Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 2:11 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 3 posts ] 
Author Message
PostPosted: Thu Sep 07, 2017 7:10 pm 
Offline

Joined: Thu Sep 07, 2017 5:16 pm
Posts: 9
I have read all the documentation that i have found and this is what i have understand so far;
i'd like that a moderator confirm or deny my findings 1,2,3...; a yes or no for each point enough.
i know that there are many points but i hope that this can be useful also for other users as introduction to yubikey features and to understand possible attacks.
thanks <3

here "evil pc" means a compromised computer that can do anything a person in front of that computer can do (but can't touch the yubikey button)
while "bad person" means a person that can do everything "evil pc" can do and can *also* press the button

1- YubiKey4 has multiple *indipendent* parts (called applets):
- slot1
- slot2
- U2F
- CCID (smart card) to be used with yubico authenticator to store TOTP/HOTP
- PIV (i don't plan to use it nor i studied its details)
- OpenPGP

2- these are all the parts and i have not missed any

3- two slots can be locked/protected by using "configuration protection" and when protection is enabled *noone* even with physical access (so that can press the button) can disable it; configuration protection does this: prevent slot editing, resetting, disabling, reprogramming.
note that bruteforcing the code is not a problem for me, i think that it is infasible.
so an evil infected computer can do nothing, while any person can use it by touching the button as they were me.
while if i leave it unlocked an evil pc/person can lock me out forever (from editing it).

4- U2F can't be personalized/edited it is something that can only be turned on or off using yubikey manager

5- CCID (smartcard) can't be protected from resetting. i can add a password to prevent unauthorized access but i can't prevent resetting the applet to a factory default (empty).
so if the password is present, the best attack that a person with physical access (or an evil compromised pc) can do is a denial of service (deleting all credentials); again bruteforce password is no problem.

6- OpenPGP normal use can be protected from abuse by a virus by using this script: https://github.com/a-dma/yubitouch/blob ... bitouch.sh
with it you have to:
-set button to ON for all three keys (button required before it operate)
-set the button to FIX so that it can't be edited (turned off) with the same/any script
this is important because whitout it a virus can use a keylogger to log the pin and abuse the key while it is inserted to decrypt all what he want without user noticing. and thus the yubikey would be *USELESS*.
more info on this topic here: https://www.qubes-os.org/doc/split-gpg/
i understand that decrypting something on a compromised pc will allow the attacker to read it and encrypting something is useless because the attacker has an unencrypted copy.

7- OpenPGP can't be protected from a reset so a evil infected pc or a bad person can reset the applet following this procedure: https://developers.yubico.com/ykneo-ope ... pplet.html

8- what happens after the procedure at point 7 is followed?
-applet is resetted to factory default (empty)? (denial of service; i can always rewrite keys from a backup)
-pin retry count and pin value are restored to default value 123456(78) without losing the private key?
-other?

9- CCID (smart card) can store 32 credenials and is designed to be used only with yubico authenticator and i'm not missing some other uses/feautures of it.

10- is present a protection against bruteforcing?
-openPGP yes there is pin
-slot configuration protection? (for example try three codes and then you need to remove and attach again the key to try again)

11- i can mess, do experiments, click here and there wihout worring of doing a permanent damage with the exception of "configuration protection" code. everything else can be resetted/unlocked/restored to default.
this is probably the most important point, if you say that i don't risk to permanently lock the device i can do experiments to veryfiy some points myself (for example what happens when you give wrong pin many times and what the openPGP reset procedure does)

12- for each thing that can be stored the device is write-only and there is no way (by design) to read its private data back. (i understand that in future a sidechannel might be found or some other unknown bug).

13- what happens if i disable a feautre using yubikey manager? it is like hide and show (without losing any data) or it also reset that applet?

Thanks for your time and help.


Last edited by nesos on Sun Sep 10, 2017 9:41 am, edited 1 time in total.

Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Sat Sep 09, 2017 1:13 am 
Offline
Yubico Team
Yubico Team

Joined: Thu Oct 16, 2014 3:44 pm
Posts: 349
1 - correct
2 - correct
3 - correct
4 - correct
5 - mostly correct. The three CCID applets - OATH, OpenPGP, PIV can all be reset if a person has physical access to the key. This resets the applet to default state, deleting any stored credentials.
6 - correct
7 - correct, see 5
8 - see 5, PIN and Admin PIN restored to default, any identities or personal information deleted
9 - this is called OATH, and yes it's essentially a Google Authenticator replacement where secret keys are stored in hardware - https://github.com/Yubico/ykneo-oath. It's also only 1/3 of CCID (OpenPGP and PIV as well).
10 - No on configuration protection, attempts can be made indefinitely without a power cycle
11 - correct, the only things that can't be recovered from: (1) deleting the slot 1 OTP credential. You can program a new Yubico OTP credential but the Yubico programmed one cannot be restored. (2) setting an access code on one of the slots cannot be undone if you forget the code. (3) registered U2F credentials cannot be deleted (must be deleted from the service side, not the YubiKey).
12 - correct
13 - it just "hides" the feature. No credentials stored on the disabled mode are lost/altered.


Top
 Profile  
Reply with quote  
PostPosted: Sun Sep 10, 2017 9:43 am 
Offline

Joined: Thu Sep 07, 2017 5:16 pm
Posts: 9
Thanks for your great help!!
now that i got how it works i think that yubikey is even better than what i expected


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 3 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: Google [Bot] and 3 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group