Yubico Forum
https://forum.yubico.com/

Rohos Logon. Windows Login with YubiKey
https://forum.yubico.com/viewtopic.php?f=8&t=155
Page 2 of 2

Author:  caitsith6502 [ Wed Aug 20, 2008 8:02 am ]
Post subject:  Re: Rohos Logon. Windows Login with YubiKey

Impersonation is not the only issue with a compromised AES key. The other issue is Denial of Service. They do this by forcibly advancing the counter to the max, and authenticating with that token. Once that happens, the YubiKey is effectively bricked as far as further online use goes.

Author:  Rohos [ Tue Aug 26, 2008 10:26 am ]
Post subject:  Re: Rohos Logon. Windows Login with YubiKey

Simon wrote:

1. Online validation. The OTP is validated against our server. This requires that the machine always has a working network connection. The user should configure the HMAC-key to use for validation and be able to change the server address (normally api.yubico.com).

2. Offline validation. This is for customers who only use the YubiKey for Windows login. The user needs to configure the software with the AES key, and it needs to keep track of the highest counter value seen so far for each YubiKey. The YubiKey shouldn't be used for any other purpose in this mode, since there is no way to synchronize OTP re-use securely.

What do you think?

Thanks,
Simon



1. It's a good idea, BUT ONLY if you have a desktop PC with a 100% live internet connection. This case exists only theoretically or in a corporate environment.
I have a notebook, and when I go home sometimes it doesn't switch automatically to my wifi net or doesn't switch at all (buggy Vista or Acer e-net services).
Also, sometimes depending on the Windows configuration the internet connection may not rise up on the logon screen. So you will need to wait...

I agree that it's more secure since the OTP goes to the server to expire immediately.

2. The only possible attack in this case is that a Trojan will record the OTP and send it to the bad guy. For this reason, yes I do agree.

Maybe we can mix 1 + 2, so logon immediately by offline validation, then when the user is logged on, connect to an OTP server in the background to expire OTPs. If there is no web, then wait for the next time. Do you have an API for that on the server?

Author:  Simon [ Tue Sep 02, 2008 10:40 am ]
Post subject:  Re: Rohos Logon. Windows Login with YubiKey

Rohos wrote:
Simon wrote:

1. Online validation. The OTP is validated against our server. This requires that the machine always has a working network connection. The user should configure the HMAC-key to use for validation and be able to change the server address (normally api.yubico.com).

2. Offline validation. This is for customers who only use the YubiKey for Windows login. The user needs to configure the software with the AES key, and it needs to keep track of the highest counter value seen so far for each YubiKey. The YubiKey shouldn't be used for any other purpose in this mode, since there is no way to synchronize OTP re-use securely.

What do you think?

Thanks,
Simon



1. It's a good idea, BUT ONLY if you have a desktop PC with a 100% live internet connection. This case exists only theoretically or in a corporate environment.
I have a notebook, and when I go home sometimes it doesn't switch automatically to my wifi net or doesn't switch at all (buggy Vista or Acer e-net services).
Also, sometimes depending on the Windows configuration the internet connection may not rise up on the logon screen. So you will need to wait...

I agree that it's more secure since the OTP goes to the server to expire immediately.

2. The only possible attack in this case is that a Trojan will record the OTP and send it to the bad guy. For this reason, yes I do agree.

Maybe we can mix 1 + 2, so logon immediately by offline validation, then when the user is logged on, connect to an OTP server in the background to expire OTPs. If there is no web, then wait for the next time. Do you have an API for that on the server?


The API would be the same as for verifying an OTP: if you send any OTP to our server (even if you used it to authenticate locally) it will be expired globally.

However, it is problematic to have two servers generally, so I would recommend that offline verification is always used against an AES key that isn't known to our server. You could integrate our personalization library in your application, so that when a user wants to use a YubiKey for Windows login, she needs to reprogram it. Then it is only usable for Windows login, but that is the tradeoff.

/Simon
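
The offline scheme Simon outlines (keep the highest counter seen so far per key and reject anything at or below it) and the counter-exhaustion lockout caitsith6502 describes earlier in this thread, as an added example in Python that is not code from Rohos or Yubico. It assumes the OTP has already been AES-decrypted with the key configured in the login software and works on the 16-byte plaintext token; the field layout and the CRC residual 0xf0b8 are the Yubico OTP token format, while the public id, private uid, counter values and the `OfflineValidator` class are constructed sample data and names for this example.

```python
"""
Offline Yubico OTP validation state (added example, not Rohos or Yubico code).

Assumption: the OTP has already been AES-decrypted with the configured key,
so we work on the 16-byte plaintext token. Field layout (Yubico OTP format):
  bytes 0-5   private uid
  bytes 6-7   session counter, little-endian, 15 usable bits
  bytes 8-10  timestamp (low 24 bits, unused here)
  byte  11    session use counter
  bytes 12-13 random filler
  bytes 14-15 CRC-16 (ISO 13239) over bytes 0-13, stored inverted, little-endian
"""
import struct

CRC_OK_RESIDUAL = 0xF0B8   # crc16 over all 16 bytes of a valid token
MAX_COUNTER = 0x7FFF       # bit 15 of the counter field is a flag, not a count


def crc16(data: bytes) -> int:
    """Yubico's CRC-16: reflected poly 0x8408, init 0xffff, no final xor."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc


def build_token(uid: bytes, counter: int, use: int,
                timestamp: int = 0x123456, rnd: int = 0) -> bytes:
    """Construct a well-formed plaintext token (what the key would encrypt)."""
    body = (uid + struct.pack("<H", counter) + timestamp.to_bytes(3, "little")
            + bytes([use]) + struct.pack("<H", rnd))
    return body + struct.pack("<H", (~crc16(body)) & 0xFFFF)


def parse_token(token: bytes):
    """Return (uid, counter, use) or None if the CRC does not check out
    (wrong AES key, corruption, or tampering)."""
    if len(token) != 16 or crc16(token) != CRC_OK_RESIDUAL:
        return None
    uid = token[:6]
    counter = struct.unpack("<H", token[6:8])[0] & MAX_COUNTER
    use = token[11]
    return uid, counter, use


class OfflineValidator:
    """Per enrolled key, remember the highest (counter, use) pair accepted.
    A token is valid only if it is strictly newer than that pair."""

    def __init__(self):
        self.keys = {}  # public_id -> {"uid": bytes, "last": (counter, use)}

    def enroll(self, public_id: str, uid: bytes) -> None:
        # Constructed sample enrollment; a real deployment stores this securely.
        self.keys[public_id] = {"uid": uid, "last": (-1, -1)}

    def validate(self, public_id: str, plaintext: bytes) -> str:
        entry = self.keys.get(public_id)
        if entry is None:
            return "UNKNOWN_KEY"
        parsed = parse_token(plaintext)
        if parsed is None:
            return "BAD_CRC"
        uid, counter, use = parsed
        if uid != entry["uid"]:
            return "BAD_UID"       # decrypts, but not the enrolled key's secret uid
        if (counter, use) <= entry["last"]:
            return "REPLAYED"      # old or reused OTP
        entry["last"] = (counter, use)
        return "OK"


if __name__ == "__main__":
    v = OfflineValidator()
    uid = b"\x01\x02\x03\x04\x05\x06"            # constructed sample uid
    v.enroll("cccccccccccc", uid)                 # constructed sample public id
    print(v.validate("cccccccccccc", build_token(uid, 5, 0)))  # OK
    print(v.validate("cccccccccccc", build_token(uid, 5, 0)))  # REPLAYED
    # Once a token at the maximum counter has been accepted, nothing newer exists:
    print(v.validate("cccccccccccc", build_token(uid, MAX_COUNTER, 0)))  # OK
    print(v.validate("cccccccccccc", build_token(uid, 6, 0)))  # REPLAYED, for ever
```

The comparison is lexicographic on (session counter, session use), so several OTPs from one power-on session are accepted in order while any earlier one is refused. The last two lines show the failure mode caitsith6502 raises: the state only moves forward, so after a token at the 15-bit counter maximum has been accepted the key can never authenticate again, and because the counter is derived from the decrypted token, the only protection is keeping the AES key out of reach.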

Author:  ferrix [ Tue Sep 02, 2008 6:29 pm ]
Post subject:  Re: Rohos Logon. Windows Login with YubiKey

Simon wrote:
You could integrate our personalization library in your application, so that when a user wants to use a YubiKey for Windows login, she needs to reprogram it.


It's a nice idea Simon, but for us Windows programmers... the personalization COM app doesn't work in Vista and there's no source code released for it.

(I'll just keep posting about it until someone at yubico finally answers :)

All times are UTC + 1 hour