Yubico Forum

PostPosted: Fri Aug 01, 2008 8:44 am 

Joined: Fri Aug 01, 2008 8:36 am
Posts: 21
Hi All,

Let me introduce Rohos Logon Key with YubiKey support:
http://www.rohos.com/yubikey.htm

At the moment only Windows XP (x86/x64) are tested. Vista support in progress. Mac OS X login in development plans.

Your feedback will be appreciated.

Alex Silonosov.
Rohos.com CEO.

_________________
Alex Silonosov
CEO at Rohos
http://rohos.com



PostPosted: Fri Aug 01, 2008 3:46 pm 

Joined: Fri Jul 11, 2008 8:30 pm
Posts: 8
---------
does this work in dynamic otp mode?
---------


PostPosted: Mon Aug 04, 2008 3:44 pm 

Joined: Fri Aug 01, 2008 8:36 am
Posts: 21
Yes it does.

_________________
Alex Silonosov
CEO at Rohos
http://rohos.com


PostPosted: Mon Aug 04, 2008 9:41 pm 

Joined: Fri Jun 06, 2008 5:56 pm
Posts: 9
When will it support Vista? When will it support Mac & KeyChain? Do you plan to go open source on this project?

Thanks for the good work!


PostPosted: Wed Aug 06, 2008 1:41 pm 

Joined: Fri Jul 11, 2008 8:30 pm
Posts: 8
---------

Rohos wrote:
Yes it does.


Doesn't seem to (yet?), from this page:
http://www.rohos.com/free-encryption/20 ... 8/yubikey/

http://www.rohos.com/free-encryption/2008/07/28/yubikey wrote:
3. In current release Rohos doesn’t check generated OTP on the server, or OTP validity. It only checks the key’s ID.


---------


PostPosted: Wed Aug 06, 2008 2:34 pm 

Joined: Fri Aug 01, 2008 8:36 am
Posts: 21
gmik wrote:
---------

Rohos wrote:
Yes it does.


Doesn't seem to (yet?), from this page:
http://www.rohos.com/free-encryption/20 ... 8/yubikey/

http://www.rohos.com/free-encryption/2008/07/28/yubikey wrote:
3. In current release Rohos doesn’t check generated OTP on the server, or OTP validity. It only checks the key’s ID.


---------


Sorry, it doesn't now. But we can do it if the community insists :)

_________________
Alex Silonosov
CEO at Rohos
http://rohos.com


PostPosted: Wed Aug 06, 2008 2:36 pm 

Joined: Fri Aug 01, 2008 8:36 am
Posts: 21
Snow wrote:
When will it support Vista? When will it support Mac & KeyChain? Do you plan to go open source on this project?

Thanks for the good work!


Today we published a new update with Windows Vista (x64/x86) support.
As for Macs, I think we will make it in October, as right now we are making a wireless lock using a Bluetooth-enabled mobile...

_________________
Alex Silonosov
CEO at Rohos
http://rohos.com


PostPosted: Tue Aug 19, 2008 2:25 pm 

Joined: Tue May 06, 2008 7:22 pm
Posts: 151
Rohos wrote:
gmik wrote:
---------

Rohos wrote:
Yes it does.


Doesn't seem to (yet?), from this page:
http://www.rohos.com/free-encryption/20 ... 8/yubikey/

http://www.rohos.com/free-encryption/2008/07/28/yubikey wrote:
3. In current release Rohos doesn’t check generated OTP on the server, or OTP validity. It only checks the key’s ID.


---------


Sorry, it doesnt now. But we can do it if community will insist :)


I think it would be an excellent addition for your software, and would make more people interested in it.

I believe you could have two modes:

1. Online validation. The OTP is validated against our server. This requires that the machine always has a working network connection. The user should configure the HMAC-key to use for validation and be able to change the server address (normally api.yubico.com).

2. Offline validation. This is for customers who only use the YubiKey for Windows login. The user needs to configure the software with the AES key, and it needs to keep track of the highest counter value seen so far for each yubikey. The YubiKey shouldn't be used for any other purpose in this mode, since there is no way to synchronize OTP re-use securely.

What do you think?

Thanks,
Simon


PostPosted: Tue Aug 19, 2008 2:54 pm 

Joined: Wed Jun 18, 2008 6:51 pm
Posts: 19
Simon wrote:
2. Offline validation. This is for customers who only use the YubiKey for Windows login. The user needs to configure the software with the AES key, and it needs to keep track of the highest counter value seen so far for each yubikey. The YubiKey shouldn't be used for any other purpose in this mode, since there is no way to synchronize OTP re-use securely.


Could you expand on this a little, please? I am not sure I understand the problems associated with synchronizing the OTP.

How would this work for a typical corporate laptop user? Most of the time they are in the office, connected to the corporate LAN and validating online, but they also need to travel away from the office, possibly with no net access.


PostPosted: Tue Aug 19, 2008 3:27 pm 

Joined: Tue May 06, 2008 7:22 pm
Posts: 151
PatrickN wrote:
Simon wrote:
2. Offline validation. This is for customers who only use the YubiKey for Windows login. The user needs to configure the software with the AES key, and it needs to keep track of the highest counter value seen so far for each yubikey. The YubiKey shouldn't be used for any other purpose in this mode, since there is no way to synchronize OTP re-use securely.


Could you expand on this a little please, I am not sure I understand the problems associated with synchronizing the OTP.

How would this work for a typical corporate Laptop user? Most of the time they are in the office connected to the corporate LAN and validating online. But also have a need to travel away from the office possibly with no net access.


First, let's restate the problem: if you validate an OTP using the same AES key that api.yubico.com uses, the OTP you verify will be re-usable again on the api.yubico.com server. It will also be reusable on any other system that validates OTPs based on the AES key. The reason is that the counter values aren't synchronized.

The simplest solution is to only permit the YubiKey to be used for Windows login. Nothing else. Then you can use our personalization software to write a new AES key into your Yubikey, and configure your Windows login software to use that AES key. Your software needs to remember the counter values, so that you can't replay an OTP against it. However, since it is the only software that validates the OTPs, no synchronization is needed.

There aren't any really good solutions to synchronize OTPs. You could make the Windows login software send the used OTPs to api.yubico.com when it becomes online, but there is a time window when someone could use these tokens if they could get access to them. There is also the security problem of having the AES key stored on your Windows platform, which is hardly immune to Trojans etc. If your AES key is compromised, someone can impersonate you on any service that supports Yubikey.

/Simon


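Added example (not code from Rohos, Yubico or anyone in this thread): a small Go program that implements the offline validation Simon describes in his two posts above, i.e. the login software holds one YubiKey's AES key and remembers the highest counter it has accepted, so a captured OTP cannot be replayed against it. It assumes the standard YubiKey OTP layout: 12 modhex characters of public ID followed by one AES-128-encrypted 16-byte block containing the 6-byte private ID, a little-endian 16-bit use counter, a 24-bit timestamp, an 8-bit session counter, 2 random bytes and a 16-bit CRC. The type and function names (OfflineVerifier, Verify, simulatePress, crc16), the demo key, public ID and private ID are the example's own constructed values; simulatePress stands in for a key press only so the program has input to check.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

const modhex = "cbdefghijklnrtuv" // the YubiKey's keyboard-layout-independent hex alphabet (values 0..15)

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := 0; i+1 < len(s); i += 2 {
		hi, lo := strings.IndexByte(modhex, s[i]), strings.IndexByte(modhex, s[i+1])
		if hi < 0 || lo < 0 {
			return nil, fmt.Errorf("invalid modhex character at offset %d", i)
		}
		out[i/2] = byte(hi<<4 | lo)
	}
	return out, nil
}

// crc16 is the token CRC (poly 0x8408, init 0xffff, the PPP FCS-16 algorithm); over all 16 bytes of an intact token it leaves 0xf0b8.
func crc16(data []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408&-(crc&1) // xor the polynomial when the shifted-out bit is 1
		}
	}
	return crc
}

// OfflineVerifier is the state Simon describes: one YubiKey's AES key plus the highest
// (use counter, session counter) pair accepted so far.
type OfflineVerifier struct {
	PublicID string // the 12 modhex characters typed before the encrypted part
	Key      []byte // 16-byte AES key written with the personalization tool
	UID      []byte // 6-byte private identity programmed together with the key
	seen     bool
	lastUse  uint16 // non-volatile counter, incremented at each power-up
	lastSess uint8  // volatile counter, incremented at each press since power-up
}

// Verify decrypts one OTP, checks integrity and identity, rejects replays, then advances the counters.
func (v *OfflineVerifier) Verify(otp string) (useCtr uint16, sessionCtr uint8, err error) {
	if len(otp) != 44 || otp[:12] != v.PublicID {
		return 0, 0, fmt.Errorf("not a 44-character OTP for this key's public ID")
	}
	pt, err := modhexDecode(otp[12:])
	block, kerr := aes.NewCipher(v.Key)
	if err != nil || kerr != nil {
		return 0, 0, fmt.Errorf("cannot decode OTP or load key: %v %v", err, kerr)
	}
	block.Decrypt(pt, pt) // the token is exactly one AES-128 block, decrypted in place
	if crc16(pt) != 0xf0b8 {
		return 0, 0, fmt.Errorf("CRC check failed: wrong AES key or corrupted OTP")
	}
	if !bytes.Equal(pt[:6], v.UID) {
		return 0, 0, fmt.Errorf("private ID mismatch")
	}
	useCtr, sessionCtr = binary.LittleEndian.Uint16(pt[6:8]), pt[11]
	// Replay protection: the counter pair must be strictly greater than the last one accepted.
	if v.seen && (useCtr < v.lastUse || (useCtr == v.lastUse && sessionCtr <= v.lastSess)) {
		return 0, 0, fmt.Errorf("replayed or stale OTP: counters not above last accepted")
	}
	v.seen, v.lastUse, v.lastSess = true, useCtr, sessionCtr
	return useCtr, sessionCtr, nil
}

// simulatePress builds an OTP with the layout a YubiKey emits, only to give the example input; timestamp and random filler are constructed constants.
func simulatePress(v *OfflineVerifier, useCtr uint16, sessionCtr uint8) string {
	pt := make([]byte, aes.BlockSize)
	copy(pt[:6], v.UID)
	binary.LittleEndian.PutUint16(pt[6:8], useCtr)
	pt[8], pt[9], pt[10], pt[11] = 0x34, 0x12, 0x00, sessionCtr
	binary.LittleEndian.PutUint16(pt[12:14], 0xbeef)
	binary.LittleEndian.PutUint16(pt[14:16], ^crc16(pt[:14]))
	block, _ := aes.NewCipher(v.Key)
	block.Encrypt(pt, pt)
	// modhex-encode: hex digits map position-for-position onto the modhex alphabet
	return v.PublicID + strings.Map(func(r rune) rune { return rune(modhex[strings.IndexRune("0123456789abcdef", r)]) }, hex.EncodeToString(pt))
}

func newDemoVerifier() *OfflineVerifier { // constructed values, not a real key or identity
	return &OfflineVerifier{PublicID: "ccccccbdefgh", Key: []byte("example-aes-key!"), UID: []byte{1, 2, 3, 4, 5, 6}}
}

func main() {
	v := newDemoVerifier()
	for _, otp := range []string{simulatePress(v, 5, 0), simulatePress(v, 5, 0), simulatePress(v, 5, 1)} {
		fmt.Println(v.Verify(otp)) // the second OTP is a replay and is rejected
	}
}
```

Two points follow from Simon's posts when running something like this for real: the seen/lastUse/lastSess state has to be persisted durably, otherwise a reboot of the verifier reopens the replay window for every OTP typed since the last save; and because the AES key itself lives on the Windows host, that key must be written to the YubiKey with the personalization tool and used for nothing else, which is exactly why the offline mode rules out sharing the key with api.yubico.com.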