Yubico Forum
https://forum.yubico.com/

Two Yubikeys with same public identity
https://forum.yubico.com/viewtopic.php?f=3&t=908
Page 1 of 1

Author:  alecw [ Wed Jan 09, 2013 4:09 pm ]
Post subject:  Two Yubikeys with same public identity

Hello,

If one is uploading material via https://upload.yubico.com/, can you overwrite the AES key etc for someone else's Yubikey if you know their public identity? If an attacker had a keylogger or something (or was able to physically steal the Yubikey for a moment to cause it to emit an OTP) and could get the public identity, could they not minimally cause a denial of service against the victim's Yubikey by overwriting their private identity and secret key?

many thanks,
alec

Author:  Tom [ Wed Jan 16, 2013 10:18 am ]
Post subject:  Re: Two Yubikeys with same public identity

Hello alecw,

Thank you for your question.

First let me define that we are talking about VV keys only. We do not allow users to change their Yubikey pre-configured keys (you cannot have a CC key with a different AES key than the one it is shipped with).

Now, in the domain of VV keys, what you are suggesting does not work because only one AES key can be associated with a public identity (1-to-1 binding). Therefore when you upload a new AES key (NK) and you tell the system to associate it with a certain public_id (PID), the system will first check if that PID exists. If it exists, it means that you cannot change the associated key (K) and therefore you will get the error message "this public_id already exists". Thus you will be unable to push the NK and replace the old K.

There is a catch though... while double-checking before providing you with an answer, we found a bug. This bug, under certain conditions, may allow you to overwrite an existing AES key of the VV domain, causing a denial of service.

Therefore, thank you very much for your post and rest assured that we are going to fix this as soon as possible.

Regards,
Tom.
