Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 7:43 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 4 posts ] 
Author Message
 Post subject: TrueCrypt and my Yubikey
PostPosted: Mon Dec 29, 2008 7:17 pm 
Offline

Joined: Mon Dec 29, 2008 6:59 pm
Posts: 2
I understand some Yubikeys can be re-programmed to store a line of charictors but now TrueCrypt can support a pcks#11 library. I don't really understand what this means, but can this now support a regular Yubikey, by downloading a .dll file?


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Wed Dec 31, 2008 12:43 pm 
Offline
Yubico Team
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
Thank you for your question about Yubikey and TrueCrypt and the second part of the question regarding the use of PKCS#11 support in TrueCrypt.

As you mentioned in your question you can use the Yubico personalization tool to configure your Yubikey to produce a fixed (randomized at the time of creation) password which you can use with TrueCrypt. Just remember that since Yubikey has only one button, once it is set up for fixed PW, then the fixed PW functionality replaces the OTP (One Time PW) functionality for that particular Yubikey. When TrueCrypt asks for the PW you simply point the cursor to the PW field and press the button on the Yubikey and the fixed password will be sent from the Yubikey and entered right into the PW field.

PKCS#11 is a standard and protocol stack commonly used by Smart Cards and PKI (Public Key Infrastructure). However, using PKCS11 requires a different set of infrastructure (more complex) compared to Yubikey. PKCS11 also requires drivers for each Smart Card reader that shall be used to work in preboot mode with TrueCrypt i.e. before the normal operating system is started. There are only very few drivers available to work in preboot mode so this is an issue when using PKCS#11 with TrueCrypt.

Yubikey on the other hand will work fine in preboot mode without drivers or any specific protocol stack installed The reason is that Yubikey emulates and looks like a USB keyboard to the BIOS (the system that starts your computer at boot time) so if your BIOS supports USB keyboards (most modern computers do today), then when you press the button on the Yubikey a string of characters (the Password) will be sent to the computer keyboard buffer in the same way as if you were inputting the characters manually from the regular keyboard. When TrueCrypt ask for the PW you simply point the cursor to the PW field and press the button on the Yubikey and the fixed password will be sent from the Yubikey and entered right into the PW field.


Top
 Profile  
Reply with quote  
PostPosted: Wed Dec 31, 2008 2:54 pm 
Offline

Joined: Mon Dec 29, 2008 6:59 pm
Posts: 2
If the goal was to use a conventional Yubikey to secure a file, could it work like this?
Could a .dll be written to:
capture the Yubikey string,
secure a connection to a server,
that could verify the authenticity,
and return the result.
Then this .dll be used in TrueCrypt to allow or deny data access.

I understand the PKCS#11 uses card readers and drivers and returns a different kind of result.
But we don't need card readers, so we won't need drivers.
Also we would need a server to return the result, I don't know if Yubico or Verisign could provide this.
Unless the PKCS#11 protocol dosn't have the ability to set up a secure connection.


Top
 Profile  
Reply with quote  
PostPosted: Mon Jan 05, 2009 6:49 am 
Offline
Yubico Team
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
Main features of TrueCrypt Disk encryption software are:

    1) Encrypts a partition or drive where Windows is installed (pre-boot authentication)
    2) Creates a virtual encrypted disk within a file and mounts it as a real disk
    3) Encrypts an entire partition or storage device such as USB flash drive or hard drive

For Pre-boot authentication, conventional YubiKey (emitting OTP) can not be used because, in pre-boot environment, the network service will not be available and hence it wouldn’t be possible to send the OTP for validation to the Yubico Validation Server over network. However, a YubiKey programmed (using Yubico personalization tool) to emit a fixed (randomized at the time of creation) password can be used with TrueCrypt pre-boot authentication.

For the second TrueCrypt feature, a conventional YubiKey can be potentially used, provided that the virtual encrypted volume is mounted upon user request after completion of the boot process and network connectivity is available. In this case, a DLL could be provided to authenticate the YubiKey OTP with Yubico Validation Server over network.

Similarly, for the third TrueCrypt feature, a conventional YubiKey can be potentially used provided that the hard disk or USB flash drive is mounted upon user request after completion of boot process and not automatically during the boot process.

Yubico is welcoming development of YubiKey enabled post-boot authentication for TrueCrypt. If you or someone reading this post is contemplating development of such a module, please let Yubico know about it in order to provide some technical help!


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 4 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group