Yubico Forum

PostPosted: Tue Dec 07, 2010 11:03 pm 
Joined: Tue Dec 07, 2010 10:50 pm
Posts: 1
If you use the Identity Prefix to look up the AES key for decryption, I'm not understanding what purpose the Secret Identifier serves. The spec says to use all zeroes if one is not needed, but can someone give me an example of when I might want to use one?

I understand that the "session counter" in combination with the "session use" is used to detect replay attacks. Why are these fields not combined into one non-volatile counter that goes up with each use? Wouldn't that serve the same purpose?

About the time stamp: is it only really used when accepting 2 OTPs, one after the other, during the same session? I've read articles online that say it guards against phishing attacks, but how?

PostPosted: Sat Aug 06, 2011 2:47 am 
Joined: Wed Aug 03, 2011 10:01 am
Posts: 1
With regard to the timestamps, I don't think they provide any extra security.
They are there to protect against phishing (where someone grabs your key and generates a number of OTPs which he can use later).
In the case of Yubico keys, these stolen OTPs will be valid until a new OTP comes along with a higher session counter.
In its documentation, Yubico mentions that to increase security you can ask for 2 OTPs and use the timestamp to ensure they were generated within a given time period. But the attacker is likely to have grabbed more than one OTP.
The server could vary the delay from the first OTP to the request of the second OTP, but for practical reasons that can't be very long, and once you factor in the 10s grace period (for network delays) this random delay is likely less than the time the attacker had to collect OTPs.

If the above is correct, I don't see why you would ever validate timestamps.

Could someone at Yubico confirm my assumptions or let me know if they are incorrect?

Regards,
Hani
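The following is an added example, not code from either poster or from Yubico. It shows how a validation server uses the three fields discussed in both posts: the Secret Identifier (private ID) as a second binding between OTP and key record, the (session counter, session use) pair as an ordered replay check, and the timestamp for a consistency check between two OTPs from one session. It works on the already-decrypted 16-byte token; the AES-128 decryption keyed by the public identity prefix is assumed to have happened before and is not shown. The field layout and the CRC residue 0xf0b8 follow Yubico's published OTP format; `KeyRecord`, `build_token`, the sample private ID and the 10-second tolerance (taken from the post above) are constructed for this example.

```python
import struct
from dataclasses import dataclass
from typing import Tuple

# CRC over all 16 decrypted bytes must equal this residue (Yubico OTP format).
YUBIKEY_CRC_RESIDUE = 0xF0B8
# The key's internal timestamp counter advances at roughly 8 ticks per second.
TIMESTAMP_HZ = 8.0
# Grace period for network delay, as mentioned in the post above (assumed policy).
TIMESTAMP_TOLERANCE_S = 10.0


def crc16(data: bytes) -> int:
    """CRC-16 as used by the YubiKey (reflected 0x1021 polynomial, init 0xffff)."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            low_bit = crc & 1
            crc >>= 1
            if low_bit:
                crc ^= 0x8408
    return crc


@dataclass(frozen=True)
class Token:
    uid: bytes              # 6-byte Secret Identifier (private ID)
    session_counter: int    # 15-bit, incremented on every power-up
    timestamp: int          # 24-bit, restarts at power-up, ~8 Hz
    session_use: int        # 8-bit, incremented per OTP within a session
    random: int


def parse_token(plain: bytes) -> Token:
    """Check the CRC and split a decrypted 16-byte token into its fields."""
    if len(plain) != 16:
        raise ValueError("token must be 16 bytes")
    if crc16(plain) != YUBIKEY_CRC_RESIDUE:
        # Wrong AES key (e.g. forged prefix) or a corrupted OTP both land here.
        raise ValueError("CRC check failed")
    uid = plain[0:6]
    (counter,) = struct.unpack_from("<H", plain, 6)
    timestamp = plain[8] | (plain[9] << 8) | (plain[10] << 16)
    use = plain[11]
    (rnd,) = struct.unpack_from("<H", plain, 12)
    return Token(uid, counter & 0x7FFF, timestamp, use, rnd)


def build_token(uid: bytes, counter: int, timestamp: int, use: int, rnd: int = 0x1234) -> bytes:
    """Constructed for the example: emit a token in the same layout a key would."""
    body = (uid + struct.pack("<H", counter)
            + bytes([timestamp & 0xFF, (timestamp >> 8) & 0xFF, (timestamp >> 16) & 0xFF])
            + bytes([use]) + struct.pack("<H", rnd))
    # The stored CRC is the complement of the CRC over the first 14 bytes.
    return body + struct.pack("<H", (~crc16(body)) & 0xFFFF)


@dataclass
class KeyRecord:
    """Server-side state for one key (hypothetical record shape)."""
    uid: bytes
    last_counter: int = -1
    last_use: int = -1


def check_otp(rec: KeyRecord, plain: bytes) -> Tuple[bool, str]:
    """Bind the token to the record and enforce strictly increasing (counter, use)."""
    tok = parse_token(plain)
    if tok.uid != rec.uid:
        # Private ID mismatch: right AES key but not the key this record belongs to.
        return False, "secret identifier mismatch"
    # Two counters, one ordering: the session counter survives power cycles, the
    # session-use counter does not, so the pair is compared lexicographically.
    if (tok.session_counter, tok.session_use) <= (rec.last_counter, rec.last_use):
        return False, "replayed or stale OTP"
    rec.last_counter, rec.last_use = tok.session_counter, tok.session_use
    return True, "ok"


def timestamps_consistent(first: Token, second: Token, wallclock_delta_s: float) -> bool:
    """For two OTPs requested in one session, check the key's clock agrees with ours."""
    if second.session_counter != first.session_counter:
        return False  # timestamp restarted at a power cycle; nothing to compare
    ticks = (second.timestamp - first.timestamp) & 0xFFFFFF
    return abs(ticks / TIMESTAMP_HZ - wallclock_delta_s) <= TIMESTAMP_TOLERANCE_S


if __name__ == "__main__":
    uid = bytes.fromhex("010203040506")  # constructed sample private ID
    rec = KeyRecord(uid, last_counter=4, last_use=7)
    otp1 = build_token(uid, counter=5, timestamp=1000, use=0)
    print(check_otp(rec, otp1))   # accepted: new session
    print(check_otp(rec, otp1))   # rejected: replay
```

Note that the CRC is what ties the decryption to the right key: a token decrypted with the wrong AES key fails the residue check before any field is trusted, so the private ID is a second, independent binding rather than the only one.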