Yubico Forum...visit our web-store at2012-04-08T08:52:11+01:00https://forum.yubico.com/feed.php?f=16&t=7822012-04-08T08:52:11+01:002012-04-08T08:52:11+01:00https://forum.yubico.com/viewtopic.php?t=782&p=2994#p2994<![CDATA[Re: Storing more than 6bytes worth of private data?]]>dbp wrote:
Doing that would be vulnerable to replay attacks, which would be definitely non-optimal. I would like to retain the security of OTPs, but just deliver a slightly larger payload.
How about OTP in slot 1, to mitigate replay attacks, and a static password/encryption key in slot 2?
Statistics: Posted by andlil — Sun Apr 08, 2012 8:52 am
]]>2012-04-07T16:44:17+01:002012-04-07T16:44:17+01:00https://forum.yubico.com/viewtopic.php?t=782&p=2993#p2993<![CDATA[Re: Storing more than 6bytes worth of private data?]]>andlil wrote:
Doing that would be vulnerable to replay attacks, which would be definitely non-optimal. I would like to retain the security of OTPs, but just deliver a slightly larger payload.
Statistics: Posted by dbp — Sat Apr 07, 2012 4:44 pm
]]>2012-04-07T08:33:57+01:002012-04-07T08:33:57+01:00https://forum.yubico.com/viewtopic.php?t=782&p=2992#p2992<![CDATA[Re: Storing more than 6bytes worth of private data?]]>http://www.yubico.com/static-password
Statistics: Posted by andlil — Sat Apr 07, 2012 8:33 am
]]>2012-04-06T20:07:59+01:002012-04-06T20:07:59+01:00https://forum.yubico.com/viewtopic.php?t=782&p=2991#p2991<![CDATA[Storing more than 6bytes worth of private data?]]> But the only private payload that I can send (as far as I can tell) is the private "ID". 6 bytes is 48 bits, which is a little small for an encryption key. So my question is, is there any way of storing more private data? Like can I somehow fix the 16bit random number to be a known constant, yielding 64 bits total (which is still small, but might be enough, at least as a proof of concept).
Anyway, I know this is not exactly what the yubikey is designed for, but I think it could have real potential - as more and more computation is done via the web, the inherent problem of permanently storing decryption keys serverside (or not encrypting data at all, as it is basically equivalent) becomes more of an issue. In theory it is simple to send a decryption key every time you use a service, but for it to be realistic, it has to be practical, and it seems like the yubikey (with just a tiny bit more data) could make this really easy, as it is already capable of sending a tamper-proof secret payload.