Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 7:09 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 9 posts ] 
Author Message
PostPosted: Wed Sep 10, 2008 10:52 pm 
Offline

Joined: Tue Sep 02, 2008 5:11 am
Posts: 5
We are an IT company and have many many passwords that we need to keep track of for the various systems we use internally, vendor systems and client systems. How can I use yubikeys deployed to my users to build a password system that encrypts the passwords stored in the database, but allows the use of the yubikey to decrypt the password when requested?

I can't wrap my head around how the encryption will work. Traditionally, the yubikey is used only to verify that a person is who they say they are. I need to do more than that.

-Chris


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Thu Sep 11, 2008 1:40 am 
Offline

Joined: Fri Jun 20, 2008 2:59 am
Posts: 84
Neat application.

Is this a central database or does each user have a separate set of secrets that need to be encrypted?


Top
 Profile  
Reply with quote  
PostPosted: Thu Sep 11, 2008 1:50 am 
Offline

Joined: Tue Sep 02, 2008 5:11 am
Posts: 5
Central database of passwords, it'll be a web application. I can either encrypt once, or each time for each yubikey if I need to. I just don't know how to do the encryption. How can I use the yubikey to authenticate and encrypt the passwords for each user to view? I specifically want to require the yubikey each time a password is retrieved.

-Chris


Top
 Profile  
Reply with quote  
PostPosted: Thu Sep 11, 2008 11:14 pm 
Offline
User avatar

Joined: Wed May 07, 2008 5:25 pm
Posts: 110
Location: Sunnyvale, California
ee99ee wrote:
Central database of passwords, it'll be a web application. I can either encrypt once, or each time for each yubikey if I need to. I just don't know how to do the encryption. How can I use the yubikey to authenticate and encrypt the passwords for each user to view? I specifically want to require the yubikey each time a password is retrieved.

-Chris


Did you consider using the unique Yubikey ID (the first 12 chars of an OTP) to construct the encryption key to encrypt the user's passwords?

If you are concerned someone uses the Yubikey personalization tool to clone the same Yubikey ID as the user's, the clone's OTP validation would fail, unless they have the AES secret key you have.

_________________
The YubiKey Server Guy


Top
 Profile  
Reply with quote  
PostPosted: Thu Sep 11, 2008 11:50 pm 
Offline

Joined: Tue Sep 02, 2008 5:11 am
Posts: 5
Good idea, but I want to use 256-bit CBC Rijndael, so I need a 32 byte key. I could pad the 12 characters from the Yubikey with static data, but that weakens the key doesn't it?

-Chris


Top
 Profile  
Reply with quote  
PostPosted: Fri Sep 12, 2008 5:05 am 
Offline

Joined: Tue Sep 02, 2008 5:11 am
Posts: 5
Well, here is another problem. If I encrypt each password with each yubikey, when someone adds a new password they will only be able to encrypt it with their own key, so no one else can decrypt the password. Maybe I can setup the following chain:

User Key -> Master Key -> Password

Whereas, the master key encrypts the password, and the users' keys are used to decrypt the master key. Although the users' keys will not add any more security, as the weakest point of the system will be the master key; by using individual user keys, this will allow for revocation and I plan to never expose the master key to the user.

-Chris


Top
 Profile  
Reply with quote  
PostPosted: Mon Sep 15, 2008 6:39 pm 
Offline
User avatar

Joined: Wed May 07, 2008 5:25 pm
Posts: 110
Location: Sunnyvale, California
ee99ee wrote:
Well, here is another problem. If I encrypt each password with each yubikey, when someone adds a new password they will only be able to encrypt it with their own key, so no one else can decrypt the password. Maybe I can setup the following chain:

User Key -> Master Key -> Password

Whereas, the master key encrypts the password, and the users' keys are used to decrypt the master key. Although the users' keys will not add any more security, as the weakest point of the system will be the master key; by using individual user keys, this will allow for revocation and I plan to never expose the master key to the user.

-Chris


Sounds a good idea to me in your use case! I suppose the Master key sits only in the backend, and preferably inside a h/w crypto device and never leaves it. Access to it requires a Yubikey plus maybe a personal PIN for authentication. User name is not necessary since from the Yubikey ID you know which user owns it.

Then by enforcing each Yubikey's access rights to certain accounts, you should be able to achieve the personalized experience, and maybe account sharing: Say if S is a shared account below, instead of emailing account-S password to everyone in your team, you can set it up like this:

* User-a uses Yubikey-a can access accounts A, S

* User-b uses Yubikey-b can access accounts B, S

Take a look at MashLife.com, it is a public web-based service for the similar purpose.

Best

_________________
The YubiKey Server Guy


Top
 Profile  
Reply with quote  
PostPosted: Fri Sep 19, 2008 7:10 am 
Offline

Joined: Tue Sep 02, 2008 5:11 am
Posts: 5
Assuming the master key encrypts all passwords, how can I use the yubikey to unlock unique encrypted master keys? The users will never see the master keys, but the program will use the user's key to decrypt the master key, then the master key to decrypt the password.

The problem I'm having is figuring out how I can use the yubikey to create a private key stored on the server, and use the yubikey to unlock that. Then, I can unlock the master key and the password. Each time the user requests to decrypt a password, they should be prompted for their yubikey.

-Chris


Top
 Profile  
Reply with quote  
PostPosted: Mon Sep 22, 2008 8:31 pm 
Offline
User avatar

Joined: Wed May 07, 2008 5:25 pm
Posts: 110
Location: Sunnyvale, California
ee99ee wrote:
Assuming the master key encrypts all passwords, how can I use the yubikey to unlock unique encrypted master keys? The users will never see the master keys, but the program will use the user's key to decrypt the master key, then the master key to decrypt the password.

The problem I'm having is figuring out how I can use the yubikey to create a private key stored on the server, and use the yubikey to unlock that. Then, I can unlock the master key and the password. Each time the user requests to decrypt a password, they should be prompted for their yubikey.

-Chris


I'm seeing some Yubikey customers using Yubikey Token ID (the first 12 fixed chars of the OTP) + a user PIN to derive a "private" master key to encrypt all this user's credentials.

The cost is that when the user changes PIN or Yubikey all his/her credentials need to be re-encrypted. But the cost should be minimal if one user only has say < 100 accounts stored in the database.

_________________
The YubiKey Server Guy


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 9 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 3 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group