Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 5:48 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 14 posts ]  Go to page 1, 2  Next
Author Message
PostPosted: Thu Jan 08, 2009 10:30 pm 
Offline

Joined: Fri Jun 20, 2008 2:59 am
Posts: 84
I am posting for dallen, since he has set his yubikey to static password mode, and this forum is impossible to use without a yubico-programmed key. Below is my (slightly edited) transcription of his help request:

dallen wrote:
I purchased the Yubikey to use as a static password token with TrueCrypt's pre-boot authentication. The Yubikey does not seem to function during the pre-boot stage. I get nothing out of the Yubikey except a continuous and perpetual flashing green light.

The problem occurs during TrueCrypt's pre-boot screen which is prior to the OS booting. My laptop is a Voodoo (prior to being acquired by HP). It has an Intel Centrino with 2 gigs of ram and a 100Gb harddrive. The BIOS is called Insyde.

My desktop is a system that I built myself and is fairly new. It has an EVGA motherboard (122-CK-NF68-A1) that runs Phoenix BIOS and has the 680i chipset. It has 4Gb of Corsair Dominator RAM. The processor is an Intel E6600 Core 2 Duo. It has an EVGA e-GeForce 8800GTS 640 MB graphics card (640-P2-N821-AR).

Regarding how TrueCrypt is set up, I have version 6.1a with whole drive encryption on the system. Therefore, when you power up the system after the BIOS initiates you are greeted with a welcome screen that asks for the password. If you fail to input the correct password, the system does not boot. If you enter the correct password, the decryption is done on the fly and the system boots. This is the stage that I would like to utilize the Yubikey.

Currently, my USB keyboard on my desktop allows me to input text. However, booting that same system even with the Yubikey inserted into the same USB port that my USB keyboard was inserted yields no output from the Yubikey upon prompting with my finger.

If there is any additional information that will be of use, please ask.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Fri Jan 09, 2009 3:43 pm 
Offline
Yubico Team
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
Thank you for sending this information. We will look into it and get back to you as soon as possible.


Top
 Profile  
Reply with quote  
PostPosted: Sat Jan 10, 2009 5:49 pm 
Offline
Site Admin
Site Admin

Joined: Wed May 28, 2008 7:04 pm
Posts: 263
Location: Yubico base camp in Sweden - Now in Palo Alto
I recently got a question in this matter and yes - the Yubikey does not include the "Boot interface subclass" which means that it does not work until the operating system has booted up.

This is "by design" and given the intended usage, I could not really see any reason to make it available "pre boot".

But with the introduction of the static OTP feature, this may have changed. Please give feedback if you see any reason to change this behavior in a future firmware upgrade. It is not a big deal to change it if needed, but a good motivation would be appreciated.

With the best regards,

JakobE
Firmware- and hardware guy @ Yubico


Top
 Profile  
Reply with quote  
PostPosted: Sat Jan 10, 2009 8:25 pm 
Offline

Joined: Fri Jun 20, 2008 2:59 am
Posts: 84
JakobE wrote:
Please give feedback if you see any reason to change this behavior in a future firmware upgrade. It is not a big deal to change it if needed, but a good motivation would be appreciated.


Any whole-system encryption software such as Truecrypt will require password entry at this stage. There are several people who bought yubikeys thinking they could do this (there was a mention of this use on the Security Now podcast)

Your site touts truecrypt compatibility. You should make a disclaimer that it cannot work with truecrypt when it is used to encrypt the system drive.


Top
 Profile  
Reply with quote  
PostPosted: Sat Jan 10, 2009 10:00 pm 
Offline

Joined: Sat Jan 10, 2009 9:55 pm
Posts: 2
I just purchased 2 Yubikeys for use in pre-boot authentication on my new netbook, based upon info I heard on a Security-Now podcast.

It would be fairly disappointing to find they would not work for me this way. So, yes, please make the firmware upgrade that enables this.

- Tom


Top
 Profile  
Reply with quote  
PostPosted: Sat Jan 10, 2009 11:34 pm 
Offline
Site Admin
Site Admin

Joined: Wed May 28, 2008 7:04 pm
Posts: 263
Location: Yubico base camp in Sweden - Now in Palo Alto
Well - then it seems like this feature has changed status from a "nice to have" to a "must have".

Therefore, I've just put together an unofficial 1.3.3 version with an updated descriptor making it a pre-boot HID device. Computers with a reasonably modern BIOS supporting USB keboards at startup should therefore detect and enumerate the Yubikey at POST stage.

I beleive this fixes the issue but as I'm not a TrueCrypt guy, I'm not the right one to test it in its intended context. Guinea pig candidates who intend to use TrueCrypt at startup are therefore welcome to ask for a 1.3.3 Yubikey. I can send out a few in beginning of the coming week with priority mail.

Please send an e-mail to jakob at yubico dot com and I'll ensure that the keys get sent right away, free of charge. Although I can probably back-track orders via our shipping guys to get a delivery address it really helps if you supply your delivery mail address.


With the best regards,

Jakob E
Hardware- and firmware guy @ Yubico


Top
 Profile  
Reply with quote  
PostPosted: Sat Jan 10, 2009 11:41 pm 
Offline

Joined: Fri Jun 20, 2008 2:59 am
Posts: 84
JakobE wrote:

I beleive this fixes the issue but as I'm not a TrueCrypt guy, I'm not the right one to test it in its intended context.


Jakob, before sending them out I recommend you set your system to use a BIOS boot password and see if the new yubikey works with that in your lab.

Or maybe you already did that and now only want to check for truecrypt users?


Top
 Profile  
Reply with quote  
PostPosted: Sun Jan 11, 2009 1:38 am 
Offline
Site Admin
Site Admin

Joined: Wed May 28, 2008 7:04 pm
Posts: 263
Location: Yubico base camp in Sweden - Now in Palo Alto
That has been done and it is verified that the Yubikey emits its string in the BIOS setup now. Given that the green light goes into steady state directly after POST is also a reliable sign that the behavior has changed with this fix.

It is not an "obscure" fix or very much of a questioning if it works as such. Up until 1.3.2, the device does not include this function so it really can't work. Now, the device is set to have the HID sub class 1 and protocol 1 which means it is a boot device.

Under Windows this can be verified under the Device Manager:

1. Fire up the Device Manager
2. Locate the Yubikey under Human Interface Devices
3. Check the "Details" tab
4. Locate the "Compatible IDs" item in the drop-down list.
5. SubClass 00 and Prot 00 indicates that it is not a pre-boot device. SubClass 01 and Prot 01 indicates it is a pre-boot device.

I am just keen to have it verified that it really works with TrueCrypt and that there is no other quirk that needs to be fixed in order for it to work in a pre-boot environment.

Regards,

Jakob E
Hardware- and firmware guy @ Yubico


Top
 Profile  
Reply with quote  
PostPosted: Sun Jan 11, 2009 5:19 am 
Offline

Joined: Fri Jun 20, 2008 2:59 am
Posts: 84
JakobE wrote:
That has been done and it is verified that the Yubikey emits its string in the BIOS setup now. Given that the green light goes into steady state directly after POST is also a reliable sign that the behavior has changed with this fix.


Good. I do not mean to doubt your testing ability :)

Myself I am not using Truecrypt but I know others are monitoring this thread and I'm sure you will get requests to fill your testing. If not let me know and I can ask for volunteers from GRC.


Top
 Profile  
Reply with quote  
PostPosted: Sun Jan 11, 2009 8:51 am 
Offline

Joined: Sat Jan 10, 2009 9:55 pm
Posts: 2
JakobE wrote:
Well - then it seems like this feature has changed status from a "nice to have" to a "must have".

Therefore, I've just put together an unofficial 1.3.3 version with an updated descriptor making it a pre-boot HID device. Computers with a reasonably modern BIOS supporting USB keboards at startup should therefore detect and enumerate the Yubikey at POST stage.

I beleive this fixes the issue but as I'm not a TrueCrypt guy, I'm not the right one to test it in its intended context. Guinea pig candidates who intend to use TrueCrypt at startup are therefore welcome to ask for a 1.3.3 Yubikey. I can send out a few in beginning of the coming week with priority mail.

Please send an e-mail to jakob at yubico dot com and I'll ensure that the keys get sent right away, free of charge. Although I can probably back-track orders via our shipping guys to get a delivery address it really helps if you supply your delivery mail address.


With the best regards,

Jakob E
Hardware- and firmware guy @ Yubico


Jakob -

You've got mail.

I'll be happy to test with TrueCrypt and report back here.

- Tom


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 14 posts ]  Go to page 1, 2  Next

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 5 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group