Yubico Forum


All times are UTC + 1 hour




PostPosted: Mon Jun 16, 2008 3:21 am 
Joined: Mon Jun 16, 2008 3:10 am
Posts: 25
Location: Sydney, Australia
Hi guys,

I would propose that, for developers, the AES key be printed on the invoice included with the shipment. I would not want to get it through the web, for the risk of someone hijacking my OTP and getting the AES key before me.

For large quantities, I would prefer a secure https web delivery method, where 1 of the YubiKeys in the package is a "special" one that is required to unlock the website; call it a bright shiny red Admin key, not for general use, simply for the admin page on Yubico. When ordering a few hundred keys, having 1 extra for admin purposes wouldn't be a problem.

Cheers

Phil Massyn


PostPosted: Mon Jun 16, 2008 4:54 pm 
Joined: Sun Jun 15, 2008 1:53 am
Posts: 4
Simon wrote:
To clarify, if anyone wants to get the AES key in their own yubikey, just send me an OTP for your device and we'll take care of it manually.

This thread is about how to do this "properly" in the future.

/Simon



Oops! I'm sorry, I do want my AES key and have sent you a PM with an OTP of my YubiKey.

pablot


PostPosted: Wed Jul 30, 2008 1:57 am 
Joined: Sun Jun 15, 2008 1:53 am
Posts: 4
Hi Simon, can I send you my GnuPG public key and a couple of OTPs from two YubiKeys so you can send me an ENCRYPTED email with the two AES keys?

Thank you,
Pablo

PS: please let me know your email address so I can email you.


PostPosted: Thu Jul 31, 2008 2:33 am 
Joined: Wed May 07, 2008 5:25 pm
Posts: 110
Location: Sunnyvale, California
Yes, it is the way it works before Simon implements the state-of-the-art way of delivery. You can email your 2 OTPs as proof of possession and your GPG (or PGP) key to Support@Yubico.com

Cheers :geek:

_________________
The YubiKey Server Guy


PostPosted: Fri Aug 01, 2008 12:37 am 
Joined: Sun Jun 15, 2008 1:53 am
Posts: 4
paul wrote:
Yes, it is the way it works before Simon implements the state-of-the-art way of delivery. You can email your 2 OTPs as proof of possession and your GPG (or PGP) key to Support@Yubico.com

Cheers :geek:


Ok, thank you. I've just sent the email. :D


PostPosted: Thu Sep 11, 2008 7:10 pm 
Joined: Wed May 07, 2008 5:25 pm
Posts: 110
Location: Sunnyvale, California
Folks, here is a new way, the web way of doing it here and now:

viewtopic.php?f=5&t=185

Cheers

_________________
The YubiKey Server Guy


PostPosted: Fri Sep 12, 2008 9:32 am 
Joined: Sun Aug 17, 2008 7:06 pm
Posts: 11
Location: Switzerland
Massyn wrote:
Hi guys,

I would propose that, for developers, the AES key be printed on the invoice included with the shipment. I would not want to get it through the web, for the risk of someone hijacking my OTP and getting the AES key before me.

For large quantities, I would prefer a secure https web delivery method, where 1 of the YubiKeys in the package is a "special" one that is required to unlock the website; call it a bright shiny red Admin key, not for general use, simply for the admin page on Yubico. When ordering a few hundred keys, having 1 extra for admin purposes wouldn't be a problem.

Cheers

Phil Massyn


I definitely agree with what Phil said. It cannot be that someone can just use one or two OTPs of a YubiKey and get the full AES key. It doesn't matter by what means (https, PGP, etc.)! That's just not secure, and we are talking about security when we talk about the YubiKey. It would undermine the security of all YubiKeys out there.

Phil's proposal is probably a feasible and secure way, and it assures that only the receiver of one or a bunch of YubiKeys can get access to the original AES keys. The process described is pretty secure and addresses single key handling as well as high volume handling with the 'red key'.

Of course, at the current stage it might be that in some exceptional cases the 'current process' is applied. But for the future, a secure process needs to be implemented.

_________________
YubiKey & OpenID/SAML => web security without compromising usability!


Last edited by Robert on Sat Sep 13, 2008 2:14 pm, edited 2 times in total.

PostPosted: Sat Sep 13, 2008 6:40 am 
Joined: Wed May 07, 2008 5:25 pm
Posts: 110
Location: Sunnyvale, California
Robert & Phil,

Agreed fully!

Thanks

_________________
The YubiKey Server Guy

