Yubico Forum ...visit our web-store at 2008-09-02T18:29:40+01:00 https://forum.yubico.com/feed.php?f=8&t=155 2008-09-02T18:29:40+01:00 2008-09-02T18:29:40+01:00 https://forum.yubico.com/viewtopic.php?t=155&p=635#p635 <![CDATA[Re: Rohos Logon. Windows Login with YubiKey]]> Simon wrote:

You could integrate our personalization library in your application, so that when a user wants to use a YubiKey for Windows login, she needs to reprogram it.


It's a nice idea Simon, but for us windows programmers.. the personalization COM app doesn't work in Vista and there's no source code released for it.

(I'll just keep posting about it until someone at yubico finally answers :)

Statistics: Posted by ferrix — Tue Sep 02, 2008 6:29 pm

]]> 2008-09-02T10:40:06+01:00 2008-09-02T10:40:06+01:00 https://forum.yubico.com/viewtopic.php?t=155&p=628#p628 <![CDATA[Re: Rohos Logon. Windows Login with YubiKey]]> Rohos wrote:

Simon wrote:

1. Online validation. The OTP is validated against our server. This requires that the machine always has a working network connection. The user should configure the HMAC-key to use for validation and be able to change the server address (normally api.yubico.com).

2. Offline validation. This is for customers who only use the YubiKey for Windows login. The user needs to configure the software with the AES key, and it needs to keep track of the highest counter value seen so far for each yubikey. The YubiKey shouldn't be used for any other purpose in this mode, since there is no way to synchronize OTP re-use securely.

What do you think?

Thanks,
Simon



1. It a good idea, BUT ONLY if you have a desktop PC with a 100% live internet connection. This case exist only theoretically or in corporate environment.
I have a notebook , and when I go home sometimes its doesnt switch automatically to my wifi net or doesnt switch at all (buggy vista or acer e-net services).
Also sometimes depending on a Windows configuration internet connection may not rise up on the logon screen. So you will need to wait...

I agree that its more secure since the OTP goto server to expire immideately.

2. The only possible attack in this case is that Trojan will record the OTP and send it to bad guy. For this reason, yes I do agree.

Maybe we can mix 1 + 2 , so logon immideately by offile validation, then when user logged on connect with a OTP server in the background to expire otps. If there is no web, then wait for next time. Do you have an API for that on the server?


The API would be the same as for verifying an OTP: if you send any OTP to our server (even if you used to authenticate locally) it will be expired globally.

However, it is problematic to have two servers generally, so I would recommend that offline verification is always used against an AES key that isn't known to our server. You could integrate our personalization library in your application, so that when a user wants to use a YubiKey for Windows login, she needs to reprogram it. Then it is only usable for Windows login, but that is the tradeoff.

/Simon

Statistics: Posted by Simon — Tue Sep 02, 2008 10:40 am

]]> 2008-08-26T10:26:46+01:00 2008-08-26T10:26:46+01:00 https://forum.yubico.com/viewtopic.php?t=155&p=596#p596 <![CDATA[Re: Rohos Logon. Windows Login with YubiKey]]> Simon wrote:

1. Online validation. The OTP is validated against our server. This requires that the machine always has a working network connection. The user should configure the HMAC-key to use for validation and be able to change the server address (normally api.yubico.com).

2. Offline validation. This is for customers who only use the YubiKey for Windows login. The user needs to configure the software with the AES key, and it needs to keep track of the highest counter value seen so far for each yubikey. The YubiKey shouldn't be used for any other purpose in this mode, since there is no way to synchronize OTP re-use securely.

What do you think?

Thanks,
Simon



1. It a good idea, BUT ONLY if you have a desktop PC with a 100% live internet connection. This case exist only theoretically or in corporate environment.
I have a notebook , and when I go home sometimes its doesnt switch automatically to my wifi net or doesnt switch at all (buggy vista or acer e-net services).
Also sometimes depending on a Windows configuration internet connection may not rise up on the logon screen. So you will need to wait...

I agree that its more secure since the OTP goto server to expire immideately.

2. The only possible attack in this case is that Trojan will record the OTP and send it to bad guy. For this reason, yes I do agree.

Maybe we can mix 1 + 2 , so logon immideately by offile validation, then when user logged on connect with a OTP server in the background to expire otps. If there is no web, then wait for next time. Do you have an API for that on the server?

Statistics: Posted by Rohos — Tue Aug 26, 2008 10:26 am

]]> 2008-08-20T08:02:26+01:00 2008-08-20T08:02:26+01:00 https://forum.yubico.com/viewtopic.php?t=155&p=574#p574 <![CDATA[Re: Rohos Logon. Windows Login with YubiKey]]> Statistics: Posted by caitsith6502 — Wed Aug 20, 2008 8:02 am

]]> 2008-08-19T15:27:41+01:00 2008-08-19T15:27:41+01:00 https://forum.yubico.com/viewtopic.php?t=155&p=571#p571 <![CDATA[Re: Rohos Logon. Windows Login with YubiKey]]> PatrickN wrote:

Simon wrote:
2. Offline validation. This is for customers who only use the YubiKey for Windows login. The user needs to configure the software with the AES key, and it needs to keep track of the highest counter value seen so far for each yubikey. The YubiKey shouldn't be used for any other purpose in this mode, since there is no way to synchronize OTP re-use securely.


Could you expand on this a little please, I am not sure I understand the problems associated with synchronizing the OTP.

How would this work for a typical corporate Laptop user? Most of the time they are in the office connected to the corporate LAN and validating online. But also have a need to travel away from the office possibly with no net access.


First, let's restate the problem: The problem is that if you validate an OTP using the same AES key that api.yubico.com uses, the OTP you verify will be re-usable again on the api.yubico.com server. It will also be reusable on any other system that also validate OTPs based on the AES key. The reason is that the counter values aren't synchronized.

The simplest solution is to only permit the YubiKey to be used for Windows login. Nothing else. Then you can use our personalization software to write a new AES key into your Yubikey, and configure your Windows login software to use that AES key. Your software needs to remember the counter values, so that you can't replay an OTP against it. However, since it is the only software that validates the OTPs, no synchronization is needed.

There aren't any really good solutions to synchronize OTPs. You could make the Windows login software send the used OTPs to api.yubico.com when it becomes online, but there is a time window when someone could use these tokens if they could get access to them. There is also the security problem of having the AES key stored on your Windows platform, which is hardly immune to Trojans etc. If your AES key is compromised, someone can impersonate you on any service that supports Yubikey.

/Simon

Statistics: Posted by Simon — Tue Aug 19, 2008 3:27 pm

]]> 2008-08-19T14:54:44+01:00 2008-08-19T14:54:44+01:00 https://forum.yubico.com/viewtopic.php?t=155&p=562#p562 <![CDATA[Re: Rohos Logon. Windows Login with YubiKey]]> Simon wrote:

2. Offline validation. This is for customers who only use the YubiKey for Windows login. The user needs to configure the software with the AES key, and it needs to keep track of the highest counter value seen so far for each yubikey. The YubiKey shouldn't be used for any other purpose in this mode, since there is no way to synchronize OTP re-use securely.


Could you expand on this a little please, I am not sure I understand the problems associated with synchronizing the OTP.

How would this work for a typical corporate Laptop user? Most of the time they are in the office connected to the corporate LAN and validating online. But also have a need to travel away from the office possibly with no net access.

Statistics: Posted by PatrickN — Tue Aug 19, 2008 2:54 pm

]]> 2008-08-19T14:25:15+01:00 2008-08-19T14:25:15+01:00 https://forum.yubico.com/viewtopic.php?t=155&p=557#p557 <![CDATA[Re: Rohos Logon. Windows Login with YubiKey]]> Rohos wrote:

gmik wrote:
---------

Rohos wrote:
Yes it does.


Doesn't seem to (yet?), from this page:
http://www.rohos.com/free-encryption/20 ... 8/yubikey/

http://www.rohos.com/free-encryption/2008/07/28/yubikey wrote:

3. In current release Rohos doesn’t check generated OTP on the server, or OTP validity. It only checks the key’s ID.


---------


Sorry, it doesnt now. But we can do it if community will insist :)


I think it would be an excellent addition for your software, and would make more people interested in it.

I believe you could have two modes:

1. Online validation. The OTP is validated against our server. This requires that the machine always has a working network connection. The user should configure the HMAC-key to use for validation and be able to change the server address (normally api.yubico.com).

2. Offline validation. This is for customers who only use the YubiKey for Windows login. The user needs to configure the software with the AES key, and it needs to keep track of the highest counter value seen so far for each yubikey. The YubiKey shouldn't be used for any other purpose in this mode, since there is no way to synchronize OTP re-use securely.

What do you think?

Thanks,
Simon

Statistics: Posted by Simon — Tue Aug 19, 2008 2:25 pm

]]> 2008-08-06T14:36:48+01:00 2008-08-06T14:36:48+01:00 https://forum.yubico.com/viewtopic.php?t=155&p=532#p532 <![CDATA[Re: Rohos Logon. Windows Login with YubiKey]]> Snow wrote:

When will it support Vista? When will it support Mac & KeyChain? Do you plan to go open source on this project?

Thanks for the good work!


Today we published new update with Windows Vista (x64/x86) support.
As for Mac's, I think we will make it in Octomber, as now we are making wireless lock by using Bluetooth enabled mobile...

Statistics: Posted by Rohos — Wed Aug 06, 2008 2:36 pm

]]> 2008-08-06T14:34:42+01:00 2008-08-06T14:34:42+01:00 https://forum.yubico.com/viewtopic.php?t=155&p=531#p531 <![CDATA[Re: Rohos Logon. Windows Login with YubiKey]]> gmik wrote:

---------

Rohos wrote:
Yes it does.


Doesn't seem to (yet?), from this page:
http://www.rohos.com/free-encryption/20 ... 8/yubikey/

http://www.rohos.com/free-encryption/2008/07/28/yubikey wrote:

3. In current release Rohos doesn’t check generated OTP on the server, or OTP validity. It only checks the key’s ID.


---------


Sorry, it doesnt now. But we can do it if community will insist :)

Statistics: Posted by Rohos — Wed Aug 06, 2008 2:34 pm

]]> 2008-08-06T13:41:27+01:00 2008-08-06T13:41:27+01:00 https://forum.yubico.com/viewtopic.php?t=155&p=529#p529 <![CDATA[Re: Rohos Logon. Windows Login with YubiKey]]>
Rohos wrote:

Yes it does.


Doesn't seem to (yet?), from this page:
http://www.rohos.com/free-encryption/20 ... 8/yubikey/

http://www.rohos.com/free-encryption/2008/07/28/yubikey wrote:

3. In current release Rohos doesn’t check generated OTP on the server, or OTP validity. It only checks the key’s ID.


---------

Statistics: Posted by gmik — Wed Aug 06, 2008 1:41 pm

]]> 2008-08-04T21:41:12+01:00 2008-08-04T21:41:12+01:00 https://forum.yubico.com/viewtopic.php?t=155&p=521#p521 <![CDATA[Re: Rohos Logon. Windows Login with YubiKey]]>
Thanks for the good work!

Statistics: Posted by Snow — Mon Aug 04, 2008 9:41 pm

]]> 2008-08-04T15:44:51+01:00 2008-08-04T15:44:51+01:00 https://forum.yubico.com/viewtopic.php?t=155&p=518#p518 <![CDATA[Re: Rohos Logon. Windows Login with YubiKey]]> Statistics: Posted by Rohos — Mon Aug 04, 2008 3:44 pm

]]> 2008-08-01T15:46:51+01:00 2008-08-01T15:46:51+01:00 https://forum.yubico.com/viewtopic.php?t=155&p=512#p512 <![CDATA[Re: Rohos Logon. Windows Login with YubiKey]]> does this work in dynamic otp mode?
---------

Statistics: Posted by gmik — Fri Aug 01, 2008 3:46 pm

]]> 2008-08-01T08:44:29+01:00 2008-08-01T08:44:29+01:00 https://forum.yubico.com/viewtopic.php?t=155&p=509#p509 <![CDATA[Rohos Logon. Windows Login with YubiKey]]>
Let me introduce Rohos Logon Key with YubiKey support:
http://www.rohos.com/yubikey.htm

At the moment only Windows XP (x86/x64) are tested. Vista support in progress. Mac OS X login in development plans.

Your feedback will be appreciated.

Alex Silonosov.
Rohos.com CEO.

Statistics: Posted by Rohos — Fri Aug 01, 2008 8:44 am

]]>