Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 8:02 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 4 posts ] 
Author Message
PostPosted: Fri Apr 06, 2012 8:07 pm 
Offline

Joined: Fri Apr 06, 2012 7:57 pm
Posts: 2
I would like to use the yubikey as a way to both authenticating and decrypting resources on a remote system - so the authentication is handled by the normal OTP functionality, but I would also like to be able to include a decryption key not know by the server.

But the only private payload that I can send (as far as I can tell) is the private "ID". 6 bytes is 48 bits, which is a little small for an encryption key. So my question is, is there any way of storing more private data? Like can I somehow fix the 16bit random number to be a known constant, yielding 64 bits total (which is still small, but might be enough, at least as a proof of concept).

Anyway, I know this is not exactly what the yubikey is designed for, but I think it could have real potential - as more and more computation is done via the web, the inherent problem of permanently storing decryption keys serverside (or not encrypting data at all, as it is basically equivalent) becomes more of an issue. In theory it is simple to send a decryption key every time you use a service, but for it to be realistic, it has to be practical, and it seems like the yubikey (with just a tiny bit more data) could make this really easy, as it is already capable of sending a tamper-proof secret payload.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Sat Apr 07, 2012 8:33 am 
Offline

Joined: Wed Aug 19, 2009 11:31 am
Posts: 11
Yes, you could program a static password http://www.yubico.com/static-password


Top
 Profile  
Reply with quote  
PostPosted: Sat Apr 07, 2012 4:44 pm 
Offline

Joined: Fri Apr 06, 2012 7:57 pm
Posts: 2
andlil wrote:
Yes, you could program a static password http://www.yubico.com/static-password


Doing that would be vulnerable to replay attacks, which would be definitely non-optimal. I would like to retain the security of OTPs, but just deliver a slightly larger payload.


Top
 Profile  
Reply with quote  
PostPosted: Sun Apr 08, 2012 8:52 am 
Offline

Joined: Wed Aug 19, 2009 11:31 am
Posts: 11
dbp wrote:
andlil wrote:
Yes, you could program a static password http://www.yubico.com/static-password


Doing that would be vulnerable to replay attacks, which would be definitely non-optimal. I would like to retain the security of OTPs, but just deliver a slightly larger payload.


How about OTP in slot 1, to mitigate replay attacks, and a static password/encryption key in slot 2?


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 4 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 5 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group