Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 4:47 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 2 posts ] 
Author Message
PostPosted: Tue Aug 16, 2016 9:21 pm 
Offline

Joined: Tue Aug 16, 2016 9:08 pm
Posts: 1
Hello, I've been lurking around the forum for a while and am just starting to seriously integrate a Yubikey 4 into my life.

My question: The Yubikey 4 states that (with the help of the Authenticator app) it can store up to 32 OATH-TOTP credentials. The NEOs can store up to 28. The language implies that there is a hardware security component to the storing/securing of the OATH secrets. Is that the case? Are there any resources or description of how these secrets are secured. I especially want to know that the secrets aren't stored on the host computer.

Appreciate it!


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Sat Sep 03, 2016 3:58 am 
Offline
User avatar

Joined: Fri Aug 26, 2016 5:44 pm
Posts: 25
Location: Rochester, New York, USA
webmonarch wrote:
Hello, I've been lurking around the forum for a while and am just starting to seriously integrate a Yubikey 4 into my life.

My question: The Yubikey 4 states that (with the help of the Authenticator app) it can store up to 32 OATH-TOTP credentials. The NEOs can store up to 28. The language implies that there is a hardware security component to the storing/securing of the OATH secrets. Is that the case? Are there any resources or description of how these secrets are secured. I especially want to know that the secrets aren't stored on the host computer.

Appreciate it!

They're (should be) stored in a secure element on the token itself (as are PGP keys, x509 cert/key combos, and all other secrets). In theory, it is physically impossible extract the secrets from the secure element without a not-so-small fortune and destructive methods (we're talking government lab, and then there's still no guarantee). No, they're not being stored on the host machine.

I'm finding it remarkably difficult to find a good explanation of how it does this, and so unfortunately I just have to say it's a simple device that only has a handful of instructions, none of which include output of the key. It checks a pin, it lets you replace existing keys in pre-defined "slots," it will perform specific and predefined mathematical operations on input combined with the key, and output the result. This solid state device does not actually have the instructions or capability to output the key itself, and obtaining what's stored in it otherwise would be difficult, costly, and destructive, with a low chance for success (and you have no way to make a copy to play with, either, like you can with even an encrypted HDD or SSD).

_________________
Keybase User: sporkwitch
PGP Public Key: B54A 454A 2B29 9D83 0201 CB1B C136 07BD 83A9 E927


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 2 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: Heise IT-Markt [Crawler] and 9 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group