Yubico Forum
https://forum.yubico.com/

AES Key Distribution, how do you want it?
https://forum.yubico.com/viewtopic.php?f=8&t=75
Page 2 of 2

Author:  Massyn [ Mon Jun 16, 2008 3:21 am ]
Post subject:  Re: AES Key Distribution, how do you want it?

Hi guys,

I would propose, for developers: how about including the AES key printed on the invoice included with the shipping? I would not want to get it through the web, for the risk of someone hijacking my OTP and getting the AES key before me.

For large quantities, I would prefer a secure https web delivery method, where 1 of the Yubikeys in the package should be a "special" one that is required to unlock the website, call it a bright shiny red Admin key, not for general use, simply for the admin page on Yubico. When ordering a few hundred keys, having 1 extra for admin purposes wouldn't be a problem.

Cheers

Phil Massyn

Author:  pablot [ Mon Jun 16, 2008 4:54 pm ]
Post subject:  Re: AES Key Distribution, how do you want it?

Simon wrote:
To clarify, if anyone wants to get the AES key in their own yubikey, just send me an OTP for your device and we'll take care of it manually.

This thread is about how to do this "properly" in the future.

/Simon



Oops! I'm sorry, I do want my AES key and have sent you a PM with an OTP of my yubikey.

pablot

Author:  pablot [ Wed Jul 30, 2008 1:57 am ]
Post subject:  Re: AES Key Distribution, how do you want it?

Hi Simon, can I send you my GnuPG public key and a couple of OTPs from two yubikeys so you can send me an ENCRYPTED email with the two AES keys?

Thank you,
Pablo

PS: please let me know your email address so I can email you.

Author:  paul [ Thu Jul 31, 2008 2:33 am ]
Post subject:  Re: AES Key Distribution, how do you want it?

Yes, it is the way it works before Simon implements the state-of-the-art way of delivery. You can email your 2 OTPs as proof of possession and your GPG (or PGP) key to Support@Yubico.com

Cheers :geek:

Author:  pablot [ Fri Aug 01, 2008 12:37 am ]
Post subject:  Re: AES Key Distribution, how do you want it?

paul wrote:
Yes, it is the way it works before Simon implements the state-of-the-art way of delivery. You can email your 2 OTPs as proof of possession and your GPG (or PGP) key to Support@Yubico.com

Cheers :geek:


Ok, thank you. I've just sent the email. :D

Author:  paul [ Thu Sep 11, 2008 7:10 pm ]
Post subject:  Re: AES Key Distribution, how do you want it?

Folks, here is a new way, the web way of doing it here and now:

viewtopic.php?f=5&t=185

Cheers

Author:  Robert [ Fri Sep 12, 2008 9:32 am ]
Post subject:  Re: AES Key Distribution, how do you want it?

Massyn wrote:
Hi guys,

I would propose, for developers: how about including the AES key printed on the invoice included with the shipping? I would not want to get it through the web, for the risk of someone hijacking my OTP and getting the AES key before me.

For large quantities, I would prefer a secure https web delivery method, where 1 of the Yubikeys in the package should be a "special" one that is required to unlock the website, call it a bright shiny red Admin key, not for general use, simply for the admin page on Yubico. When ordering a few hundred keys, having 1 extra for admin purposes wouldn't be a problem.

Cheers

Phil Massyn


I definitely agree with what Phil said. It cannot be that someone can just use one or two OTPs of a YubiKey and get the full AES key. It doesn't matter by what means (https, PGP, etc)! That's just not secure, and we talk about security if we talk about the YubiKey. It would undermine the security of all YubiKeys out there.

The proposal of Phil's is probably a feasible and secure way and it assures that only the receiver of one or a bunch of YubiKeys can get access to the original AES keys. The process described is pretty secure and it addresses single key handling as well as high volume handling with the 'red-key'.

Of course, at the current state it might be that in some exceptions the 'current process' is applied. But for the future, a secure process needs to be implemented.

Author:  paul [ Sat Sep 13, 2008 6:40 am ]
Post subject:  Re: AES Key Distribution, how do you want it?

Robert & Phil,

Agreed fully!

Thanks

All times are UTC + 1 hour