Yubico Forum https://forum.yubico.com/ |
|
HUGE security vulnerability with Yubikey? https://forum.yubico.com/viewtopic.php?f=16&t=633 |
Page 1 of 1 |
Author: | Jafo_Jeeper [ Sat Feb 05, 2011 1:41 am ] |
Post subject: | HUGE security vulnerability with Yubikey? |
OK, I am brand-new to Yubikey... I thought it used the user's scanned fingerprint as part of the hash to create the OTP and so on... However, I am seeing that is apparently not correct. So it seems that if someone has my Yubikey, they can effectively own me. Truecrypt (the reason I bought the key in the first place) is actually LESS secure with yubikey use, then. Am I wrong? What am I not understanding? I want to use Yubikey in Windows and Linux environs as a boot-level authentication device to unlock my truecrypt-encrypted hard drive. |
Author: | andlil [ Sat Feb 05, 2011 9:44 am ] |
Post subject: | Re: HUGE security vulnerability with Yubikey? |
Jafo_Jeeper wrote: "OK, I am brand-new to Yubikey... I thought it used the user's scanned fingerprint as part of the hash to create the OTP and so on... However, I am seeing that is apparently not correct. So it seems that if someone has my Yubikey, they can effectively own me. Truecrypt (the reason I bought the key in the first place) is actually LESS secure with yubikey use, then. Am I wrong? What am I not understanding? I want to use Yubikey in Windows and Linux environs as a boot-level authentication device to unlock my truecrypt-encrypted hard drive."
It is not a security issue because nowhere does it say that it scans your fingerprint. It is meant to be used together with a username and a password, i.e. something you know and something you have. You better read up on security engineering... //A |
Author: | Jafo_Jeeper [ Sat Feb 05, 2011 4:55 pm ] |
Post subject: | Re: HUGE security vulnerability with Yubikey? |
I know security engineering, thank you very much... not all of it, but none of us know everything. Here's the thing: with Truecrypt, to use the Yubikey as the pass to an encrypted volume, it can store and submit a 64-digit static password. That static password is, hello, static. There is nothing else required to decrypt the system partition in the case of an encrypted system partition: no username, other password, nothing. Therefore, anyone who can lay hands on that yubikey and insert it in the USB slot on that machine can decrypt the volume. |
Author: | ferrix [ Sat Feb 05, 2011 5:14 pm ] |
Post subject: | Re: HUGE security vulnerability with Yubikey? |
To add a cheap second factor in cases like truecrypt that need a static password, there is a very easy way. Type in a PIN code first before tapping the yubikey. Now each part (PIN, yubikey) is useless without the other, because the real truecrypt password is a combination of them. |
Author: | Jafo_Jeeper [ Sat Feb 05, 2011 7:06 pm ] |
Post subject: | Re: HUGE security vulnerability with Yubikey? |
Excellent idea, why didn't I think of this? We do it at work with our Verisign keys. Yep, huge brainfart there. Thanks! |
Author: | Redhatter [ Wed Feb 16, 2011 1:16 pm ] |
Post subject: | Re: HUGE security vulnerability with Yubikey? |
Yep, simple solution. I did this with my OpenID server, the patch for it has been sent to the Community-ID bug tracker. Basically when you register for Community-ID, you initially do it using password authentication. Then, when you've activated the account you have the option of enabling YubiKey authentication (single-factor). I extended this to provide two-factor... the prefix of the key for each user is in the database, it takes the length of this, adds 32 to it, and feeds that into substr a couple of times to split user password from OTP. I'll probably look into doing this with YubiPAM if I can't get challenge-response auth going, as this will allow two-factor authentication with slightly-broken PAM clients such as KDM. |
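The split Redhatter describes (and the same "secret you know + output of the key you hold" idea behind ferrix's PIN-plus-static suggestion), worked through as an added example. This is not Redhatter's Community-ID patch nor any Yubico code; it assumes the user's stored YubiKey prefix is known, that passwords are stored as PBKDF2 hashes, and it uses a constructed stand-in validator in place of the real OTP validation service.

```python
import hashlib
import hmac
import os

# A YubiKey OTP is modhex: a fixed public id (the "prefix", up to 12 chars)
# followed by 32 chars of encrypted token data.  Its length is therefore
# len(prefix) + 32, which is the "adds 32 to it" step from the post above.
MODHEX_ALPHABET = frozenset("cbdefghijklnrtuv")
OTP_BODY_LEN = 32


def split_password_and_otp(submitted, stored_prefix):
    """Split 'password + OTP' into its two parts using the stored prefix length.

    Raises ValueError if the tail does not look like this user's OTP, so a
    missing or foreign key cannot be mistaken for part of the password."""
    otp_len = len(stored_prefix) + OTP_BODY_LEN
    if len(submitted) <= otp_len:
        raise ValueError("input too short to hold a password and an OTP")
    password, otp = submitted[:-otp_len], submitted[-otp_len:]
    if not otp.startswith(stored_prefix):
        raise ValueError("OTP public id does not match the key registered for this user")
    if any(ch not in MODHEX_ALPHABET for ch in otp):
        raise ValueError("OTP tail is not modhex")
    return password, otp


def hash_password(password, salt=None):
    """PBKDF2-SHA256 password hash (assumed scheme, not from the post)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_login(submitted, user_record, validate_otp):
    """Two-factor check: split, verify the password hash, then validate the OTP.

    user_record: dict with 'prefix', 'salt', 'pw_hash'.
    validate_otp: callable(otp) -> bool; in production this would be the
    Yubico validation service or a local validator."""
    try:
        password, otp = split_password_and_otp(submitted, user_record["prefix"])
    except ValueError:
        return False
    _, digest = hash_password(password, user_record["salt"])
    password_ok = hmac.compare_digest(digest, user_record["pw_hash"])
    # Run the OTP check regardless of the password result so both paths cost
    # the same and a wrong password is not distinguishable by timing.
    otp_ok = validate_otp(otp)
    return password_ok and otp_ok


class ConstructedOtpValidator:
    """Stand-in validator (constructed for this example): accepts each listed
    OTP exactly once, which is the replay protection a real validator gives."""

    def __init__(self, valid_otps):
        self._unused = set(valid_otps)

    def __call__(self, otp):
        if otp in self._unused:
            self._unused.discard(otp)
            return True
        return False


# Constructed sample data; this is not a real key, prefix or OTP.
DEMO_PREFIX = "ccccccbcgujh"
DEMO_OTP_BODY = "hvfrknurfivhdnebvvhkcntrbtgejdfd"
DEMO_OTP = DEMO_PREFIX + DEMO_OTP_BODY
DEMO_SALT = bytes(range(16))
DEMO_USER = {
    "prefix": DEMO_PREFIX,
    "salt": DEMO_SALT,
    "pw_hash": hash_password("correct horse", DEMO_SALT)[1],
}


def demo():
    """Exercise the four cases a two-factor login must get right."""
    validator = ConstructedOtpValidator([DEMO_OTP])
    return {
        "both_right": verify_login("correct horse" + DEMO_OTP, DEMO_USER, validator),
        # Same OTP submitted a second time: rejected as a replay.
        "replayed_otp": verify_login("correct horse" + DEMO_OTP, DEMO_USER, validator),
        "wrong_password": verify_login("wrong" + DEMO_OTP, DEMO_USER,
                                       ConstructedOtpValidator([DEMO_OTP])),
        # Key alone, no password in front of it: the split itself fails.
        "otp_only": verify_login(DEMO_OTP, DEMO_USER, ConstructedOtpValidator([DEMO_OTP])),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Because the OTP's length is fixed once the user's prefix is known, the password may contain any characters (including modhex letters) without confusing the split; the only constraint is that the OTP must always be the last thing typed.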
All times are UTC + 1 hour |
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/ |