YubiKey YubiHSM

Transcription

YubiKey, YubiHSM. Passwords^11. Simon Josefsson

About Yubico
- Started in 2007 in Stockholm
- Founder and CEO is Stina Ehrensvärd
- Presence today in Sweden, UK and US
- Team of 15 people
- Core invention is the YubiKey
- Online web shop and (in)direct sales
- Web shop sales to anyone, 25 per unit
- Free software friendly

YubiKey Quick Facts
- The YubiKey generates one-time passwords for identification and authentication
- Two factor, one touch, zero drivers!
- No batteries, no display, no mechanical buttons
- Unique AES key in every YubiKey
- YubiKey configuration is customizable

DEMO
1. Insert YubiKey
2. Launch text editor
3. Touch YubiKey


ModHex
- USB keyboards return scan codes, not characters! Keyboard layout matters.
- ModHex encoding is hex encoding with another alphabet:
  cbdefghijklnrtuv (modhex)
  0123456789abcdef (hex)
- For example, the hex string 00 is cc in modhex
- ModHex ekhgjhbctrgn is 39658610dc5b in hex
- Goal of the alphabet is keyboard-layout-independent character input

YubiKey OTP Format
- One YubiKey OTP consists of two parts: ekhgjhbctrgn kutgvrvkinllgnkejtlgidhbubeuebdb
  - Yubico ships 12-character identities
  - 32 modhex characters with OTP data
- The two parts are concatenated: ekhgjhbctrgnkutgvrvkinllgnkejtlgidhbubeuebdb
- Variable length, 0-16 modhex characters, for the identity
- Splitting a concatenated PASSWORD+OTP string is a concern
- Identity string is configurable

Encrypted OTP data
Internal format of the encrypted OTP:
- 6 bytes: internal identity string
- 2 bytes: session counter (non-volatile)
- 2 bytes: 8 Hz timestamp (low part)
- 1 byte: 8 Hz timestamp (high part)
- 1 byte: session use (volatile)
- 2 bytes: non-predictable data, "nonce"
- 2 bytes: CRC-16 of all fields, with this field 0
Final OTP is the AES-ECB encrypted plaintext (one 16-byte block)

Counters and time
The YubiKey OTP has two monotonically increasing counters:
- One stored in long-term memory: incremented by one on first use after each power-up
- One in volatile memory: incremented by one on every use during a power-up cycle
The YubiKey OTP contains time information:
- However, it is not wall-clock time but time since the last power-up (because there is no battery)
- Requires two OTPs from the same power-up cycle to detect time-delaying phishing
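The ModHex, OTP format, encrypted-block and counter slides above, worked through as an added Go example; this is editor-written code, not code from the talk or from yubico-c. generateOTP plays the key (fill in the CRC, AES-ECB encrypt, ModHex encode, prepend the identity), parseOTP plays the validation server, and isFresh applies the counter rule. Assumptions: the AES key, identity and field values are constructed for the demo; multi-byte fields are little-endian; the CRC is the one yubico-c uses (reflected polynomial 0x8408, initial value 0xffff), where the block carries the ones-complement CRC of the first 14 bytes and the check is that the CRC over all 16 bytes leaves the residue 0xf0b8.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

const modhexAlphabet = "cbdefghijklnrtuv" // ModHex letter for each hex digit 0..f

// modhexEncode writes each byte as two ModHex letters, high nibble first.
func modhexEncode(src []byte) string {
	out := make([]byte, 0, 2*len(src))
	for _, b := range src {
		out = append(out, modhexAlphabet[b>>4], modhexAlphabet[b&0x0f])
	}
	return string(out)
}
// modhexDecode is the inverse; anything outside the alphabet or of odd length is rejected.
func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := 0; i < len(s); i++ {
		v := strings.IndexByte(modhexAlphabet, s[i])
		if v < 0 || len(s)%2 != 0 {
			return nil, fmt.Errorf("modhex: invalid input %q", s)
		}
		out[i/2] = out[i/2]<<4 | byte(v)
	}
	return out, nil
}
// crc16 is the yubico-c CRC (reflected 0x8408, init 0xffff); a block ending in the
// ones-complement CRC of its first 14 bytes leaves residue 0xf0b8 over all 16 bytes.
func crc16(buf []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range buf {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ (0x8408 & -(crc & 1)) // xor the polynomial in when the low bit is set
		}
	}
	return crc
}
// Token is the 16-byte plaintext laid out as on the slide; multi-byte fields are little-endian.
type Token struct {
	UID       [6]byte // internal (private) identity, checked against the public identity
	Counter   uint16  // session counter, non-volatile
	Timestamp uint32  // 24-bit 8 Hz timer since power-up
	Use       uint8   // session use, volatile
	Rnd       uint16  // non-predictable data
}

// generateOTP plays the YubiKey: fill in the CRC, AES-ECB encrypt the block, ModHex it.
func generateOTP(publicID string, key []byte, t Token) (string, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	p := make([]byte, 16)
	copy(p, t.UID[:])
	binary.LittleEndian.PutUint16(p[6:], t.Counter)
	p[8], p[9], p[10], p[11] = byte(t.Timestamp), byte(t.Timestamp>>8), byte(t.Timestamp>>16), t.Use
	binary.LittleEndian.PutUint16(p[12:], t.Rnd)
	binary.LittleEndian.PutUint16(p[14:], crc16(p[:14])^0xffff)
	blk.Encrypt(p, p)
	return publicID + modhexEncode(p), nil
}

// parseOTP plays the validation server: split off the identity, decrypt the last 32 letters
// with the key stored for that identity, and verify the CRC before trusting any field.
// The caller must still compare t.UID with the private ID stored for publicID.
func parseOTP(otp string, key []byte) (publicID string, t Token, err error) {
	if len(otp) < 32 || len(otp) > 48 { // 0..16 identity letters + 32 OTP letters
		return "", t, errors.New("otp: bad length")
	}
	p, err := modhexDecode(otp[len(otp)-32:])
	if err != nil {
		return "", t, err
	}
	blk, err := aes.NewCipher(key)
	if err != nil {
		return "", t, err
	}
	blk.Decrypt(p, p)
	if crc16(p) != 0xf0b8 {
		return "", t, errors.New("otp: CRC mismatch (wrong key or corrupted OTP)")
	}
	copy(t.UID[:], p)
	t.Counter = binary.LittleEndian.Uint16(p[6:])
	t.Timestamp = uint32(p[8]) | uint32(p[9])<<8 | uint32(p[10])<<16
	t.Use, t.Rnd = p[11], binary.LittleEndian.Uint16(p[12:])
	return otp[:len(otp)-32], t, nil
}
// isFresh is the replay rule from the counters slide: (counter, use) must strictly increase.
func isFresh(last, cur Token) bool {
	return cur.Counter > last.Counter || (cur.Counter == last.Counter && cur.Use > last.Use)
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key, never use a fixed key for real
	ot, _ := generateOTP("ekhgjhbctrgn", key, Token{UID: [6]byte{1, 2, 3, 4, 5, 6}, Counter: 7, Timestamp: 0x12345, Use: 2, Rnd: 0xbeef})
	fmt.Println(ot)
	fmt.Println(parseOTP(ot, key))
}
```

A real server keeps the last accepted (counter, use) pair per identity and calls isFresh before anything else; the time field only helps when two OTPs from the same power-up cycle can be compared, as the slide says.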

Static password
- Static password mode: generate the same strong password on every YubiKey touch
- Vulnerable to keyloggers!
- Can provide some security advantages compared to human-recalled passwords
- Useful when evaluating user acceptance of the YubiKey: no server-side changes

OATH HOTP
- Open AuTHentication HMAC-based One-Time Password (HOTP)
- http://www.openauthentication.org/, RFC 4226
- Code is 6-8 digits, e.g. "673821"
- Enables one-time-password systems with tokens from multiple vendors
- The YubiKey can be programmed to generate OATH HOTP codes
- Version 2.x only, since December 2009

Challenge-Response
- Combined with client software, the YubiKey supports challenge-response
- Algorithm is HMAC-SHA1
- The YubiKey can sign data, authorized by the user by touch
- Use cases are software license management, improved security, pay-TV boxes, etc.
- YubiKey version 2.2 and later only
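The two HMAC-SHA1 modes of the last two slides, OATH HOTP and challenge-response, as an added Go example (editor-written, not code from the talk or from Yubico). hotp implements RFC 4226 and verifyHOTP the server side with a look-ahead window; challengeResponse and verifyChallengeResponse model a key and a verifier that share a secret. The secret is the RFC 4226 test-vector secret, so the first codes are the ones printed in that RFC; the challenge string is constructed, and the window size and digit count are choices for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// hmacSHA1 is the primitive shared by OATH HOTP and the YubiKey challenge-response mode.
func hmacSHA1(key, msg []byte) []byte {
	m := hmac.New(sha1.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// hotp is RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation
// at the offset given by the low nibble of the last byte, then the low decimal digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	h := hmacSHA1(secret, c[:])
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// verifyHOTP is the server side with a look-ahead window (RFC 4226 section 7.4): the
// token's counter may run ahead if codes were generated but never submitted. On success
// it returns the counter to store, one past the matched value, so the code cannot be reused.
func verifyHOTP(secret []byte, serverCounter uint64, window, digits int, code string) (uint64, bool) {
	for i := 0; i <= window; i++ {
		c := serverCounter + uint64(i)
		if hmac.Equal([]byte(hotp(secret, c, digits)), []byte(code)) { // constant-time compare
			return c + 1, true
		}
	}
	return serverCounter, false
}

// challengeResponse is the HMAC-SHA1 mode: client software sends a challenge and the
// YubiKey answers HMAC-SHA1(key, challenge); a verifier holding the same secret recomputes it.
func challengeResponse(secret, challenge []byte) []byte { return hmacSHA1(secret, challenge) }

func verifyChallengeResponse(secret, challenge, response []byte) bool {
	return hmac.Equal(hmacSHA1(secret, challenge), response)
}

func main() {
	secret := []byte("12345678901234567890") // the RFC 4226 test-vector secret
	for c := uint64(0); c < 3; c++ {
		fmt.Println(c, hotp(secret, c, 6)) // 755224 287082 359152
	}
	fmt.Println(verifyHOTP(secret, 0, 5, 6, "359152")) // 3 true
	fmt.Println(verifyHOTP(secret, 4, 5, 6, "359152")) // 4 false: counter 2 is behind the server
	ch := []byte("constructed challenge")
	resp := challengeResponse(secret, ch)
	fmt.Printf("%x %v\n", resp, verifyChallengeResponse(secret, ch, resp))
}
```

The look-ahead window is the usual HOTP trade-off: large enough to survive accidental presses, small enough that an attacker cannot cheaply enumerate codes; whatever the size, the stored counter must move past the matched value or the same code is accepted twice.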

RFID YubiKey
- YubiKey combined with an RFID chip
- Provides security in both the digital and the physical world

Automated Logistics

Yubico Provides
- YubiKey, different variants
- Personalization software
- Low-level OTP parsing libraries
- Validation protocol specification
- Clients to the validation server
- Online validation server
- Hosted demo servers

Yubico Provides (contd)
- Yubico Forum for support: http://forum.yubico.com/
- Yubico Wiki for knowledge: http://wiki.yubico.com/
- PAM module
- Documentation describing how FreeRadius is used to provide a Radius server
- OpenID server: http://openid.yubico.com/
- YubiKey plugin to simpleSAMLphp

Personalization Software
http://yubico.com/developers/personalization/
Alternatives:
1. Windows Personalization Tool
2. Windows COM/ActiveX component
3. Free software portable library tool: C code, BSD license, packaged by Debian
4. Third-party Mac graphical interface

Lock code
- YubiKeys can be protected with a lock code
- Prevents unauthorized re-programming of the YubiKey
- The AES key can never be read out from the device
- Recommendation: if you personalize YubiKeys yourself, set a random lock code on each device

Low-level OTP parsing
http://code.google.com/p/yubico-c/
- Core library written in C
- BSD license; included in Debian, Fedora etc.
- Functionality ported to Java, PHP, Perl, Python, ...
Low-level example interfaces:

extern void yubikey_parse (const uint8_t token[YUBIKEY_BLOCK_SIZE],
                           const uint8_t key[YUBIKEY_KEY_SIZE],
                           yubikey_token_t out);
extern void yubikey_modhex_encode (char *dst, const char *src, size_t srcsize);
extern int yubikey_modhex_p (const char *str);
extern uint16_t yubikey_crc16 (const uint8_t *buf, size_t buf_size);
extern void yubikey_aes_decrypt (uint8_t *state, const uint8_t *key);

DEMO
1. Reprogram a YubiKey with 'ykpersonalize'
2. Debug the generated OTP using 'ykdebug'

Validation Server Protocol
- Protocol specification online: http://yubico.com/developers/api/
- Concept of client identity
- Optional HMAC signing of requests/responses
- Simple query and response (v1):

  http://api.yubico.com/wsapi/verify?id=42&otp=vvvvvvcurikvhjcvnlnbecbkubjvuittbifhndhnhhhb

  h=VQZYvkEWUdhYjx1hjB/yeW/Y=
  t=2008-01-11T03:51:21Z0079
  status=OK

Client ID & Key
- Generate your own client identity & HMAC key online: http://yubico.com/developers/api/
- You will be allocated one integer and a newly generated random base64 string
- Used by client software to sign requests and validate responses

DEMO
1. Validate an OTP against the online demo
2. Verify an OTP against the Yubico Validation Server using command line tools


Validation Protocol v2.0
- Supports distributed servers
- Each client queries all servers in parallel
- The servers all talk to each other
- The client waits for a positive validation
- While waiting, the client will reject the OTP if any negative response is received
- Some servers may respond "replayed request" if they became aware of the query through another validation server first
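The client side of the validation protocol from the three slides above (the signed query, the client ID and key, and the v2.0 rule for combining answers from several servers), as an added Go example written for this page; it is not Yubico's client library. It assumes the signing scheme of the published API: HMAC-SHA1 with the client key over all parameters except h, sorted by name and joined as name=value pairs with &, base64-encoded into h. The client key, OTP, nonce and the server's reply are constructed, and serverReply stands in for a validation server that holds the same client key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// sign computes the h parameter: HMAC-SHA1 keyed with the (base64-decoded) client key over
// every parameter except h, sorted by name and joined as name=value&name=value.
func sign(apiKey []byte, params map[string]string) string {
	names := make([]string, 0, len(params))
	for k := range params {
		if k != "h" {
			names = append(names, k)
		}
	}
	sort.Strings(names)
	for i, k := range names {
		names[i] = k + "=" + params[k]
	}
	m := hmac.New(sha1.New, apiKey)
	m.Write([]byte(strings.Join(names, "&")))
	return base64.StdEncoding.EncodeToString(m.Sum(nil))
}

// buildQuery is the signed verify request for one validation server (v2 adds the nonce).
func buildQuery(server string, apiKey []byte, clientID, otp, nonce string) string {
	p := map[string]string{"id": clientID, "otp": otp, "nonce": nonce}
	q := url.Values{"h": {sign(apiKey, p)}}
	for k, v := range p {
		q.Set(k, v)
	}
	return server + "?" + q.Encode()
}

// parseResponse reads the name=value lines a server returns; Cut keeps base64 padding intact.
func parseResponse(body string) map[string]string {
	r := map[string]string{}
	for _, line := range strings.Split(body, "\n") {
		if k, v, ok := strings.Cut(strings.TrimRight(line, "\r"), "="); ok {
			r[k] = v
		}
	}
	return r
}

// checkResponse accepts one reply only if its signature verifies under the shared key and it
// echoes the otp and nonce of this request; otherwise a reply could be replayed or swapped.
func checkResponse(apiKey []byte, otp, nonce, body string) (string, error) {
	r := parseResponse(body)
	if !hmac.Equal([]byte(sign(apiKey, r)), []byte(r["h"])) {
		return "", errors.New("response signature mismatch")
	}
	if r["otp"] != otp || r["nonce"] != nonce {
		return "", errors.New("response does not belong to this request")
	}
	return r["status"], nil
}

// decide applies the v2.0 client rule to replies in arrival order: the first OK accepts,
// REPLAYED_REQUEST is ignored (another server saw the query first), anything else rejects.
func decide(statuses []string) (bool, string) {
	for _, s := range statuses {
		switch s {
		case "OK":
			return true, s
		case "REPLAYED_REQUEST":
		default:
			return false, s
		}
	}
	return false, "no positive reply"
}

// serverReply simulates a validation server that shares the client key (constructed data).
func serverReply(apiKey []byte, fields map[string]string) string {
	fields["h"] = sign(apiKey, fields)
	lines := make([]string, 0, len(fields))
	for k, v := range fields {
		lines = append(lines, k+"="+v)
	}
	sort.Strings(lines)
	return strings.Join(lines, "\r\n") + "\r\n"
}

func main() {
	apiKey := []byte("constructed client key")
	otp, nonce := "vvvvvvcurikvhjcvnlnbecbkubjvuittbifhndhnhhhb", "0123456789abcdef0123456789abcdef"
	fmt.Println(buildQuery("https://api.yubico.com/wsapi/verify", apiKey, "42", otp, nonce))
	body := serverReply(apiKey, map[string]string{"otp": otp, "nonce": nonce, "t": "2011-06-08T10:00:00Z0079", "status": "OK"})
	status, err := checkResponse(apiKey, otp, nonce, body)
	fmt.Println(status, err)
	fmt.Println(decide([]string{"REPLAYED_REQUEST", status}))
}
```

Checking the signature alone is not enough: a valid, signed status=OK for a different OTP or nonce is still a valid reply, just not to this request, which is why checkResponse compares both before it returns the status.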

Validation server clients
- C library, PHP module, many others
- PHP code is easy to install and use:
  wget http://php-yubico.googlecode.com/files/Auth_Yubico-1.9.tgz
  pear install Auth_Yubico-1.9.tgz

Validation Server
YK-VAL: YubiKey Validation server
- Free software
- YK-VAL is responsible for verifying YubiKey OTPs following Yubico's web service API protocol
- YK-VAL requests AES decryption from YK-KSM
YK-KSM: YubiKey Key Storage Module
- Free software
- YK-KSM is responsible for storing AES keys and decrypting incoming OTPs

Scalability
- Internal redundancy: YK-VAL is configured to query any number of YK-KSM machines and will use the first valid answer
- The YK-KSM can be cloned easily: no synchronization of data is necessary beyond loading the AES keys
- The YK-VAL can be replicated: requires loose synchronization of the OTP counter fields between YK-VAL instances

Yubico Forum

PAM
- Pluggable Authentication Module (PAM)
- User authentication and authorization under GNU/Linux & Solaris
- Used in other environments to achieve modularity, e.g., Radius
- Challenge-Response approach
- http://code.google.com/p/yubico-pam/
- C code, BSD/GPL, Debian packages
- Useful for SSH and desktop login

OpenID
- Decentralized web-based authentication system
- Serious phishing security issues!
- One-time passwords are a cost-effective solution
- SMS passcodes, X.509 https: other approaches
- Three parties:
  1. Identity Provider (IdP)
  2. Relying Party (RP)
  3. User, identified by an OpenID URL

Yubico OpenID server
- Based on JanRain's OpenID library and their example OpenID server
- Minimally modified to support the YubiKey: http://code.google.com/p/yubico-openid-server/
- Running on http://openid.yubico.com/ as a free service; all existing YubiKeys automatically have an OpenID URL
- Easy to use with your own URL: just add two HEAD META tags to your HTML page
- No vendor lock-in!

SAML
- Security Assertion Markup Language
- Format to exchange authentication and authorization information between security domains
- Specified by OASIS: www.oasis-open.org
- Primary use case is web browser sign-on, but the protocol is transport agnostic

Yubico SAML Server
- simpleSAMLphp (SSP): PHP-based SAML server with YubiKey plugin
- Sun/Oracle's OpenSSO server with YubiKey plugin
- Both are free software; commercial alternatives exist
- Yubico hosts SSP at http://saml.yubico.com/
- Free service for all YubiKey owners

YubiHSM

YubiHSM Quick Facts
- Currently in beta testing with customers
- Small USB device (0.2 W) acting like a serial device: GNU/Linux, Mac and Windows friendly
- Priced at 500 with no maintenance fee
- AES encrypt / decrypt / decrypt-compare using a key in the YubiHSM
- HMAC-SHA1 with a key in the YubiHSM (HOTP/TOTP)
- AES-based NIST SP 800-90 CTR-DRBG random number generator

More facts
- Holds 40 AES/HMAC keys indexed by a 32-bit key handle
- Fairly small set of interface functions
- Reference Python code available on GitHub
- Commands: YSM_NULL, YSM_SYSTEM_INFO_QUERY, YSM_ECHO, YSM_KEY_STORAGE_UNLOCK, YSM_BUFFER_LOAD, YSM_BUFFER_RANDOM_LOAD, YSM_NONCE_GET, YSM_AEAD_GENERATE, YSM_RANDOM_AEAD_GENERATE, YSM_BUFFER_AEAD_GENERATE, YSM_AEAD_DECRYPT_CMP, YSM_AEAD_YUBIKEY_OTP_DECODE, YSM_DB_YUBIKEY_AEAD_STORE, YSM_DB_YUBIKEY_OTP_VALIDATE, YSM_TEMP_KEY_LOAD, YSM_AES_ECB_BLOCK_ENCRYPT, YSM_AES_ECB_BLOCK_DECRYPT, YSM_AES_ECB_BLOCK_DECRYPT_CMP, YSM_HMAC_SHA1_GENERATE, YSM_RANDOM_GENERATE, YSM_RANDOM_RESEED
- Third-party Java code being published
- Documented interface, please write your own!

Background
- Yubico operates a validation server for a fleet of YubiKeys
- We needed to secure millions of AES keys stored on servers world-wide
- Traditional HSMs are expensive, cannot store millions of keys and only offer encrypt/decrypt interfaces
- Attackers getting root would get our AES keys!
- We needed an inexpensive solution and interfaces for native YubiKey OTP parsing and decrypt-and-compare

Wider usage
- Threat model: someone roots your server
- Physical attacks (stealing the machine) are outside of our threat model; we use the traditional security industry to mitigate that
- Goal: minimize what the attacker can achieve by becoming root
- How #1: make the data stored on the server useless to an attacker

YubiHSM Indirect Mode
- Based on AES-CCM (RFC 3610), an early AEAD cipher mode that is easy to implement
- Enables support of millions of "virtual" keys protected by the YubiHSM
- Used here to do "key wrap", i.e., encrypt an AES key or a (hashed) password
- The encrypted AEAD blob is stored on the server
- On request, the YubiHSM takes the AEAD-protected key and either an OTP or a (hashed) password for comparison

Validating a password
- Let's say you are building a server to validate passwords for millions of users
- Perform a PBKDF2 iterated hash as early as possible, using a per-user salt and iteration count
- Query a server with a YubiHSM with input (AEAD blob, candidate PBKDF2 output)
- The server uses AEAD_DECRYPT_CMP and returns yes/no
- No data stored on the server is useful to the attacker!

Caveats
- Key management of the YubiHSM keys becomes critical
- Authorization of AEAD generation and storage is important
- Best practice is to generate a random key with the same key handle and configure two YubiHSMs as a pair at the same time on a trusted machine
- One YubiHSM will have permission to generate AEADs (the set-password machine) and the other to validate passwords using the AEADs (the validate-password machine)

Thank you for listening! Questions?

Yubico: trust the net
