Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 11:54 am

All times are UTC + 1 hour




Post new topic Reply to topic  [ 2 posts ] 
Author Message
PostPosted: Wed Jan 09, 2013 4:09 pm 
Offline

Joined: Wed Jan 09, 2013 4:03 pm
Posts: 1
Hello,

If one is uploading material via https://upload.yubico.com/, can you overwrite the AES key etc for someone else's Yubikey if you know their public identity? If an attacker had a keylogger or something (or was able to physically steal the Yubikey for a moment to cause it to emit an OTP) and could get the public identity, could they not minimally cause a denial of service against the victim's Yubikey by overwriting their private identity and secret key?

many thanks,
alec


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Wed Jan 16, 2013 10:18 am 
Offline
Site Admin
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
Hello alecw,

Thank you for your question.

First let me define that we are talking about VV keys only. We do not allow users to change their Yubikey pre-configured keys (you cannot have a CC key with a different AES keys then the one is shipped with).

Now, in the domain of VV keys, what you are suggesting does not work because there can be associated only one AES key with a public identity (1 to 1 binding). Therefore when you upload a new AES key (NK) and you tell the system to associate it with a certain public_id (PID), the system will first check if that PID exists. If it exists it means that you cannot change the associated key (K) and therefore you will get an error message " this public_id already exists". Thus you will be unable to push the NK and replace the old K.

There is a catch though... while double checking before providing you with an answer, we found a bug. This bug, under certain condition may allow you to overwrite an existing AES key of the VV domain, causing a denial of service.

Therefore, thank you very much for your post and rest assured that we are going to fix this as soon as possible.

Regards,
Tom.

_________________
-Tom


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 2 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group