Yubico Forum

Posted: Sat Jun 14, 2008 12:17 pm
We've got a variety of questions regarding potential issues arising from the fact that the Yubikeys can be reconfigured via the USB interface.

Question type 1: Can that interface be used to read out information about the key?

Answer: No configuration data can be read out via the USB interface. All configuration data is "write-only".


Question type 2: What protects my business if someone else "hijacks" a Yubikey and reprograms it for a different purpose to be used for somewhere else?
Question type 3: Given that the interface is known, what if someone just for fun decides to kill or rewrite all Yubikeys with garbage when they're seen?

Answer: There is a write protection mechanism in the key - or more precisely, a configuration change lock "password", comprised of a 6 byte configuration access code. If this lock is set, all write requests must have the correct access code appended. There is an additional software delay added to address exhaustive search attempts. Given a 6 byte space, trying an average of 2^47 codes (approx 10^14 codes) is thereby slowed down to take about 10^13 seconds, which corresponds to approx 450,000 years.


Question type 4: Are the Yubikeys sent out protected?

Answer: No. We decided to keep the lock disabled to allow developers to reprogram them without asking for the configuration access code. We will probably add such a feature to the server later on when we also will provide a self-service access to the AES key.


Question type 5: If someone changes a property in a deployed Yubikey, cannot that compromise the security of that particular device?

Answer: No partial changes are allowed. Any change will rewrite everything, including the AES key.


Question type 6: Can the usage counter be reset via the USB interface?

Answer: Rewriting all of the configuration data is the only way to reset the usage counter.


Regards,

JakobE
Hardware- and firmware guy @ Yubico

