Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 12:10 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 48 posts ]  Go to page Previous  1, 2, 3, 4, 5  Next
Author Message
PostPosted: Tue Mar 10, 2009 1:48 am 
Offline

Joined: Sun Jan 11, 2009 4:40 am
Posts: 41
Dain,

Thanks for the quick response.

Am I correct that when you get the request for password you submit my OTP for authentication through the Yubico server before returning the password?

Dick

Edit: Sorry to bother you. I found the answer in the Wiki. Should have looked first.


Last edited by Dick on Tue Mar 10, 2009 9:07 am, edited 1 time in total.

Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Tue Mar 10, 2009 8:29 am 
Offline

Joined: Sat Sep 20, 2008 10:17 am
Posts: 20
dain wrote:
Iipee, I've always shown the passwords on the list password site, though if you have JavaScript enabled, they are only in clear text if you hover over them with your cursor. The reason for this is that it really doesn't add any security not doing so. The whole idea with KeyGenius is that only you have access to your YubiKey, and if you were to lose it, you use the revocation code to destroy all stored data as soon as possible. If someone gets a hold of your YubiKey, then they can obviously use it to access your passwords, very easily. The simplest probably by going to the site they want the password for and using KeyGenius to populate the form but not submit it. Then they could just use any DOM inspection tool, Firebug for instance, to look at the contents of the input field. This is unavoidable, and is inherent in all password management programs and services. Even if you make sure the form submits automatically as soon as the password has been entered, and SSL is used, then if the hacker has control of the box, he could use some other plug-in to get the request data.


I undestand that this is how it works. Could you consider a future option to be able to use two-factor? Like you can setup revocation code, you could set passphrase. It would work like this:

1) When setting passphrase (first time or resetting it to another phrase) it loads all previous data stored and re-encrypt that including also passphrase in crypto (adding one more layer to backend security)
2) When using Keygenius, backend checks for session key. If it's not set, your backend want's to get your passphrase and if it's priovided it returns random BLAABLAA as a session key that keygenius clientcode stores into memory.

Passphrase wouldn't be stored into your system at all. It's just used in encryption/decryption. For example, listing sites would also ask passphrase + OTP. It should be possible to leave passphrase empty if you don't want extra layer of security.

How to provide passphrase? Two ideas:
1) give a popup when it's needed. Problem: It's difficult to give popup with password-entry field that doesn't show typed characters

2) Passphrase is written into the passwordfield before you press Yubikey. If it's missing and hasn't been already stored for that session, popup is shown that says "Please enter your passphrase in front of password field and press your Yubikey".

I would prefer 2nd idea.


Top
 Profile  
Reply with quote  
PostPosted: Tue Mar 17, 2009 10:45 pm 
Offline
Site Admin
Site Admin

Joined: Mon Mar 02, 2009 9:51 pm
Posts: 83
I've made some updates to KeyGenius!

In the backend: Domain name checks are now done for the longest matching domain name "path". For instance, say you have a password stored for facebook.com, but you are logging in to login.facebook.com. If you have a password stored for login.facebook.com, then it is returned as normal, but if you don't, then everything up to and including the first dot is removed, and the url is tried again (facebook.com), until only one dot remains, in which case the lookup fails. This should solve a lot of problems with redundant passwords being stored for each subdomain that uses the same login, but still allows different passwords if needed. Note that the whole domain (except for www, if present) is used when storing passwords using the + or +++ prefix, so the easiest way to store a password for a higher level domain is by using the site management page.

In the plugin:
I rewrote a lot of the plugin to better coexist with existing javascript on pages. When possible, KeyGenius now clones each password field and displays the clone instead of the original. Once a password is returned from KeyGenius, it is entered into the original hidden field, and on submit, the clone is destroyed. In some cases the old method of adding event listeners to existing elements is used, namely when the original input is determined to be invisible.

For instance, facebook has a password-field that it hides on pageload, displaying another field instead. Once you focus that field, it is hidden and the password field is shown. If KeyGenius were to clone the invisible password field it would remain invisible, and thus it wouldn't work.


If the update causes any strange behaviour to occur with any sites that were previously working, please let me know!


Top
 Profile  
Reply with quote  
PostPosted: Thu Mar 19, 2009 4:26 pm 
Offline

Joined: Sat Sep 20, 2008 10:17 am
Posts: 20
dain wrote:
I've made some updates to KeyGenius!

Cool changes! I'll let you know if those fixed my earlier problems. And congralutaions for your win! Like I said, you already got my vote, I'm glad you got also jurys vote ;-)

And please consider my idea of adding possibility to use passphrase to really nail it!


Top
 Profile  
Reply with quote  
PostPosted: Sat Mar 21, 2009 3:31 pm 
Offline
Site Admin
Site Admin

Joined: Mon Mar 02, 2009 9:51 pm
Posts: 83
Thanks! I'll concider allowing an optional passphrase for added security. If I do implement this I think it would be used completly locally


EDIT: That's strange, it seems most of my message got cut off.
Anyway, what I wrote was that I would probably optionally encrypt and decrypt locally in the browser, requiring you to enter the extra passphrase each time you want to access the password. The pros of this is that you never submit your actual password anywhere but to the site where you are using it. The cons are that the plugin would grow a bit in complexity to allow this new functionality, and would have to include an encryption algorithm.


Top
 Profile  
Reply with quote  
PostPosted: Thu Apr 16, 2009 5:09 am 
Offline

Joined: Thu Apr 16, 2009 3:03 am
Posts: 5
Hi, Dain

Firstly, KeyGenius is a genius idea! Love it.

I too am awaiting eagerly for open source release of the back end. I am willing to help in documenting/cleaning the code if you don't have time. What are the requirements to install the backend? What language is the code in?


Top
 Profile  
Reply with quote  
PostPosted: Thu Apr 16, 2009 9:06 am 
Offline
Site Admin
Site Admin

Joined: Mon Mar 02, 2009 9:51 pm
Posts: 83
Hi Hacho!

The open source backend is almost ready, http://kg.yubico.com is currently using the rewrite I'm doing, so it's fully functional. It is running on a basic LAMP stack (Linux, Apache, MySQL, PHP), using the Symfony web framework which is written in PHP. To run the KeyGenius backend yourself you will need PHP5 and a database supported by Symfony. I doubt I'll have time to get the code up before the RSA conference next week, but I expect to have it available shortly after that.


Top
 Profile  
Reply with quote  
PostPosted: Tue Apr 28, 2009 9:36 pm 
Offline
Site Admin
Site Admin

Joined: Mon Mar 02, 2009 9:51 pm
Posts: 83
The backend source is now available for download!
There isn't much documentation available for now, but you can download the code and run it yourself. It is available at:
http://code.google.com/p/keygenius/
You will need to use SVN to get the code.

Please post any quertions you have about it, or any feedback you wish to give.


Top
 Profile  
Reply with quote  
PostPosted: Fri May 08, 2009 11:01 pm 
Offline

Joined: Fri May 08, 2009 10:45 pm
Posts: 1
I'm rather curious about keygeni.us (AppEngine) in comparison to kg.yubico.com. Are you using python for this? Or java? Or one of the many languages that runs on top of java? I'm guessing that the backend there is not php. If it's ruby or python, I would love to see the source code as every now and then I find time to scratch an itch or two.

Kindest Regards,
tim ^,^


Top
 Profile  
Reply with quote  
PostPosted: Mon May 11, 2009 10:05 am 
Offline

Joined: Thu May 07, 2009 1:21 pm
Posts: 3
Does anybody have this working with Chrome and greasemetal? For me it captures passwords, but I have not successfully used it to log on. What is the best way to debug?
--
John Cooper


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 48 posts ]  Go to page Previous  1, 2, 3, 4, 5  Next

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group