Yubico Forum


All times are UTC + 1 hour




Posted: Sun Feb 22, 2015 3:51 am

Joined: Tue Nov 18, 2014 9:14 pm
Posts: 95
Location: San Jose, CA
I've been doing a lot of thinking about the security of my Yubikey against NFC denial of service attacks (which it is completely insecure against), and I think I've got some changes that would significantly mitigate any damage that an unknown attacker could achieve via NFC.

These changes seem like they would be easy to implement and would contribute greatly to my own peace of mind, without preventing people from doing what they've already been doing if they don't care about this kind of attack:

PIV Applet

Add the ability to configure the Yubikey NEO PIV applet (using a command which requires the management key) to behave according to SP 800-73-3 with respect to NFC. As in, I'd like to be able to configure the applet to only allow the retrieval of the CHUID, Discovery object, and the cert for key 9E, as well as only allow signing for key 9E, when accessed via NFC. All operations that would require a PIN wouldn't be allowed over NFC, and any attempt to even authenticate with a PIN wouldn't be allowed either (preventing the PIN retry count from being exhausted). This prevents someone from locking me out of the PIV app via NFC.

OpenPGP Applet

Add the optional ability to configure the Yubikey OpenPGP app to disallow access via NFC.

OATH Applet

Prevent the app from accepting a command to reset the app over NFC unless the reset command is authenticated. (The reset command can still be sent unauthenticated via USB.)

NDEF Applet

Allow the user to disable the NDEF applet.
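
The NFC behaviour requested above for the PIV applet, sketched as an added example that is not part of the original post and not Yubico's code: a default-deny filter on command APDUs, keyed by interface. The instruction bytes and object tags follow the PIV card command set in SP 800-73; the function names and sample APDUs are constructed for illustration.

```python
# Added illustration of the requested policy, not applet code.
# INS bytes and object tags are from NIST SP 800-73; names are hypothetical.
INS_SELECT, INS_VERIFY, INS_GET_DATA, INS_GENERAL_AUTH = 0xA4, 0x20, 0xCB, 0x87
KEY_CARD_AUTH = 0x9E

# Data objects the post wants readable over NFC (BER-TLV tags used in GET DATA).
NFC_READABLE = {
    bytes.fromhex("5FC102"): "CHUID",
    bytes.fromhex("7E"): "Discovery Object",
    bytes.fromhex("5FC101"): "Certificate for key 9E",
}

def requested_tag(data: bytes):
    """Extract the object tag from a GET DATA field of the form 5C <len> <tag>."""
    if len(data) < 3 or data[0] != 0x5C or data[1] != len(data) - 2:
        return None
    return bytes(data[2:])

def allowed(apdu: bytes, interface: str) -> bool:
    """Return True if the command APDU may reach the applet on this interface."""
    if interface == "usb":
        return True                        # USB behaviour is unchanged
    if len(apdu) < 4:
        return False
    ins, p1, p2 = apdu[1], apdu[2], apdu[3]
    data = apdu[5:5 + apdu[4]] if len(apdu) > 5 else b""  # short APDUs only
    if ins == INS_SELECT:
        return True
    if ins == INS_GET_DATA:
        return (p1, p2) == (0x3F, 0xFF) and requested_tag(data) in NFC_READABLE
    if ins == INS_GENERAL_AUTH:
        return p2 == KEY_CARD_AUTH         # P2 carries the key reference
    # Default deny: VERIFY, CHANGE REFERENCE DATA, PUT DATA and the rest are
    # rejected before they can touch the PIN retry counter.
    return False

if __name__ == "__main__":
    samples = {                            # constructed sample APDUs
        "GET DATA CHUID": "00CB3FFF055C035FC10200",
        "GET DATA cert 9A": "00CB3FFF055C035FC10500",
        "VERIFY PIN": "0020008008313233343536FFFF",
        "GENERAL AUTHENTICATE 9E": "0087079E027C00",
    }
    for name, hexstr in samples.items():
        print(f"{name:26} nfc={allowed(bytes.fromhex(hexstr), 'nfc')}")
```

Rejecting VERIFY before the applet processes it is what keeps the retry counter from being decremented over NFC; rejecting it after a failed comparison would not.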

