David Page, Director, The OTOBAS Group Pty. Ltd.
BarCamp Canberra, 28 March 2009

Presentation to BarCampCanberra2 on the YubiKey by Yubico

The Yubikey

Content
  - Background to Authentication
  - OpenID – centralised identity management
  - Identity Theft
  - Multi-factor Authentication
  - The Yubikey
  - Useful Links

Background to Authentication
  - What is Authentication?
    - From the Greek, meaning real or genuine
    - The act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true
  - Why Authenticate?
    - Restrict access to resources (log on to laptop)
    - Identify user contributions (comments on a blog)
    - Non-repudiation (e.g. tax lodgements)

Background to Authentication
  - Authentication Factors
    - The ownership factors: something the user has
    - The knowledge factors: something the user knows
    - The inherence factors: something the user is or does, e.g. fingerprint, retina, voice

Background to Authentication
  - How to Authenticate
    - Single factor, e.g. user id and password
    - Multi factor, e.g. bank EFTPOS card and PIN
    - Captchas – authenticating that you are human!

Background to Authentication
  - Establishing Credentials
    - Simple registration – e.g. Google, TrueCrypt
    - Self certification – e.g. web site certificate for SSL
    - Trust chains – e.g. PGP certificates
    - 3rd party certification – e.g. VeriSign

Problems
  - Problem #1: managing all the types of authentication
    - E.g. multiple PINs, multiple user ids and passwords
  - Problem #2: identity theft
    - E.g. keystroke loggers, phishing attacks, dumpster diving, lost laptop

OpenID
  - http://openid.net/
  - Single point of authority for user credentials
    - A bit like PayPal is for your credit card/bank details
  - Already supported by a range of major providers
    - E.g. Yahoo, Flickr, Blogger, Google, Wordpress, LiveJournal, AOL, VeriSign
  - You can also set up your own OpenID server
  - Demo – VeriSign Personal Identity Page
  - Solves the first problem (multiple accounts), but not the second (identity theft)

Identity Theft
  - Has become an increasing problem
    - Physical access compromised (e.g. lost laptop)
    - Brute force (e.g. dictionary) attacks
    - Credit card details poorly protected by 3rd parties
    - Keystroke loggers in malware
    - “Clickjacking”
    - Social engineering
  - Higher security access requires stronger authentication – e.g. multi-factor

Multi-factor Authentication
  - Typically two-factor is “something you have” and “something you know”, e.g. EFTPOS card and PIN
  - But need to consider replay attacks, e.g. credit card and security code is NOT true two-factor
  - RSA SecurID one-time password token (e.g. PayPal)
  - Mobile phone SMS codes
  - But can be difficult/expensive to implement and integrate

Multi-factor Authentication
  - Really secure access (e.g. physical access to a data centre) may warrant three-factor authentication
    - Something you have, something you know, and something you are, e.g. userid, password and fingerprint
  - Biometric authentication is increasing in popularity
    - Fingerprint can serve both as WHO you are as well as WHAT you are
    - Cost of implementation coming down, integrated devices becoming more common
    - But not available everywhere as yet, particularly in legacy devices

Enter the YubiKey
  - Made by a Swedish company – http://yubico.com
  - Acts like a USB keyboard – supports most computers
  - Generates a fixed userid and a one-time password
  - Can also generate a fixed long/complex password
  - Very small form factor – easy/cheap to deploy
  - Yubico can authenticate you via OpenID or via free open source web service clients
  - Open source authentication servers are provided free
    - Java, C, PHP, Python, Perl, PAM (Linux)

YubiKey – How it Works
  - YubiKeys contain a 128-bit AES key, initially set by Yubico
    - AES is a symmetric cypher, not public/private key
    - You can generate your own AES key
  - When the button is pressed, the YubiKey generates a 44 character string consisting of:
    - A fixed userid (12 characters)
    - A one-time password (32 characters)
    - 300,000,000,000,000,000,000,000,000,000,000,000,000 (3*10**38) combinations
  - Can also be configured to navigate to a specific web site and authenticate with one button press (Windows only at present)

YubiKey – How it Works
  - User id (12 characters):
    vvuelcnnljrd
  - One-Time Password (32 characters):
    brihhlvhgbcnlufjlvnuirudeunknlkn
  - Characters are encoded in ModHex for compatibility
  - Sample output:
    vvuelcnnljrdbtrffffdhhlidlhijrbckjgtlgcbnnnh
    vvuelcnnljrdhrrbkfkhjfvturlkehrrfhkijdljbcdf
    vvuelcnnljrdettngeieevitvlhvtjghilkttkhueglg

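As an added example (my own Go code written for this page, not Yubico's or the presenter's), the following decodes the ModHex strings on the slide above. The ModHex alphabet `cbdefghijklnrtuv` stands for the nibble values 0 to 15 and was chosen because those letters sit on the same keys in most keyboard layouts, so the string the key "types" decodes the same way whatever layout the host uses. The code decodes and re-encodes ModHex and splits a 44-character output into its 6-byte public identity and 16-byte encrypted block; the sample strings are the ones from the slide.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ModHex alphabet: the 16 symbols the YubiKey types for nibble values 0..15.
// They sit on the same physical keys in most keyboard layouts, which is what
// lets a device that "acts like a USB keyboard" be decoded layout-independently.
const modhexAlphabet = "cbdefghijklnrtuv"

// ModHexDecode converts a ModHex string to bytes (two symbols per byte).
func ModHexDecode(s string) ([]byte, error) {
	if len(s)%2 != 0 {
		return nil, errors.New("modhex: odd length")
	}
	out := make([]byte, len(s)/2)
	for i := 0; i < len(s); i += 2 {
		hi := strings.IndexByte(modhexAlphabet, s[i])
		lo := strings.IndexByte(modhexAlphabet, s[i+1])
		if hi < 0 || lo < 0 {
			return nil, fmt.Errorf("modhex: invalid symbol in %q", s)
		}
		out[i/2] = byte(hi<<4 | lo)
	}
	return out, nil
}

// ModHexEncode is the inverse of ModHexDecode.
func ModHexEncode(b []byte) string {
	out := make([]byte, 0, 2*len(b))
	for _, c := range b {
		out = append(out, modhexAlphabet[c>>4], modhexAlphabet[c&0x0f])
	}
	return string(out)
}

// SplitOTP separates a 44-symbol YubiKey output into the fixed public identity
// (first 12 symbols = 6 bytes) and the encrypted part (32 symbols = one 16-byte
// AES block).
func SplitOTP(otp string) (publicID, cipherBlock []byte, err error) {
	if len(otp) != 44 {
		return nil, nil, fmt.Errorf("otp: want 44 symbols, got %d", len(otp))
	}
	if publicID, err = ModHexDecode(otp[:12]); err != nil {
		return nil, nil, err
	}
	if cipherBlock, err = ModHexDecode(otp[12:]); err != nil {
		return nil, nil, err
	}
	return publicID, cipherBlock, nil
}

func main() {
	// The three sample strings from the slide: same public ID, different OTP.
	for _, otp := range []string{
		"vvuelcnnljrdbtrffffdhhlidlhijrbckjgtlgcbnnnh",
		"vvuelcnnljrdhrrbkfkhjfvturlkehrrfhkijdljbcdf",
		"vvuelcnnljrdettngeieevitvlhvtjghilkttkhueglg",
	} {
		id, block, err := SplitOTP(otp)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("public id %x  encrypted block %x\n", id, block)
	}
}
```

Running it shows the same public identity (ffe3a0bba8c2) in front of three different encrypted blocks, which is exactly the split a verification server makes: the public part selects which AES key to try, and everything after it is opaque until decrypted.
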
YubiKey – How it Works
  - The AES key is used to encrypt a set of data for the OTP:
    - A hidden identity field to verify the decrypted result
    - A volatile counter, incremented by one for each code that has been generated. The counter is reset at each power-up
    - A non-volatile counter, incremented by one for each power-up event. The value of this counter is preserved even when power is lost
    - A non-predictable counter value, fed by a time base that is highly device and session dependent
    - A random seed
    - A simple checksum

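As an added example of the structure above (my own Go code written for this page, not Yubico's or the presenter's), the following packs those fields into the 16-byte block that the key encrypts with its AES-128 key and implements the verifier's side: decrypt, check the checksum, compare the hidden identity, and reject any code whose counters have not advanced past the last accepted one, which is what makes the password one-time. The field widths (6-byte hidden identity, 16-bit power-up counter, 24-bit timestamp, 8-bit per-code counter, 16-bit random seed, 16-bit CRC) and the CRC residual are taken from Yubico's published OTP layout rather than from the slide; the key, hidden identity and counter values are constructed demo values, and the counter-only replay rule is a simplification of what a production validation server does. It works on the raw 16 bytes, i.e. after ModHex decoding.

```go
package main

import (
	"crypto/aes"
	"errors"
	"fmt"
)

// crc16 over a correct block, its own CRC bytes included, leaves this residual.
const crcResidual = 0xf0b8

// OTPFields are packed into the block the key encrypts (widths assumed from Yubico's published layout).
type OTPFields struct {
	PrivateID  [6]byte // hidden identity, verified after decryption
	UseCounter uint16  // non-volatile counter, +1 per power-up
	Timestamp  uint32  // 24 bits from the device/session-dependent time base
	SessionCtr uint8   // volatile counter, +1 per code, reset at power-up
	Random     uint16  // random seed
}

// crc16 is the ISO 13239 / X.25 CRC the OTP uses (poly 0x8408, init 0xffff).
func crc16(data []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ (0x8408 & -(crc & 1)) // xor in the polynomial iff the low bit was set
		}
	}
	return crc
}

// Pack serialises the fields little-endian and appends the complemented CRC of the first 14 bytes.
func (f OTPFields) Pack() []byte {
	buf := make([]byte, 16)
	copy(buf[0:6], f.PrivateID[:])
	buf[6], buf[7] = byte(f.UseCounter), byte(f.UseCounter>>8)
	buf[8], buf[9], buf[10] = byte(f.Timestamp), byte(f.Timestamp>>8), byte(f.Timestamp>>16)
	buf[11] = f.SessionCtr
	buf[12], buf[13] = byte(f.Random), byte(f.Random>>8)
	crc := ^crc16(buf[:14])
	buf[14], buf[15] = byte(crc), byte(crc>>8)
	return buf
}

// EncryptBlock simulates one button press: AES-128-encrypt the packed block.
func EncryptBlock(key []byte, f OTPFields) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, 16)
	block.Encrypt(ct, f.Pack())
	return ct, nil
}

// Validator is the server side for one key: AES key, hidden identity, last accepted counters.
type Validator struct {
	Key       []byte
	PrivateID [6]byte
	lastUse   uint16
	lastSess  uint8
	seen      bool
}

// Validate decrypts a block and checks checksum, hidden identity, and that the
// (UseCounter, SessionCtr) pair is strictly past the last accepted code (replay check).
func (v *Validator) Validate(ct []byte) error {
	block, err := aes.NewCipher(v.Key)
	if err != nil || len(ct) != 16 {
		return fmt.Errorf("otp: bad key or block length (%v)", err)
	}
	pt := make([]byte, 16)
	block.Decrypt(pt, ct)
	if crc16(pt) != crcResidual {
		return errors.New("otp: bad checksum (wrong key or corrupted code)")
	}
	var priv [6]byte
	copy(priv[:], pt[:6])
	if priv != v.PrivateID {
		return errors.New("otp: hidden identity mismatch")
	}
	use, sess := uint16(pt[6])|uint16(pt[7])<<8, pt[11]
	if v.seen && (use < v.lastUse || (use == v.lastUse && sess <= v.lastSess)) {
		return errors.New("otp: replay, counters did not advance")
	}
	v.lastUse, v.lastSess, v.seen = use, sess, true
	return nil
}

func main() {
	key := []byte("0123456789abcdef")                   // constructed demo key
	priv := [6]byte{0xde, 0xad, 0xbe, 0xef, 0x01, 0x02} // constructed hidden identity
	v := &Validator{Key: key, PrivateID: priv}
	ct, _ := EncryptBlock(key, OTPFields{PrivateID: priv, UseCounter: 7, SessionCtr: 3, Timestamp: 0x1234, Random: 0xbeef})
	fmt.Printf("block %x\nfirst: %v\n", ct, v.Validate(ct))
	fmt.Printf("second: %v\n", v.Validate(ct)) // same code again: rejected as a replay
}
```

The first submission is accepted and the identical second one is refused, while a code produced after another power-up (higher non-volatile counter, per-code counter back to zero) is still accepted; that is why the two counters are compared as a pair rather than individually. The checksum check also doubles as a wrong-key detector, since decrypting with any other AES key yields a block that almost never leaves the expected residual.
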
YubiKey Features
  - Can operate in single or two-factor mode
    - Just rely on embedded userid and one-time password (operates as “something you have”)
    - Add either separate userid and/or password to embedded userid and OTP (operates as “something you have” and “something you know”)
  - YubiKey Demo
  - Mashed Life Demo

YubiKey – Other Features
  - “One time pad” approach means no time-based sync
  - Hardware based solution means proof against trojans (unlike software based solutions)
  - No battery to run down (unlike RSA key)
  - No time limit (unlike certificate-based solutions)
  - Small form factor (easy to ship/carry)
  - Fast and easy to use – lower user resistance
  - Low cost (approx $US25 one off, $US10 in quantity)

Useful Links
  - Yubico
  - Yubico Twitter Feed
  - YubiKey Security Analysis
  - Steve Gibson talking about YubiKey
  - AES Encryption
  - Mashed Life
