We've got a variety of question regarding potential issues arising from the fact that the Yubikeys can be reconfigured via the USB interface.
Question type 1: Can that interface be used to read out information about the key ?
Answer: No configuration data can be read out via the USB interface. All configuration data is "write-only".
Question type 2: What protects my business if someone else "hijacks" a Yubikey and reprograms it for a different purpose to be used for somewhere else ? Question type 3: Given that the interface is known, what if someone just for fun decides to kill or rewrite all Yubikeys with garbage when they're seen ?
Answer: There is a write protection mechanism in the key - or more precisely, a configuration change lock "password", comprised of a 6 byte configuration access code. If this lock is set, all write requests must have the correct access code appended. There is an additional software delay added to address exhaustive search attempts. Given a 6 byte space, trying an average of 2^47 codes (approx 10^14 codes) is thereby slowed down to take about 10^13 seconds, which corresponds to approx 450,000 years.
Question type 4: Are the Yubikeys sent out protected ?
Answer: No. We decided to keep the lock disabled to allow developers to reprogram them without asking for the configuration access code. We will probably add such a feature to the server later on when we also will provide a self-service access to the AES key.
Question type 5: If someone changes a property in a depolyed Yubikey, cannot that compromise the security of that particular device ?
Answer: No partial changes are allowed. Any change will rewrite everything, including the AES key.
Question type 6: Can the usage counter be reset via the USB interface ?
Answer: Rewriting all of the configuration data is the only way reset the usage counter
Regards,
JakobE Hardware- and firmware guy @ Yubico
|