Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 4:05 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 14 posts ]  Go to page Previous  1, 2
Author Message
PostPosted: Wed Aug 20, 2008 8:02 am 
Offline

Joined: Mon Jun 09, 2008 6:12 pm
Posts: 19
Impersonation is not the only issue with a compromised AES key. The other issue is Denial of Service. They do this by forcibly advancing the counter to the max, and authenticating with that token. Once that happens, the Yubikey is effectively bricked as far as further online use goes.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Tue Aug 26, 2008 10:26 am 
Offline
User avatar

Joined: Fri Aug 01, 2008 8:36 am
Posts: 21
Simon wrote:

1. Online validation. The OTP is validated against our server. This requires that the machine always has a working network connection. The user should configure the HMAC-key to use for validation and be able to change the server address (normally api.yubico.com).

2. Offline validation. This is for customers who only use the YubiKey for Windows login. The user needs to configure the software with the AES key, and it needs to keep track of the highest counter value seen so far for each yubikey. The YubiKey shouldn't be used for any other purpose in this mode, since there is no way to synchronize OTP re-use securely.

What do you think?

Thanks,
Simon



1. It a good idea, BUT ONLY if you have a desktop PC with a 100% live internet connection. This case exist only theoretically or in corporate environment.
I have a notebook , and when I go home sometimes its doesnt switch automatically to my wifi net or doesnt switch at all (buggy vista or acer e-net services).
Also sometimes depending on a Windows configuration internet connection may not rise up on the logon screen. So you will need to wait...

I agree that its more secure since the OTP goto server to expire immideately.

2. The only possible attack in this case is that Trojan will record the OTP and send it to bad guy. For this reason, yes I do agree.

Maybe we can mix 1 + 2 , so logon immideately by offile validation, then when user logged on connect with a OTP server in the background to expire otps. If there is no web, then wait for next time. Do you have an API for that on the server?

_________________
Alex Silonosov
CEO at Rohos
http://rohos.com


Top
 Profile  
Reply with quote  
PostPosted: Tue Sep 02, 2008 10:40 am 
Offline
Site Admin
Site Admin

Joined: Tue May 06, 2008 7:22 pm
Posts: 151
Rohos wrote:
Simon wrote:

1. Online validation. The OTP is validated against our server. This requires that the machine always has a working network connection. The user should configure the HMAC-key to use for validation and be able to change the server address (normally api.yubico.com).

2. Offline validation. This is for customers who only use the YubiKey for Windows login. The user needs to configure the software with the AES key, and it needs to keep track of the highest counter value seen so far for each yubikey. The YubiKey shouldn't be used for any other purpose in this mode, since there is no way to synchronize OTP re-use securely.

What do you think?

Thanks,
Simon



1. It a good idea, BUT ONLY if you have a desktop PC with a 100% live internet connection. This case exist only theoretically or in corporate environment.
I have a notebook , and when I go home sometimes its doesnt switch automatically to my wifi net or doesnt switch at all (buggy vista or acer e-net services).
Also sometimes depending on a Windows configuration internet connection may not rise up on the logon screen. So you will need to wait...

I agree that its more secure since the OTP goto server to expire immideately.

2. The only possible attack in this case is that Trojan will record the OTP and send it to bad guy. For this reason, yes I do agree.

Maybe we can mix 1 + 2 , so logon immideately by offile validation, then when user logged on connect with a OTP server in the background to expire otps. If there is no web, then wait for next time. Do you have an API for that on the server?


The API would be the same as for verifying an OTP: if you send any OTP to our server (even if you used to authenticate locally) it will be expired globally.

However, it is problematic to have two servers generally, so I would recommend that offline verification is always used against an AES key that isn't known to our server. You could integrate our personalization library in your application, so that when a user wants to use a YubiKey for Windows login, she needs to reprogram it. Then it is only usable for Windows login, but that is the tradeoff.

/Simon


Top
 Profile  
Reply with quote  
PostPosted: Tue Sep 02, 2008 6:29 pm 
Offline

Joined: Fri Jun 20, 2008 2:59 am
Posts: 84
Simon wrote:
You could integrate our personalization library in your application, so that when a user wants to use a YubiKey for Windows login, she needs to reprogram it.


It's a nice idea Simon, but for us windows programmers.. the personalization COM app doesn't work in Vista and there's no source code released for it.

(I'll just keep posting about it until someone at yubico finally answers :)


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 14 posts ]  Go to page Previous  1, 2

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 0 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group