Yubico Forum

Q: What do you use for a source of entropy on the device? How cryptographically secure is the PNRG on it? It seems hard to implement a robust PNRG on such a small device. Is the device firmware-upgradable by any means? Or is it hard-coded once it leaves the factory?

A: Yes, there are counters that can wrap if the device is used heavily. One can always argue if these limitations are sound, but we beleive it will be more than enough for most users.Our math and our rationale in this matter is as follows:

Use counter is 15 bits and the session counter 1 byte. Briefly, this means that the device can generate 32768
OTPs after power-up, and while powered, 256 OTPs can be generated. The worst case is a user that only generates one OTP at each power-up and the lifetime would then be
limited to 32768 OTPs. That may sound like a small number, but assume an average of 10 generated OTPs per day. That means that the device would be okay to usefor almost hundred years... Generating 100 OTPs per day would allow it to be used for about 9 years.

Allowing the 15-bit counter to wrap would open up for a potential replay of previous OTPs. The server could of course keep old OTPs and rely on the RNG to track such attempts. As there is no obvious sign of a wrap,an attacker could not tell if it is meaningful to do a replay. But, we think this should not be necessary to use at all.
Bottom line: We sincerely believe this is not anything that limits the lifetime of the device. Considering such intensive usage, the device would most like die of wear and tear during that timeframe.

Regarding the random number, it is actually quite good as we have some non deterministic and stochastic hardware properties on-board. The RNG itself is a
16-bit LFSR and it is fed by a temperature- and chip dependent oscillator and a high-speed oscillator. The touch key generates a highly unstable, temperature
dependent and chip-dependent (not the same chip as the first one) frequency, which varies wildly with the proximity of the finger.

We're currently using a standard USB chip and are somewhat in the hands of our vendor regarding the physical security of the chip. We are in the process of developing a custom chip, having all hardware protection features on-chip.

Ok that make 32767 value but what happen to the 16 bits?
is it reserve?
is it already assign to something else?

Thanks
Patgadget

_________________
Patgadget
Montreal

The 16th bit is reserved to indicate whether the yubikey was triggered by using the caps-lock or not. Since we have removed this option, we could reclaim the bit but we save this change until we can make a V.2 of the firmware.

/Simon

Let me clarify that the cryptographic security of the device doesn't depend on the random values to be cryptographically secure -- they are just there to add some fuss. Even if they are completely predictable, an attacker should not be able to gain any advantage from this because AES is assumed to be secure against known-plaintext attacks. In other words, known plaintext/ciphertext pairs doesn't help you find the encryption key faster than exhaustive search.

/Simon