Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 8:59 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 3 posts ] 
Author Message
PostPosted: Thu Jul 23, 2015 7:18 pm 
Offline

Joined: Thu Jul 23, 2015 6:53 pm
Posts: 1
In an attempt to add a hardware component to make pwsafe a bit safer while sharing a database between users, I'm looking into a solution that uses yubikey and HMAC-SHA1.

The plan is to use HMAC-SHA1 on slot 2 with the same secret on multiple yubikeys with hopes that it will make decrypting a pwsafe database difficult for anybody without a properly configured yubikey. I realize if someone actually logged the output from HMAC-SHA1 request and stored the response, it would circumvent the use of the yubikey. We could potentially change passwords frequently to avoid this type of attack, but we also want people to use the solution.

Back to the question... Is there any ability to extract the secret key for HMAC-SHA1 once it is programmed onto a yubikey? I want to make sure nobody else will be able to create additional yubikeys for obvious reasons. I understand CCID and PGP doesn't allow for extraction of keys once programmed, but want to verify the same for challenge-repsponse.

Thanks!


Last edited by h3lix on Mon Aug 24, 2015 8:08 pm, edited 2 times in total.

Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Tue Aug 18, 2015 2:14 am 
Offline

Joined: Fri Feb 20, 2015 12:44 am
Posts: 3
h3lix wrote:
Back to the question... Is there any ability to extract the secret key for HMAC-SHA1 once it is programmed onto a yubikey? I want to make sure nobody else will be able to create additional yubikeys for obvious reasons. I understand CCID and PGP doesn't allow for extraction of keys once programmed, but want to verify the same for challenge-repsponse.
Thanks!


I don't know whether one can extract the secret key directly from the yubikey, but I will make the observation that if you use a Yubikey with pwsafe, that the secret key is visible from the pwsafe application . Thus if you have one Yubikey that you have used to open the safe, you can do "Manage->Yubikey". When the Yubikey dialog comes up, click "Show" and it will display the secret key.

Is the key stored in the pwsafe database, or is it able to download from the key itself? I can't answer that question. It seems like one of these two possibilities must be true.


Top
 Profile  
Reply with quote  
PostPosted: Thu Aug 20, 2015 10:35 am 
Offline
Site Admin
Site Admin

Joined: Mon Dec 08, 2014 2:52 pm
Posts: 314
No known methodology is known to extract data to this date 2015-08-20


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 3 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 12 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group