Yubico Forum :: View topic - TrueCrypt Auto Mount

OK, so you set a static passcode, and anyone and their uncle can launch it since this doesn't actually scan for a certain fingerprint.

How is this not a security issue?

Because if you first enter a strong password you know by heart and then press the yubikey you have effectively created a two part authentication, something you know and something you have

Quote:

Because if you first enter a strong password you know by heart and then press the yubikey you have effectively created a two part authentication, something you know and something you have

This is not true multi-factor authentication: "something the user knows" and "something the user has." If the system is compromised (keylogger) the infiltrator now knows the entire sequence and can access the encrypted drive without the Yubikey present.

We have successfully made the password more difficult to brute force (likely scenario) and/or if the Yubikey is destroyed one cannot be forced to enter the password (unlikely scenario.) If only we could protect from keyloggers, which I believe is the most likely scenario.

If you are using system level Truecrypt encryption of the whole of the hard disk, I don't think there is any mechanism for a keylogger to be active at that point, mainly because you have only just jumped from the BIOS into the password prompt issued by the Truecrypt Boot Loader.

Author:	Eric Vogel [ Fri Oct 08, 2010 3:10 am ]
Post subject:	TrueCrypt Auto Mount
Do I miss understand automount? I create a file container, use Yubikey. I can mount it find but auto-mount devices it says wrong password or no volume found. How do I get prompted on login to put Yubikey when I login? Also, how do I set the static password for Yubikey? I might wanna have a second one to keep off my keys around the house and the other on my keychain. Thank you, Eric Vogel

Author:	modelrockettier [ Fri Jan 28, 2011 2:34 am ]
Post subject:	Re: TrueCrypt Auto Mount
unfortunately, Truecrypt does not support the Yubikey right now (unless you are using a static password, in which case almost everything supports it). If you download the Yubikey configuration tool, you can easily set a static password into its second slot

Author:	Jafo_Jeeper [ Sat Feb 05, 2011 5:34 am ]
Post subject:	Re: TrueCrypt Auto Mount
OK, so you set a static passcode, and anyone and their uncle can launch it since this doesn't actually scan for a certain fingerprint. How is this not a security issue?

Author:	andlil [ Sat Feb 05, 2011 9:47 am ]
Post subject:	Re: TrueCrypt Auto Mount
Jafo_Jeeper wrote: OK, so you set a static passcode, and anyone and their uncle can launch it since this doesn't actually scan for a certain fingerprint. How is this not a security issue? Because if you first enter a strong password you know by heart and then press the yubikey you have effectively created a two part authentication, something you know and something you have //A

Author:	Jafo_Jeeper [ Wed Aug 31, 2011 6:19 pm ]
Post subject:	Re: TrueCrypt Auto Mount
Thought I'd already replied to this- Thanks for setting off the lightbulb in my head. LOVE this thing!

Yubico Forum https://forum.yubico.com/

TrueCrypt Auto Mount https://forum.yubico.com/viewtopic.php?f=4&t=576	Page 1 of 1

Author:	melcron [ Sun Apr 22, 2012 8:41 pm ]
Post subject:	Re: TrueCrypt Auto Mount
Quote: Because if you first enter a strong password you know by heart and then press the yubikey you have effectively created a two part authentication, something you know and something you have This is not true multi-factor authentication: "something the user knows" and "something the user has." If the system is compromised (keylogger) the infiltrator now knows the entire sequence and can access the encrypted drive without the Yubikey present. We have successfully made the password more difficult to brute force (likely scenario) and/or if the Yubikey is destroyed one cannot be forced to enter the password (unlikely scenario.) If only we could protect from keyloggers, which I believe is the most likely scenario.

Author:	zardoz [ Sun Apr 22, 2012 9:35 pm ]
Post subject:	Re: TrueCrypt Auto Mount
melcron wrote: Quote: Because if you first enter a strong password you know by heart and then press the yubikey you have effectively created a two part authentication, something you know and something you have This is not true multi-factor authentication: "something the user knows" and "something the user has." If the system is compromised (keylogger) the infiltrator now knows the entire sequence and can access the encrypted drive without the Yubikey present. We have successfully made the password more difficult to brute force (likely scenario) and/or if the Yubikey is destroyed one cannot be forced to enter the password (unlikely scenario.) If only we could protect from keyloggers, which I believe is the most likely scenario. If you are using system level Truecrypt encryption of the whole of the hard disk, I don't think there is any mechanism for a keylogger to be active at that point, mainly because you have only just jumped from the BIOS into the password prompt issued by the Truecrypt Boot Loader. Z.

Author:	melcron [ Mon Apr 23, 2012 9:49 am ]
Post subject:	Re: TrueCrypt Auto Mount
Quote: If you are using system level Truecrypt encryption of the whole of the hard disk, I don't think there is any mechanism for a keylogger to be active at that point, mainly because you have only just jumped from the BIOS into the password prompt issued by the Truecrypt Boot Loader. As the OP mentioned the use of auto-mount I assumed he was not using whole disk encryption. There are cases in which a user wants to encrypt a partition or file container separate from their operating system, that way the computer is functional while more private data is stored safely away. Although for my laptop a yubikey with a static password and full disk encryption would be great... and this thread prompted me to read more about the issue and realize that the performance impact isn't as dramatic as I thought.

Page 1 of 1	All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/