Yubico Forum :: View topic - Protection of OATH-TOTP/HOTP Secrets

Hello, I've been lurking around the forum for a while and am just starting to seriously integrate a Yubikey 4 into my life.

My question: The Yubikey 4 states that (with the help of the Authenticator app) it can store up to 32 OATH-TOTP credentials. The NEOs can store up to 28. The language implies that there is a hardware security component to the storing/securing of the OATH secrets. Is that the case? Are there any resources or description of how these secrets are secured. I especially want to know that the secrets aren't stored on the host computer.

Appreciate it!

Author:	webmonarch [ Tue Aug 16, 2016 9:21 pm ]
Post subject:	Protection of OATH-TOTP/HOTP Secrets
Hello, I've been lurking around the forum for a while and am just starting to seriously integrate a Yubikey 4 into my life. My question: The Yubikey 4 states that (with the help of the Authenticator app) it can store up to 32 OATH-TOTP credentials. The NEOs can store up to 28. The language implies that there is a hardware security component to the storing/securing of the OATH secrets. Is that the case? Are there any resources or description of how these secrets are secured. I especially want to know that the secrets aren't stored on the host computer. Appreciate it!

Author:	SporkWitch [ Sat Sep 03, 2016 3:58 am ]
Post subject:	Re: Protection of OATH-TOTP/HOTP Secrets
webmonarch wrote: Hello, I've been lurking around the forum for a while and am just starting to seriously integrate a Yubikey 4 into my life. My question: The Yubikey 4 states that (with the help of the Authenticator app) it can store up to 32 OATH-TOTP credentials. The NEOs can store up to 28. The language implies that there is a hardware security component to the storing/securing of the OATH secrets. Is that the case? Are there any resources or description of how these secrets are secured. I especially want to know that the secrets aren't stored on the host computer. Appreciate it! They're (should be) stored in a secure element on the token itself (as are PGP keys, x509 cert/key combos, and all other secrets). In theory, it is physically impossible extract the secrets from the secure element without a not-so-small fortune and destructive methods (we're talking government lab, and then there's still no guarantee). No, they're not being stored on the host machine. I'm finding it remarkably difficult to find a good explanation of how it does this, and so unfortunately I just have to say it's a simple device that only has a handful of instructions, none of which include output of the key. It checks a pin, it lets you replace existing keys in pre-defined "slots," it will perform specific and predefined mathematical operations on input combined with the key, and output the result. This solid state device does not actually have the instructions or capability to output the key itself, and obtaining what's stored in it otherwise would be difficult, costly, and destructive, with a low chance for success (and you have no way to make a copy to play with, either, like you can with even an encrypted HDD or SSD).

Yubico Forum https://forum.yubico.com/

Protection of OATH-TOTP/HOTP Secrets https://forum.yubico.com/viewtopic.php?f=26&t=2396	Page 1 of 1

Page 1 of 1	All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/