Yubico Forum

So I am confused about one thing and I want to make sure the yubikey is as secure as I think it is. My understanding is that the yubikey uses public key encryption, which means it stores a private key and uses that to encrypt information into the password which is then verified by decoding with the public key. So, is that an accurate description of how the yubikey works and if so does yubico store the private key? I don't see a reason why yubico would or should store the private key as they only need the public key to authenticate. If Yubico does store the private key, that means my authentication token can be compromised by someone gaining access to the private key through Yubico. I understand there is a way to change the key, but then it no longer works with clavid, etc...

Hello,

I can understand your confusion. Let's see if I can clear it up a little.

The Yubikey uses the AES cipher algorithm for encryption and decryption. AES is a symmetric algorithm, meaning it works with a secret (and possibly shared) key, not a private/public key pair.

You are correct that the string being output by the Yubikey is an encrypted blob of data, which is decrypted by the validation server "on the other end" so it can validate properly. This means that the AES key is shared between the Yubikey and the validation server, just as you guessed.

When it comes to the security of the system, you are right. All keys in a shared key system (same key in the server as is in the token) must be kept secret. We are using best practices to protect the keys from being compromised but in the theoretical case a key would be exposed someone could program a copy and masquerade as the real key holder. However, this is not different from most shared key systems today including RSA, SafeWord, Wasco and others. This risk is still considered acceptable to most enterprises and compared to using regular PWs Yubikey represents a big increase in security.

Am I correct in thinking that Yubico keeps a copy of the shared key? I think I read that somewhere. If that is the case I can see where certain organizations would have concerns of Yubico (or any outside entity) having access to the shared keys. Any thoughts on work arounds to alleviate this concern?

As I understand it, Yubico keeps a copy of the key so that its server can authenticate the key. If a company wants to run its owns authentication server, then it can reprogram the Yubikey so that only it knows the key.

I'm sure that if my understanding is incorrect, someone will post a clarification.

Dick

Dick is correct in mentioning that Yubico keeps a copy of the AES key so that the live validation server (http://api.yubico.com) can authenticate the key.

If the organization doesn’t want to share the ASE keys with the Yubico, it has an option of deploying its own validation server.

The organization can use the personalization tool to change the YubiKey ID and the YubiKey AES key of the Key.

For more information, please refer to the following links:

http://www.yubico.com/developers/srv/

http://www.yubico.com/developers/personalization/

Feel free to write back to us in case you face any problems.

Thanks for the quick answers. We only just received our test yubikeys so we're still figuring out everything we can do with it.