Yubico Forum

PostPosted: Fri Dec 19, 2014 9:33 pm
Joined: Wed Nov 19, 2014 12:11 am
Public release of an updater creates a denial of service attack vector against deployed NEOs if, as I expect, it wipes the user data on the NEO.

U2F requires the device to have an attestation certificate attesting to its provenance. Yubico would dilute the value of their attestations if they distributed an update that attests a device outside their physical control.

Public release of an updater might assist with the creation of fake NEOs.


It is possible that my three concerns above could be overcome, especially if publicly distributed new firmware will only install on a device that authenticates itself as a NEO with existing firmware. Even so, distributing an updater has costs for Yubico that they cannot recoup, especially in terms of technical support.

I know the norm these days is for firmware updates to be distributed freely, but security devices require a different way of thinking. If you buy a device and an advertised feature does not work correctly, you have a case for replacement or refund. However, you do not buy any sort of entitlement to future enhancements.


The NEO is an inexpensive device for the functionality it now has.

An OpenPGP smartcard 2.0 is EUR16.40 from Kernel Concepts, or EUR17 if you want a card with an ID-000 size breakout ("mini SIM" size). A USB ID-000 reader is EUR18, so that's EUR35 for a USB device that only supports OpenPGP, has no contactless functionality and is less physically robust than a NEO. This device does support 4096 bit RSA keys, unlike the NEO, but 4096 bit RSA keys have relatively little additional entropy over a 2048 bit RSA key.

A Gemalto IDPrime PIV card is available in dual interface format from Gemalto's web store for EUR37.34. Unlike the NEO, these cards are approved for US Government and NATO use, but this is of little value to the average NEO purchaser. As a dual interface card, it supports contactless but cannot be cut down from credit card size.


On the day I'm writing this, Yubico are selling NEOs for US$50, which is around EUR41 depending on the exact exchange rate you use. Even an older NEO with 3.2 firmware would give you OpenPGP and PIV functionality, as well as the OATH applet and the Yubikey OTP slots with a pre-personalised YubiCloud OTP credential in Slot 1.

If you buy now, you get a device with 3.3 firmware which also offers U2F functionality on USB.

The NEO is more robust and easier to carry than either of the comparison devices I've given. It needs no expensive proprietary middleware for full functionality (a drawback of the Aladdin eToken devices I used to use) and merely needs a USB port or suitable contactless reader to use.


At the moment, U2F is of limited value - it works with Chrome against Google via the USB interface only. The standards for U2F over a contactless interface have yet to be finalised, so it is unclear whether whatever support exists in the 3.3 NEO firmware will comply with the final standard.


When browser and site support for U2F has grown, the U2F over contactless standard is ratified and the NEO firmware has had a chance to mature further, there is more of an argument for buying a new device.

In time, I expect the OpenPGP applet to support elliptic curve keys. Elliptic curve support has finally been released in GnuPG 2.1, though I'm not sure there is a version of the OpenPGP smartcard standard with elliptic curve key support yet. I realise it will be many years before elliptic curve PGP keys are usable outside small closed groups, as users are typically rather slow to update to new security software versions.

The NEO might migrate to a newer hardware platform that fully supports 4096 bit RSA keys and SHA512 (the latter is needed for a Bitcoin wallet app).

One feature I miss from the eToken is the ability to carry intermediate certificates on the device, which is a feature I didn't find in my reading of the PIV standards, so the public CA-issued certificates I have in the PIV applet don't chain to a public root via plug and play.


There will undoubtedly be further enhancements from Yubico and I will have to decide when to replace my NEO 3.3 with the latest version and make my current NEO a backup device. However, unless I lose or destroy my NEO, I expect it to provide the feature set it has today for years to come. It isn't perfect, but it is an inexpensive investment in high grade security offering a wide range of functions in a single device.
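The attestation point raised at the top of this post is the one worth seeing in code: a relying party only believes a newly registered U2F key pair came from a genuine device because the registration response is signed by the device's attestation key, and that key is vouched for by the vendor. The following is an added example, not code from the post or from Yubico. It is a toy model with several stated simplifications: the X.509 attestation certificate chain is collapsed to a table of attestation public keys the relying party already trusts, signatures are raw r||s rather than DER, the nonce is passed in for determinism, and the curve arithmetic is not constant-time. All keys, key handles and challenge values are constructed constants, and the function names are the example's own.

```python
"""Toy U2F registration attestation check (added example, not Yubico code).

The signed data follows the FIDO U2F raw message format for registration:
0x00 || application parameter || challenge parameter || key handle || user
public key. Everything else (trust table instead of X.509 chain, raw r||s
signatures, fixed nonce, constructed keys) is a simplification for the demo.
"""
import hashlib

# NIST P-256 domain parameters (FIPS 186-4).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def ecdsa_sign(priv, msg, k):
    """ECDSA over P-256/SHA-256; k is supplied so the demo is deterministic.
    A real device uses a fresh random or RFC 6979 nonce for every signature."""
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return r.to_bytes(32, "big") + s.to_bytes(32, "big")


def ecdsa_verify(pub, msg, sig):
    """Standard ECDSA verification of a raw r||s signature."""
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def encode_point(pt):
    """Uncompressed SEC1 encoding, as used for the U2F user public key."""
    return b"\x04" + pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def register(att_priv, user_priv, app_param, challenge_param, key_handle, k):
    """Device side: return (user public key, key handle, attestation signature)."""
    user_pub = encode_point(ec_mul(user_priv, G))
    signed = b"\x00" + app_param + challenge_param + key_handle + user_pub
    return user_pub, key_handle, ecdsa_sign(att_priv, signed, k)


def verify_registration(trusted_att_pubs, app_param, challenge_param,
                        user_pub, key_handle, sig):
    """Relying-party side: accept the credential only if a trusted attestation
    key signed it. Whoever controls a trusted attestation key can vouch for
    any hardware, which is why a vendor guards those keys so closely."""
    signed = b"\x00" + app_param + challenge_param + key_handle + user_pub
    return any(ecdsa_verify(pub, signed, sig) for pub in trusted_att_pubs)


# Constructed demo values: small fixed scalars, never acceptable for real keys.
ATT_PRIV = 0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
ATT_PUB = ec_mul(ATT_PRIV, G)
APP = hashlib.sha256(b"https://example.test").digest()
CHAL = hashlib.sha256(b"constructed-challenge").digest()


def demo(att_priv=ATT_PRIV, trusted=(ATT_PUB,)):
    """Register with the given attestation key and check it against the
    relying party's trust table; True only for the vendor-held key."""
    user_pub, kh, sig = register(att_priv, 0x4242, APP, CHAL, b"kh-01", 0x5555)
    return verify_registration(trusted, APP, CHAL, user_pub, kh, sig)


if __name__ == "__main__":
    print("genuine attestation key accepted:", demo())
    print("unknown attestation key accepted:", demo(att_priv=0x9999))
```

The second `demo` call models a device signing with an attestation key the relying party has never been told to trust: the registration is well formed but is rejected. Changing the key handle or user public key after signing is rejected the same way, since those bytes are covered by the attestation signature.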



PostPosted: Wed Jan 14, 2015 9:54 pm
Joined: Thu Sep 03, 2009 5:15 am
ChrisHalos wrote:
Unfortunately there is no method for updating the firmware on pre-3.3 NEOs, and no discounts offered at this time. The cheapest way for an existing NEO owner to add U2F functionality is to purchase a Security Key ($18 with no shipping costs on orders over $35 on Amazon), or $23 with standard US shipping from the Yubico Webstore ($18 + $5 for standard shipping).


What if we mailed in our current/existing Yubikey for a discount? Yubico, the company, can either re-sell them at discounted prices to those that do not want/need updated hardware or destroy them, and we get a discount towards the updated hardware we need? Fair?

~TechStud
Ontario, Canada


PostPosted: Thu Jan 15, 2015 11:42 pm
Joined: Wed Nov 19, 2014 12:11 am
techstud wrote:
What if we mailed in our current/existing Yubikey for a discount? Yubico, the company, can either re-sell them at discounted prices to those that do not want/need updated hardware or destroy them, and we get a discount towards the updated hardware we need? Fair?


The administrative costs of such a scheme would wipe out the value of any credit, and Yubico would have to pay disposal costs for the mailed in keys. I cannot see any way they could be resold, as each mailed in NEO would have to be wiped of customer data in the apps and tested before resale, which isn't cost-effective.

I know a NEO isn't free but, as I said in my earlier reply, these are relatively inexpensive devices with a high level of functionality, even in 3.2.0 guise.


If you want to upgrade and offset some of the cost, why not put your existing NEO on eBay?


PostPosted: Thu Mar 19, 2015 9:11 am
Joined: Thu Mar 19, 2015 8:59 am
darco wrote:
Where did they say they could update older keys?

I don't think they have the physical capability to do what you are asking. Being upset about it won't help.

You bought keys that did not advertise U2F. You got keys that didn't have U2F. Just because a later product was released with this feature doesn't mean you are entitled to have that feature added to your older device.


I bought my Yubikey Neo (fw 3.2) with the understanding that: "When we do release new firmware, we ensure the new YubiKey will function the same as with older versions, so there is no need to purchase new YubiKeys to ensure compatibility", which is a direct quote from this Yubico FAQ article.

While my main usage of the Yubikey is as a physical PGP key, I was very interested to try out U2F. Now, I'll most likely look to other U2F solutions instead.


PostPosted: Thu Mar 19, 2015 3:51 pm
Yubico Team
Joined: Wed Aug 06, 2014 2:40 pm
squidbox wrote:
I bought my Yubikey Neo (fw 3.2) with the understanding that: "When we do release new firmware, we ensure the new YubiKey will function the same as with older versions, so there is no need to purchase new YubiKeys to ensure compatibility", which is a direct quote from this Yubico FAQ article.

What you're quoting is correct: We ensure that new YubiKeys will function the same as older versions. That is, new YubiKeys are backwards compatible. So if you've deployed a solution including YubiKeys with firmware 3.1, you can rest assured that for example firmware 3.3 will also work with your solution.

This is a different thing from YubiKeys being upgradable ("forwards compatible").

