Yubico Forum

All times are UTC + 1 hour
PostPosted: Sat Feb 05, 2011 1:41 am 
Joined: Sat Feb 05, 2011 1:29 am
Posts: 8
OK, I am brand-new to Yubikey...

I thought it used the user's scanned fingerprint as part of the hash to create the OTP and so on...

However, I am seeing that is apparently not correct.

So it seems that if someone has my Yubikey, they can effectively own me. Truecrypt (the reason I bought the key in the first place) is actually LESS secure with yubikey use, then.

Am I wrong? What am I not understanding? I want to use Yubikey in Windows and Linux environs as a boot-level authentication device to unlock my truecrypt-encrypted hard drive.


PostPosted: Sat Feb 05, 2011 9:44 am 
Joined: Wed Aug 19, 2009 11:31 am
Posts: 11
Jafo_Jeeper wrote:
OK, I am brand-new to Yubikey...

I thought it used the user's scanned fingerprint as part of the hash to create the OTP and so on...

However, I am seeing that is apparently not correct.

So it seems that if someone has my Yubikey, they can effectively own me. Truecrypt (the reason I bought the key in the first place) is actually LESS secure with yubikey use, then.

Am I wrong? What am I not understanding? I want to use Yubikey in Windows and Linux environs as a boot-level authentication device to unlock my truecrypt-encrypted hard drive.


It is not a security issue because nowhere does it say that it scans your fingerprint. It is meant to be used together with a username and a password i.e. something you know and something you have. You better read up on security engineering...
//A


PostPosted: Sat Feb 05, 2011 4:55 pm 
Joined: Sat Feb 05, 2011 1:29 am
Posts: 8
I know security engineering, thank you very much... not all of it, but none of us know everything.

Here's the thing- with Truecrypt, to use the Yubikey as the pass to an encrypted volume, it can store and submit a 64-digit static password.

That static password is, hello, static.

There is nothing else required to decrypt the system partition in the case of an encrypted system partition- no username, other password, nothing.

Therefore, anyone who can lay hands on that yubikey and insert it in the USB slot on that machine can decrypt the volume.


PostPosted: Sat Feb 05, 2011 5:14 pm 
Joined: Fri Jun 20, 2008 2:59 am
Posts: 84
To add a cheap second factor in cases like truecrypt that need a static password, there is a very easy way.

Type in a PIN code first before tapping the yubikey. Now each part (PIN, yubikey) is useless without the other, because the real truecrypt password is a combination of them.


PostPosted: Sat Feb 05, 2011 7:06 pm 
Joined: Sat Feb 05, 2011 1:29 am
Posts: 8
Excellent idea, why didn't I think of this- we do it at work with our Verisign keys.

Yep, huge brainfart there. Thanks!


PostPosted: Wed Feb 16, 2011 1:16 pm 
Joined: Thu Feb 03, 2011 1:28 pm
Posts: 10
Location: Brisbane, QLD, Australia
Yep, simple solution. I did this with my OpenID server, the patch for it has been sent to the Community-ID bug tracker.

Basically when you register for Community-ID, you initially do it using password authentication. Then, when you've activated the account you have the option of enabling YubiKey authentication (single-factor). I extended this to provide two-factor... the prefix of the key for each user is in the database, it takes the length of this, adds 32 to it, and feeds that into substr a couple of times to split user password from OTP.

I'll probably look into doing this with YubiPAM if I can't get challenge-response auth going, as this will allow two-factor authentication with slightly-broken PAM clients such as KDM.


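The prefix-length split described in the post above (and the same combine-then-split idea behind the PIN + static password suggestion earlier in the thread), as an added Python example; this is not the Community-ID patch or any Yubico code. The public ID and OTP values are constructed, and the example goes a little further than the post by also checking the modhex alphabet and that the OTP's prefix matches the key registered for the user.

```python
import hmac
import re

# A YubiKey OTP is modhex: exactly these 16 letters.
MODHEX_RE = re.compile(r"^[cbdefghijklnrtuv]+$")
# Every YubiKey OTP is <public id prefix> + 32 modhex characters.
OTP_BODY_LEN = 32


def split_password_and_otp(combined: str, public_id: str):
    """Split a single "password followed by OTP" field into its two parts.

    public_id is the per-user OTP prefix stored in the database. Because the
    full OTP is always prefix + 32 modhex chars, its length is known up front,
    so everything before that tail is the user's password.
    Returns (password, otp) or raises ValueError on malformed input.
    """
    otp_len = len(public_id) + OTP_BODY_LEN
    # Strictly longer: an empty password would silently turn this into
    # single-factor (possession only) authentication.
    if len(combined) <= otp_len:
        raise ValueError("input too short to hold both a password and an OTP")
    password, otp = combined[:-otp_len], combined[-otp_len:]
    if not MODHEX_RE.match(otp):
        raise ValueError("OTP tail is not modhex")
    # The prefix must be the key registered for this user, otherwise any
    # valid OTP from any YubiKey would pass the split.
    if not hmac.compare_digest(otp[: len(public_id)], public_id):
        raise ValueError("OTP prefix does not match the registered YubiKey")
    return password, otp


if __name__ == "__main__":
    # Constructed sample values (not a real key).
    public_id = "ccccccbcgujh"
    otp = public_id + "hknhfjbrjnlnldnhcujvddbikngjrtgh"
    print(split_password_and_otp("correct horse" + otp, public_id))
```

After the split, the password is checked against the stored hash and the OTP is sent to the validation server; both must pass for the login to succeed.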