkn
     • Characters are encoded in ModHex for compatibility
     • Sample output:
       • vvuelcnnljrdbtrffffdhhlidlhijrbckjgtlgcbnnnh
       • vvuelcnnljrdhrrbkfkhjfvturlkehrrfhkijdljbcdf
       • vvuelcnnljrdettngeieevitvlhvtjghilkttkhueglg
  15. YubiKey – How it Works
     • The AES key is used to encrypt a set of data for the OTP:
       • A hidden identity field to verify the decrypted result
       • A volatile counter, incremented by one for each code that has been generated. The counter is reset at each power-up
       • A non-volatile counter, incremented by one for each power-up event. The value of this counter is preserved even when power is lost
       • A non-predictable counter value, fed by a time-base that is highly device and session dependent
       • A random seed
       • A simple checksum
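The parsing and replay-check side of slides 13 to 15, as an added Python example (not Yubico's code or the presentation's): it splits the 44-character keyboard output into the 12-character public id and the 32-character ModHex OTP, and validates the 16-byte block a verifier sees after AES-128 decryption. The AES step itself is left out (it needs a crypto library); the field sizes and the CRC-16 residue 0xf0b8 are assumed from Yubico's published OTP layout, which the slides do not give, and the counter values in the sample block are constructed.

```python
import struct

MODHEX = "cbdefghijklnrtuv"  # ModHex alphabet: value 0..15 maps to these letters
CRC_OK_RESIDUE = 0xF0B8      # CRC-16 register left over a correct 16-byte block (Yubico spec)

def modhex_decode(s: str) -> bytes:
    """Decode a ModHex string (two letters per byte) into bytes."""
    if len(s) % 2 or any(ch not in MODHEX for ch in s):
        raise ValueError("not a ModHex string")
    nib = [MODHEX.index(ch) for ch in s]
    return bytes((hi << 4) | lo for hi, lo in zip(nib[::2], nib[1::2]))

def split_otp(token: str):
    """Split the 44-char keyboard output into public id (12 chars) and OTP (16 bytes)."""
    if len(token) != 44:
        raise ValueError("expected 44 ModHex characters")
    return token[:12], modhex_decode(token[12:])

def crc16(data: bytes) -> int:
    """Yubico CRC-16: reflected polynomial 0x8408, init 0xffff, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc

def build_plaintext(uid: bytes, ctr: int, tstp: int, use: int, rnd: int) -> bytes:
    """Constructed sample of the block a key encrypts (assumed layout: uid[6], ctr, tstp, use, rnd, crc)."""
    body = struct.pack("<6sHHBBH", uid, ctr, tstp & 0xFFFF, tstp >> 16, use, rnd)
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)  # CRC stored inverted, little-endian

def parse_plaintext(block: bytes) -> dict:
    """Parse the 16 bytes obtained after AES-128 decryption; the checksum detects a wrong key."""
    if len(block) != 16 or crc16(block) != CRC_OK_RESIDUE:
        raise ValueError("bad checksum: wrong AES key or corrupted OTP")
    uid, ctr, lo, hi, use, rnd, _ = struct.unpack("<6sHHBBHH", block)
    return {"uid": uid, "session_ctr": ctr, "use_ctr": use,
            "timestamp": lo | (hi << 16), "random": rnd}

def accept(fields: dict, expected_uid: bytes, last_seen: tuple) -> bool:
    """Verifier-side replay check: hidden id matches and (power-up, use) counters move forward."""
    return fields["uid"] == expected_uid and \
        (fields["session_ctr"], fields["use_ctr"]) > last_seen
```

A replayed OTP decrypts to counters no greater than the last pair stored for that key, so `accept` rejects it without any clock synchronisation.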
  16. YubiKey Features
     • Can operate in single or two-factor mode
     • Just rely on embedded userid and one-time password (operates as “something you have”)
     • Add either separate userid and/or password to embedded userid and OTP (operates as “something you have” and “something you know”)
     • YubiKey Demo
     • Mashed Life Demo
  17. YubiKey – Other Features
     • “One time pad” approach means no time-based sync
     • Hardware based solution means proof against trojans (unlike software based solutions)
     • No battery to run down (unlike RSA key)
     • No time limit (unlike certificate-based solutions)
     • Small form factor (easy to ship/carry)
     • Fast and easy to use – lower user resistance
     • Low cost (approx $US25 one off, $US10 in quantity)
  18. Useful Links
     • Yubico
     • Yubico Twitter Feed
     • YubiKey Security Analysis
     • Steve Gibson talking about YubiKey
     • AES Encryption
     • Mashed Life

Presentation to BarCampCanberra2 on the YubiKey