Yubico Forum

Hi,

what kind of proof can you give the users that this product is not spoiled with NSA or GCHQ backdoors or other crap?
I mean you produce in the USA or in Sweden and there seem to be clearly a high possibility that either the goverments or the laws of the goverments enforce you to integrate backdoors.

What I don't get is why do you avoid that the firmware is readable or re-flashable from the device. Having an open source toolchain together with a PGP public key to confirm that what's on the stick is really backdoor clean should have been implemented.

What kind of actions do you do to avoid beeing forced by goverments to integrate backdoors?

What kind of checks are available for the user to check that this product is NSA free hardware?

The way the OTP works there is no logical way a device compromise would work. The server implementing the login would be the only viable point of entry for a government agency.
The way the static password works, there is no communication outside of the HID interface so no way to exploit a compromise any way.
Any off the apps can be tested using other applications to verify that the signing results work as expected. (PGP and other tokens)

The reason the firmware isn't readable or re-flashable is because that interface is closed off entirely. This is the only reason it isn't vulnerable to infection by malware (government or otherwise), do some research on 'Bad USB' for similar issue that every USB flash drive is vulnerable to because the firmware CAN be updated. If anything this is a great security feature because malware can not be loaded by intercepting packages.

Biggest checks are that all of the apps as well as the static password can be verified with other application to verify the results. For most of them a third party app dose the actual security. The yubikey is just the credential.

The main issue with using a device like this for securing data against law enforcement is that in most jurisdictions they would not require a seperate warrant to use any yubikeys that are seized when executing a warrant or are on your person if you are arrested.

For more information you might want to check out Security Now Episode 143 http://twit.tv/show/security-now/143 they go a lot into the actual technology. Its the older device so the apps were not a part at the time.

If there are any specific features of the device you would like more help understanding how you can verify using external applications I would be happy to point you in the direction of specific resources.

Well, what about this device having something in the firmware which doesn't show up as keyboard but sometimes as something different. Like an integrated virus or malware. The fact is that once a device is hooked up to an usb port it can do everything. As the firmware is not readable I have no proof that the device itself doesn't contain a trojan horse, which activates on demand.

I know security now very well and if you listen to those guys as well you probably heard of their TNO policy.
So if we can't verify what's on the device or have no way to check it for backdoors the claimed security is useless.

So if the device would for instance present it's secret keys on demand per secret command, or if it would compromise the attached computer as it's usb functionality is different as the standard keyboard functionality this would be a problem.

Also how can I proof that the device was not swapped during the shipping with a compromised one?!?

Don't get me wrong but news proofed to me that american products are not trustworthy anymore. Especially the government with their unacceptable spying behavior did a lot of damage to the us foreign customer business.

Despite that I still like the idea I think your product has the mentioned problems. If there is no transparency what's inside the device it'll be a product that might be good for securing the day to day online web shopping business but won't be good for securing company or government business interests.

1. It's not possible to prove a negative.
2. All of the above concerns also apply to a CPU, board chipset/bios, SSD chipset/firmware, etc. If you think you might be targeted, buy things at a store with cash. Or have someone else buy them for you? Otherwise...take a break from tech because unless you're a nation-state, it's prohibitively expensive to prove 99% lack of tampering. And impossible to prove 100% (see #1).
3. Yubico manufactures only some of the keys in the US. I believe other keys are manufactured in Sweden or Germany. I think the reasoning is for US/Euro gov't certification/concerns...but it could be for other cost/distribution reasons.

Three things help:

1. Yubico decided to lock down the javacard applet programming capability such that the keys aren't field re-programmable.
2. The U2F capability requires a proof-of-manufacturer signifier (at the batch level). Every xxx keys from Yubico share a certain bit of information that shouldn't be easily forged. That might be one way to validate it's a yubico-programmed key.
3. Except for the serial # and the U2F batch number, all of the keys on the unit can be cleared/reset by the user.

B