Yubico Forum

Re: AES Key Distribution, how do you want it?

2008-09-13T06:40:45+01:00

Robert & Phil,

Agreed fully!

Thanks

Statistics: Posted by paul — Sat Sep 13, 2008 6:40 am

Re: AES Key Distribution, how do you want it?

2008-09-13T14:14:25+01:00

Massyn wrote:

Hi guys,

I would propose that for developers, how about including the AES key printed on the invoice being included with the shipping? I would not want to get it through the web, for the risk of someone hijacking my OTP and getting the AES key before me.

For large quantities, I would prefer a secure https web delivery method, where 1 of the Yubikey's in the package should be a "special" one that is required to unlock the website, call it a bright shiny red Admin key, not for general use, simply for the admin page on Yubico. When ordering a few hundred keys, having 1 extra for admin purposes wouldn't be a problem.

Cheers

Phil Massyn

I definitely agree to what Phil said. It can not be that someone can just use one or two OTP's of a YubiKey and get the full AES key. It doesn't matter by what means (https, PGP, etc)! That's just not secure, and we talk about security if we talk about the YubiKey. It would undermine the security of all YubiKey's out there.

The proposal of Phil's is probable a feasible and secure way and it assures that only the receiver of one or a bunch of YubiKey's can get access to the original AES key's. The process described is pretty secure and it addresses single key handling as well as high volume handling with the 'red-key'.

Of course, at the current state it might be that in some exceptions the 'current process' is applied. But for the future, a secure process needs to be implemented.

Statistics: Posted by Robert — Fri Sep 12, 2008 9:32 am

Re: AES Key Distribution, how do you want it?

2008-09-11T19:10:34+01:00

Folks, here is a new way, the web way of doing it here and now:

viewtopic.php?f=5&t=185

Cheers

Statistics: Posted by paul — Thu Sep 11, 2008 7:10 pm

Re: AES Key Distribution, how do you want it?

2008-08-01T00:37:41+01:00

paul wrote:

Yes, it is the way it works before Simon implements the state-of-art way of delivery. You can email your 2 OTPS as proof of possession and you GPG (or PGP) key to Support@Yubico.com

Cheres

Ok, thank you. I've just sent the email.

Statistics: Posted by pablot — Fri Aug 01, 2008 12:37 am

Re: AES Key Distribution, how do you want it?

2008-07-31T02:33:24+01:00

Yes, it is the way it works before Simon implements the state-of-art way of delivery. You can email your 2 OTPS as proof of possession and you GPG (or PGP) key to Support@Yubico.com

Cheres

Statistics: Posted by paul — Thu Jul 31, 2008 2:33 am

Re: AES Key Distribution, how do you want it?

2008-07-30T01:57:40+01:00

Hi Simon, can I send you my GnuPG public key and a couple of OTP from two yubikeys so you can send me an ENCRYPTED email with the two AES keys?

Thank you,
Pablo

PS: please let me know your email address so I can email you.

Statistics: Posted by pablot — Wed Jul 30, 2008 1:57 am

Re: AES Key Distribution, how do you want it?

2008-06-16T16:54:16+01:00

Simon wrote:

To clarify, if anyone wants to get the AES key in their own yubikey, just send me an OTP for your device and we'll take care of it manually.

This thread is about how to do this "properly" in the future.

/Simon

Ops!, I'm sorry, I do want my AES key and have sent you a PM with a OTP of my yubikey.

pablot

Statistics: Posted by pablot — Mon Jun 16, 2008 4:54 pm

Re: AES Key Distribution, how do you want it?

2008-06-16T03:21:58+01:00

Statistics: Posted by Massyn — Mon Jun 16, 2008 3:21 am

Re: AES Key Distribution, how do you want it?

2008-06-15T23:53:30+01:00

Statistics: Posted by Simon — Sun Jun 15, 2008 11:53 pm

Re: AES Key Distribution, how do you want it?

2008-06-15T15:17:16+01:00

While the https web page is a very convenient solution, I think the email/OpenPGP solution is secure, practical and fast option in order to get our keys fast, while a better solution is developed.

Personally I would love to get my AES key as soon as possible because I cannot make any developement without loosing my actual key and all the yubico online services.

Please consider the email/OpenPGP in the meantime. By the way, can I get my AES key NOW by any other method?. I now, I'm a bit anxious!

Statistics: Posted by pablot — Sun Jun 15, 2008 3:17 pm

Re: AES Key Distribution, how do you want it?

2008-06-11T16:44:36+01:00

Simon wrote:

You missed the part about requiring to enter a password or code, set at purchase or generated and provided by mail with the keys themselves, to verify that the one logging in with the key is the same person as the one who made te purchase. That solves that security issue and will not allow anyone with only the yubikey to retrieve the key.

Statistics: Posted by Gerco — Wed Jun 11, 2008 4:44 pm

Re: AES Key Distribution, how do you want it?

2008-06-10T00:44:28+01:00

You only need to download the file with AES keys once (for a batch), so could it not be possible to allow only one successful https download?

In the case some black hat manage to borrow a YubiKey from you before you did get chance to download yours you will know since you can not get the AES keys.

Statistics: Posted by aha42 — Tue Jun 10, 2008 12:44 am

Re: AES Key Distribution, how do you want it?

2008-06-09T08:31:31+01:00

We are somewhat skeptic to the web service approach for AES key distribution, since it means that anyone who gets hold of your yubikey for a minute or two can retrieve the AES key for it. Not good for security... I do understand it is the best for quick testing though.

Right now we don't have easy access to connect the yubikey OTP with the e-mail of the person who bought it, so we can't do an automated e-mail ping either. But we could fix this, but it will increase time&costs at personalization time for us.

/Simon

Statistics: Posted by Simon — Mon Jun 09, 2008 8:31 am

Re: AES Key Distribution, how do you want it?

2008-06-06T03:27:55+01:00

I like the simple HTTPS page for small orders too. Seems like it would be the easiest and cheapest to implement and require the least amount of maintenance once the system is up and running.

If having the keys available on an internet accessible web server is not an option due to security reasons, then I would vote for the 1st suggested option of the OpenPGP protected text file being sent via email. I don't favor the CD option because I have received CD/DVDs in the mail and they sometimes arrive broken or scratched and this is when they are mailed to me from a place close to me. I have a feeling the odds of a CD arriving to me damaged when shipped from the other side of the world will be greater.

Statistics: Posted by James — Fri Jun 06, 2008 3:27 am

Re: AES Key Distribution, how do you want it?

2008-06-05T20:40:08+01:00

Yes HTTPS webpage would be nice.
And very easy to implement

Statistics: Posted by Henrik.Schack — Thu Jun 05, 2008 8:40 pm