Yubico Forum

Hi,

I have to say, that I'm really dissapointed by the yubikey 2.2, especially by the static password mode.

I ordered the Yubikey 2 to get a strong static password for my TrueCrypt encrypted System.
When I ordered, I got the impression that I can create really strong/long passwords. What I got is a result I don't trust in.
The following things are freaking me:

The strong password policy of the Personalization Tool (running in: Windows 7, 64 Bit) is useless, because:

- The special character seems to be a ! every time (an attacker could know this => weakening of the password)
- The settings "Mix upper and lower case" and "Mix alpha and numering" are completely useless, because, they influence only the first 5-6 chars and then, only
lower letters are following. And: Most of the time, only 1-2 numbers are used (both: an attacker could know this => weakening of the password)

Some examples:

!45CDtflhvvfuvhjduihduhdctelhgfrbuhthjirdtdcdhcfugcnvdrgfgtbeteun


This points let me doubt, that there is enough entropy at all into the whole password. Maybe, there are other statistical phenomena I can't find due to a lack of competence
here - but an experienced attacker may could!!

The following examples of doubles seem to be support my theory:

!21RHbvtbtrkcbddnndjtifbktbcnjjlhfvblnrcdiitnfvhdjvvfjgbvutvnckir

I analyzed those passwords in two ways:

Analyzing entropy in KeePass and using the Website https://passwortcheck.datenschutz.ch

The result: If I analyze the Password in KeePass, I get around 150-170 bits of entropy. BUT: If I delete those weak, guessable parts (see above!), I only get 110-115 bits. Thats far from what could be possible!
The result of the analyzation Website: It says, that some of those Passwords are WEAK (I got 20-60 from 100 possible points). I think: 'nuff said at this point...


I'm more and more unhappy with this device and even more so, because manual and website don't tell the truth in clear words.

You have to search the forum to find out, that Yubico blames CryptGenRandom for the results, but that is not OK - at least, as long yubico don't offers a manual or tutorial Video that show (based on the current version of the Personalization Tool!!!), how to get really strong, high entropy passwords.


To cut a long story short:

At the moment I don't trust the Yubikey and won't use it for security related purposes. I get the impression, that the Yubikey was a waste of money for me and my purposes.

The crypto analysis you have applied here is somewhat naive. Let me try to explain. I will leave aside the provisions for numbers, non-modhex characters, and the "!" special character for the moment, and discuss them more at the end. Take for now only the max size 64 character modhex encoded password.

You can calculate the entropy in two ways.

Outside in:
Assuming all the characters of a password are generated completely randomly from the character space, and a good random number generator (the one in windows is by far "good enough"), the amount of entropy of the static password can be calculated exactly. You must know the character space used (16 characters) and the number of characters in the password.

A 16 character encoding scheme such as modhex encodes 4 bits per character. Thus our 64 character password has an entropy of (16*4) = 256 bits exactly.

Inside out:
(I will simplify away a few details). The yubikey has two main registers of 16 bytes each. When a maximum size strong static password is generated, these registers are completely filled with random bits. Thus the entropy of the password is 16*2*8bits = 256 bits exactly.

The reason you do not get this result in your tools is that they don't know anything about the theoretical character space used or the randomness of your generator. Thus they must take your single string and try to guess the character space (which they probably assume is ascii, which is incorrect as it's much smaller), and the amount of randomness (almost impossible to do correctly).

If you could pass a long stream of randomly generated 64-character modhex passwords into these tools, and have them analyze the entire corpus, they would converge to a conclusion of approximatel 256 bits of entropy.

256 bits is an insanely secure password and completely impractical to brute force. In fact it is likely that the hash stored by any given security service is only 16 bytes long (MD5). This means the password could have twice as much entropy as the hash which protects the account! Anyway, you are far more susceptible at this stage to other forms of attack such as the password being intercepted by a key logger or from some other "man in the middle" attack.

Now, let us talk about the special characters and alphanums. Those are not added to the yubikey to increase strength (which is already known to be 256 bits). They are added only to appease password entry systems which assume any password that does not contain numbers and other characters must be weak. These systems ASSUME human created passwords and have no facility to test the actual strength, even simple guessing like keepass does.

So in the past before 2.2, we know the password is strong, but still can't use it on these systems. My recommendation was always to add some characters yourself before pressing the yubikey button. This is still a great idea, because then a short amount of the password is "in your head" only, which mitigates the danger of getting your key stolen. It adds a little bit of "two factor" benefit, even though of course a man in the middle could still steal the entire password after you enter it.

Anyway, in 2.2 you can now sprinkle in some special characters to appease simple-minded password systems that use presence of numbers, case, and specials as a way to gauge complexity. As shown above, the yubikey static password strength does not rely on these factors.

OK, you say, but why not just use a much larger alphabet than the 16 modhex characters, wouldn't that add entropy? Well, go back up to the "inside out" analysis. We only have a total of 32 bytes of register to store data in. You can emit this as 64 characters if you use a language of 16 symbols (modhex). You can emit it as 256 characters in a language of binary (0 or 1, a or b, etc). Or other length depending on the character language you use. But no matter what way you output the information, it still carries precisely the same entropy.

If you want to actually add REAL entropy, you have to have more memory in the device to use than 32 bytes, and fill that up with randomness. Bigger memory in the key would cost money, size, weight, programming overhead, and other design decisions that yubico would have to make. But why, when they are already generating 256 bit entropy passwords, would they even bother with such a thing?

Lastly, don't be too worried about repeated characters. That kind of thing only helps you if you can make predictions about the kind of repetition that is being used. With totally random generation, you should expect a small amount of clustering. To your human eye, you would rather that no observable pattern be found. But in fact, if the passwords were limited to only things that "looked evenly distributed", that would severely *decrease* the effective entropy. A clever attacker could use the knowledge that the passwords were unlikely to have any repeating parts to prune their brute forcing technique and only try things that a human would see as "random enough". Don't let your pattern seeking nature fool you into thinking the entropy is any less than it really is!

I hope this helps lay some of your concerns to rest.

Thanks, ferrix for a good elaboration on this topic.

A few additional comments is that it is important to understand what the static mode is good for.

We've discussed the static mode before and the "weak" properties of a >= 128-bit random string, generated by CryptGenRandom. As the default mode only uses the 16 Modhex characters, a general-purpose password strength checking tool analyzing the output of the static Yubikey would give an invalid result.

Without trying to release a cloud of grey smoke, in order to remove your doubts, use a tool like http://www.grc.com/passwords.htm , which undoubtedly generates good random passwords. Go there and check it out. Analyze the result using your favourite tool. Take the hexadecimal input and input it as static input to the Yubikey using the new feature "Fixed input 32-64 characters" in the configuration tool. Check the output of the Yubikey again and see what the tool says. We've not done anything to lower the entropy, but here the tool (at least the ones I've seen) reveal their limitations.

Another litmus test is to take a generated static output, let's take cbdefghijklnrtuvdfedtbdntinvkidijigcnbejchntgnrd as an arbitrary example. Let's assume I've taken this 128-bit output from my temperature-quantum noise-lava lamp-radioactive decay source, making it complete random. I've just coded the 128-bits binary string into 32 Modhex characters.

1. Take some tool like http://www.passwordmeter.com/ and check the string. We get score 24% which is weak !! (how could possibly any 32 character password be weak ??)
2. Take the same string again, but replace for example all "c" with "3" and run the test again.
3. Voilá - we're now up to 99% and the output is now "very strong". Hey - we didn't do anything to the entropy really, did we ?
4. Now add some extra obfuscation - replace say all "b" with "$", "h" with "H" and "u" with "U" and we're up to 100%

Ergo – by simply making a simple substitution change to the Modhex coding, we increase the strength from 24% to 100%. I guess this somewhat tells what this is about.

As a final word, the '!' and numeric input feature is just to "fool" systems with password policies, requiring non-alpha input. It does nothing to increase the entropy and it has never been the intention.


With the best regards,

JakobE
Hardware- and firmware guy @ Yubico