Yubico Forum

Re: HUGE security vulnerability with Yubikey?

2011-02-16T13:16:39+01:00

Yep, simple solution. I did this with my OpenID server, the patch for it has been sent to the Community-ID bug tracker.

Basically when you register for Community-ID, you initially do it using password authentication. Then, when you've activated the account you have the option of enabling YubiKey authentication (single-factor). I extended this to provide two-factor... the prefix of the key for each user is in the database, it takes the length of this, adds 32 to it, and feeds that into substr a couple of times to split user password from OTP.

I'll probably look into doing this with YubiPAM if I can't get challenge-response auth going, as this will allow two-factor authentication with slightly-broken PAM clients such as KDM.

Statistics: Posted by Redhatter — Wed Feb 16, 2011 1:16 pm

Re: HUGE security vulnerability with Yubikey?

2011-02-05T19:06:09+01:00

Excellent idea, why didn't I think of this- we do it at work with our Verisign keys.

Yep, huge brainfart there. Thanks!

Statistics: Posted by Jafo_Jeeper — Sat Feb 05, 2011 7:06 pm

Re: HUGE security vulnerability with Yubikey?

2011-02-05T17:14:02+01:00

To add a cheap second factor in cases like truecrypt that need a static password, there is a very easy way.

Type in a PIN code first before tapping the yubikey. Now each part (PIN, yubikey) is useless without the other, because the real truecrypt password is a combination of them.

Statistics: Posted by ferrix — Sat Feb 05, 2011 5:14 pm

Re: HUGE security vulnerability with Yubikey?

2011-02-05T16:55:34+01:00

I know security engineering, thank you very much... not all of it, but none of us know everything.

Here's the thing- with Truecrypt, to use the Yubikey as the pass to an encrypted volume, it can store and submit a 64-digit static password.

That static password is, hello, static.

There is nothing else required to decrypt the system partition in the case of an encrypted system partition- no username, other password, nothing.

therefore, anyone that can lay hands on that yubikey and insert it in the USB slot on that machine can decrypt the volume.

Statistics: Posted by Jafo_Jeeper — Sat Feb 05, 2011 4:55 pm

Re: HUGE security vulnerability with Yubikey?

2011-02-05T09:44:59+01:00

Jafo_Jeeper wrote:

OK, I am brand-new to Yubikey...

I thought it used the user's scanned fingerprint as part of the hash to create the OTP and so on...

However, I am seeing that is apparently not correct.

So it seems that if someone has my Yubikey, they can effectively own me. Truecrypt (the reason I bought the key in the first place) is actually LESS secure with yubikey use, then.

Am I wrong? What am I not understanding? I want to use Yubikey in Windows and Linux environs as a boot-level authentication device to unlock my truecrypt-encrypted hard drive.

It is not a security issue because nowhere does it say that it scans your fingerprint. It is meant to be used together with a username and a password i.e. something you know and something you have. You better read up on security engineering...
//A

Statistics: Posted by andlil — Sat Feb 05, 2011 9:44 am

HUGE security vulnerability with Yubikey?

2011-02-05T01:41:12+01:00

Statistics: Posted by Jafo_Jeeper — Sat Feb 05, 2011 1:41 am