Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 2:20 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 4 posts ] 
Author Message
PostPosted: Thu Jun 16, 2016 9:04 pm 
Offline

Joined: Fri Jan 08, 2016 10:10 pm
Posts: 3
Hello,

Can the Yubikey 4 do SHA2 instead of SHA1 for the HMAC challenge/response? SHA1 is considered insecure nowadays.

Thanks!

EDIT: subject updated to include [QUESTION] tag.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Mon Jun 20, 2016 6:41 pm 
Offline
Site Admin
Site Admin

Joined: Mon Mar 02, 2009 9:51 pm
Posts: 83
The attacks on SHA1 have to do with collision resistance. This means that any system relying on collision resistance should no longer be using SHA1. Digital signature schemes typically use a hash function to get a fixed-length value to sign, and that relies very much on collision resistance for security (as the Ars article points out).

However, the challenge-response mechanism in the YubiKey uses HMAC-SHA1. HMAC does NOT rely on collision resistance (this has actually been formally proven), and is thus not affected by this problem at all. HMAC-SHA1 is still considered secure.

The slot based challenge-response credentials use HMAC-SHA1, and we have no plans on changing this. However, the OATH applet available on the YubiKey NEO as well as YubiKey 4 provides HMAC-SHA256 in addition to HMAC-SHA1 (the YubiKey 4 even supports HMAC-SHA512 as well), but this applet needs to be invoked in a different way compared to the standard slots. For more information on that, go here: https://developers.yubico.com/ykneo-oath/Protocol.html


Top
 Profile  
Reply with quote  
PostPosted: Wed Jun 22, 2016 11:50 pm 
Offline

Joined: Fri Jan 08, 2016 10:10 pm
Posts: 3
Thanks for the reply, dain. Your argument that HMAC-SHA1 is still secure makes sense and I am comfortable with that.

Can the Yubikey 4 really do plain HMAC-SHA256? It seems that ykneo-oath would insist on including an incrementing counter in the hash. If you're curious, I'm exploring the use of deterministic password generation for website logins: HMAC(domain-name, seed-stored-in-yubikey).


Top
 Profile  
Reply with quote  
PostPosted: Wed Jun 29, 2016 3:18 am 
Offline
Site Admin
Site Admin

Joined: Mon Mar 02, 2009 9:51 pm
Posts: 83
Yes, you can do this with the YubiKey 4 or NEO. You have to store the key as a TOTP credential, which does not have a counter. Instead TOTP uses the current time as the challenge, which is passed to the YubiKey from the host PC. To do "plain" HMAC-SHA256 you would use the CALCULATE command, pass in your challenge, and specify that you want the full (non-truncated) response.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 4 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 4 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group