Yubico Forum

Hello,

I'm very interested about the NEO Yubikey, but as I was browsing your site for info, I noticed it uses a MIFARE Classic chip. As I understand, MIFARE Classic has some serious security issues (for example: http://en.wikipedia.org/wiki/MIFARE#Security_of_MIFARE_Classic.2C_DESfire_and_Ultralight). What is Yubicos opinion on this? Do you feel the Classic is sufficient to use as a security device and/or are you planning to replace it with a newer chip in the future?

They knew it was insecure, but made a decision to use it anyway because of how prevalently used it is.

viewtopic.php?f=16&t=510#p2143

I think they do make a valid point that it still is more secure than others that pass a static ID.

Thanks for the link, I hadn't noticed it since it's not here on the NEO forum. I can see why they would do that (business decision), although that doesn't exactly comfort me that much (btw that post was three years ago. Shouldn't we be close to "eventually" by now..? )

Seriously though, I'm not an expert with these thing: what kind of attack scenarios does the broken algorithm (in theory) make possible? If someone scans the NEO, can he copy it? Can he get the key?

Another thing I thought was how easy it would be to scan someones NEO without them noticing it (just swipe the scanner over their keys) and getting one valid OTP that way. Or does the user need to press the button on Yubikey for it to emit an NFC signal/OTP?

PS. The link you posted talks about Yubikey RFID. Is it the same product as the NEO which uses NFC?

Yes - we're more than aware that the Mifare Classic crypto has been broken for quite some time. Worth mentioning here is that the Mifare Classic support is optional in the NEO and is not linked to the normal NEO NFC operation, where this differs from the RFID Yubikey.

The NEO has the optional capability to emulate a Mifare Classic tag. This is just to join force with the hundreds of millions of Mifare tags that are out there and support the legacy of Mifare Classic. Although broken as such, it is far better than most prox systems that have no security at all.

With this said, the NEO supports the proprietary Mifare Classic ISO14443-3 protocol, but the Yubikey- and NEO applets are accessed through the ISO14443-4 mechanism. Therefore, from a Yubikey perspective, the defectiveness of the Mifare CRYPTO1 does not affect the NEO as such. Anyone who cannot accept the Mifare Classic limitations does not have to use it - it does not provide a back-door to the inner secrets of the NEO, only the Mifare credentials, if set.

With the best regards,

JakobE
Hardware- and firmware guy @ Yubico

I forgot the other questions posted here:

a) The RFID Yubikey is to become discontinued as it is replaced with the NEO for customers who want similar functionality.

b) Remote scanning of a NEO. The NEO antenna is very small, given the size of the Yubikey. This effectively limits the reading range to a few centimeters, i.e. 1-2 inches. Even with a very powerful reader, to power the NEO from distance (say a few decimeters, i.e. 1 ft, or more) would be very difficult, if not impossible as the magnetic flux drops by the distance cubed - double the distance and the power is cut by a factor of 8, multiply by 10 (30-50 cm, or around 1 ft) and the power drops by a factor of 1000. Even worse would be to receive the "backscattering", i.e. the way the NEO sends back data to the reader. The aperture size of the NEO antenna is simply too small to make long-range detection feasible.

Bottom line: The NEO is by all practical means a close proximity solution, with a practical reading range of 2-5 cm or 1-2 inches. Multiplying this distance by a factor of more than 5 or is not practical to do.

With the best regards,

JakobE
Hardware- and firmware guy @ Yubico

It really goes to show that security isn't as simple as "is it secure." So basically, there is an issue with MIFARE Classic, but in reality, the real world ramifications of the issue as implemented by the NEO make it more hypothetical than anything, especially with the required extreme lack of distance.

Thank you for the interesting answers, some of it is more than I can get my head around

I still think it would be much easier to get an OTP from the NEO than regular Yubikey without the user noticing anything - you only need to sit/stand next to them in a busy train if they have their keys and Yubikey in their pocket for example. For this reason it would be good if the NEO wouldn't work unless the user actually wants it to, ie. press the button. Not sure if that's possible technically.

Still going to order one though

It might be partially the device, but at least on my Blackberry, it's not enough that the Yubikey is physically touching the right spot, I actually have to press in a bit. The required range is extremely short.

I'm not sure the initiator provides that much power to be able to use the button. I just don't think it's a real world scenario.