Yubico Forum https://forum.yubico.com/ |
|
Rohos Logon. Windows Login with YubiKey https://forum.yubico.com/viewtopic.php?f=8&t=155 |
Page 1 of 2 |
Author: | Rohos [ Fri Aug 01, 2008 8:44 am ] |
Post subject: | Rohos Logon. Windows Login with YubiKey |
Hi All, Let me introduce Rohos Logon Key with YubiKey support: http://www.rohos.com/yubikey.htm At the moment only Windows XP (x86/x64) are tested. Vista support in progress. Mac OS X login in development plans. Your feedback will be appreciated. Alex Silonosov. Rohos.com CEO. |
Author: | gmik [ Fri Aug 01, 2008 3:46 pm ] |
Post subject: | Re: Rohos Logon. Windows Login with YubiKey |
--------- does this work in dynamic otp mode? --------- |
Author: | Rohos [ Mon Aug 04, 2008 3:44 pm ] |
Post subject: | Re: Rohos Logon. Windows Login with YubiKey |
Yes it does. |
Author: | Snow [ Mon Aug 04, 2008 9:41 pm ] |
Post subject: | Re: Rohos Logon. Windows Login with YubiKey |
When will it support Vista? When will it support Mac & KeyChain? Do you plan to go open source on this project? Thanks for the good work! |
Author: | gmik [ Wed Aug 06, 2008 1:41 pm ] |
Post subject: | Re: Rohos Logon. Windows Login with YubiKey |
--------- Rohos wrote: Yes it does. Doesn't seem to (yet?), from this page: http://www.rohos.com/free-encryption/20 ... 8/yubikey/ http://www.rohos.com/free-encryption/2008/07/28/yubikey wrote: 3. In current release Rohos doesn’t check generated OTP on the server, or OTP validity. It only checks the key’s ID. --------- |
Author: | Rohos [ Wed Aug 06, 2008 2:34 pm ] |
Post subject: | Re: Rohos Logon. Windows Login with YubiKey |
gmik wrote: --------- Rohos wrote: Yes it does. Doesn't seem to (yet?), from this page: http://www.rohos.com/free-encryption/20 ... 8/yubikey/ http://www.rohos.com/free-encryption/2008/07/28/yubikey wrote: 3. In current release Rohos doesn’t check generated OTP on the server, or OTP validity. It only checks the key’s ID. --------- Sorry, it doesnt now. But we can do it if community will insist |
Author: | Rohos [ Wed Aug 06, 2008 2:36 pm ] |
Post subject: | Re: Rohos Logon. Windows Login with YubiKey |
Snow wrote: When will it support Vista? When will it support Mac & KeyChain? Do you plan to go open source on this project? Thanks for the good work! Today we published new update with Windows Vista (x64/x86) support. As for Mac's, I think we will make it in Octomber, as now we are making wireless lock by using Bluetooth enabled mobile... |
Author: | Simon [ Tue Aug 19, 2008 2:25 pm ] |
Post subject: | Re: Rohos Logon. Windows Login with YubiKey |
Rohos wrote: gmik wrote: --------- Rohos wrote: Yes it does. Doesn't seem to (yet?), from this page: http://www.rohos.com/free-encryption/20 ... 8/yubikey/ http://www.rohos.com/free-encryption/2008/07/28/yubikey wrote: 3. In current release Rohos doesn’t check generated OTP on the server, or OTP validity. It only checks the key’s ID. --------- Sorry, it doesnt now. But we can do it if community will insist I think it would be an excellent addition for your software, and would make more people interested in it. I believe you could have two modes: 1. Online validation. The OTP is validated against our server. This requires that the machine always has a working network connection. The user should configure the HMAC-key to use for validation and be able to change the server address (normally api.yubico.com). 2. Offline validation. This is for customers who only use the YubiKey for Windows login. The user needs to configure the software with the AES key, and it needs to keep track of the highest counter value seen so far for each yubikey. The YubiKey shouldn't be used for any other purpose in this mode, since there is no way to synchronize OTP re-use securely. What do you think? Thanks, Simon |
Author: | PatrickN [ Tue Aug 19, 2008 2:54 pm ] |
Post subject: | Re: Rohos Logon. Windows Login with YubiKey |
Simon wrote: 2. Offline validation. This is for customers who only use the YubiKey for Windows login. The user needs to configure the software with the AES key, and it needs to keep track of the highest counter value seen so far for each yubikey. The YubiKey shouldn't be used for any other purpose in this mode, since there is no way to synchronize OTP re-use securely. Could you expand on this a little please, I am not sure I understand the problems associated with synchronizing the OTP. How would this work for a typical corporate Laptop user? Most of the time they are in the office connected to the corporate LAN and validating online. But also have a need to travel away from the office possibly with no net access. |
Author: | Simon [ Tue Aug 19, 2008 3:27 pm ] |
Post subject: | Re: Rohos Logon. Windows Login with YubiKey |
PatrickN wrote: Simon wrote: 2. Offline validation. This is for customers who only use the YubiKey for Windows login. The user needs to configure the software with the AES key, and it needs to keep track of the highest counter value seen so far for each yubikey. The YubiKey shouldn't be used for any other purpose in this mode, since there is no way to synchronize OTP re-use securely. Could you expand on this a little please, I am not sure I understand the problems associated with synchronizing the OTP. How would this work for a typical corporate Laptop user? Most of the time they are in the office connected to the corporate LAN and validating online. But also have a need to travel away from the office possibly with no net access. First, let's restate the problem: The problem is that if you validate an OTP using the same AES key that api.yubico.com uses, the OTP you verify will be re-usable again on the api.yubico.com server. It will also be reusable on any other system that also validate OTPs based on the AES key. The reason is that the counter values aren't synchronized. The simplest solution is to only permit the YubiKey to be used for Windows login. Nothing else. Then you can use our personalization software to write a new AES key into your Yubikey, and configure your Windows login software to use that AES key. Your software needs to remember the counter values, so that you can't replay an OTP against it. However, since it is the only software that validates the OTPs, no synchronization is needed. There aren't any really good solutions to synchronize OTPs. You could make the Windows login software send the used OTPs to api.yubico.com when it becomes online, but there is a time window when someone could use these tokens if they could get access to them. There is also the security problem of having the AES key stored on your Windows platform, which is hardly immune to Trojans etc. If your AES key is compromised, someone can impersonate you on any service that supports Yubikey. /Simon |
Page 1 of 2 | All times are UTC + 1 hour |
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/ |