Transcription
YubiKey Technology briefing
Lysator UppLYSning 2010-04-20
Simon Josefsson simon@yubico.com
About me
- Independent consultant as Simon Josefsson Datakonsult AB
- Prolific free software and GNU contributor: GnuTLS, LibIDN, GNU SASL, Shishi, Libtasn1, Emacs
- Standardization work in the IETF: SASL, Kerberos, DNS
- Member of Fossgruppen
About Yubico
- Started in 2007 in Stockholm
- Founder and CEO is Stina Ehrensvärd
- Presence today in Sweden, UK and US
- Team of 10 people
- Core invention is the YubiKey
- Online web shop and (in)direct sales
- Free software friendly
5000 customers, 70 countries
YubiKey Quick Facts
- The YubiKey generates one-time passwords for identification and authentication purposes
- Two factor, One Touch, Zero drivers!
- No batteries, no display, no mechanical buttons
- Unique AES key in every YubiKey
- YubiKey configuration is customizable
YubiKey Product History
1. RFID card with PIN card reader client software
2. USB-key with PIN
3. USB-key with 1 button
Typical Usage
[Figure: login form with a Password field (***************) and a YubiKey field (unccccccccehllcrnhttrgbgikrcctihnlhclrvhkldcdj); labels: IDENTITY, ONE TIME]
DEMO
1. Paste YubiKey into text editor
2. Validate OTP against online demo
YubiKey OTP Format
- One YubiKey OTP consists of two parts:
  - 0-16 modhex characters with identity
  - 32 modhex characters with OTP data
- The two parts are concatenated:
- Yubico ships 12 character identities
- ing PASSWORDOTP concern
- Identity string is configurable
ModHex
- USB keyboards return scan codes, not characters! Keyboard layout matters.
- Modhex encoding is hex encoding with another alphabet:
    cbdefghijklnrtuv (modhex)
    0123456789abcdef (hex)
- For example:
  - hex string 00 is cc in modhex
  - Modhex ekhgjhbctrgn is 39658610dc5b hex
- Goal with alphabet is keyboard layout independent character input
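
The mapping above and the identity/OTP split from the OTP Format slide, as a strict decoder. This is an added example, not code from the slides or from Yubico's libraries; the function names and SAMPLE_OTP are constructed for illustration.

```python
MODHEX = "cbdefghijklnrtuv"          # alphabet from the slide
HEX = "0123456789abcdef"
_TO_HEX = str.maketrans(MODHEX, HEX)
_TO_MODHEX = str.maketrans(HEX, MODHEX)


def modhex_decode(text: str) -> bytes:
    """Decode modhex to bytes, rejecting anything outside the alphabet."""
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("not a modhex string")
    return bytes.fromhex(text.translate(_TO_HEX))


def modhex_encode(data: bytes) -> str:
    """Encode bytes as modhex (hex digits mapped onto the modhex alphabet)."""
    return data.hex().translate(_TO_MODHEX)


def split_otp(typed: str):
    """Split what was typed into (identity, 16 encrypted bytes).

    The last 32 characters are always the OTP data; whatever precedes
    them (0-16 characters) is the identity used to look up the AES key.
    """
    otp = typed.strip()              # tolerate a trailing newline from the form
    if not 32 <= len(otp) <= 48:
        raise ValueError("expected 32..48 characters")
    if any(ch not in MODHEX for ch in otp):
        raise ValueError("non-modhex character: wrong field or layout issue")
    return otp[:-32], modhex_decode(otp[-32:])


# Constructed sample: 12-character identity + 16 arbitrary bytes.
SAMPLE_OTP = "cccccccccccb" + modhex_encode(bytes(range(16)))
```

Rejecting non-modhex input before any key lookup or decryption keeps passwords typed into the wrong field out of the validation path.
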
Encrypted OTP data
- Internal format of the encrypted OTP:
  - 6 byte: internal identity string
  - 2 byte: session counter (non-volatile)
  - 2 byte: 8Hz timestamp (low part)
  - 1 byte: 8Hz timestamp (high part)
  - 1 byte: session use (volatile)
  - 2 byte: non-predictable data “nonce”
  - 2 byte: CRC-16 of all fields with this field 0
- Final OTP is AES-ECB encrypted plaintext
Counters and time
- The YubiKey OTP has two monotonically incrementing counters:
  - One that is stored in long-term memory: incremented by one on first use after each powerup
  - One in volatile memory: incremented by one on every use during a powerup-cycle
- The YubiKey OTP contains time information:
  - However it is not wall-clock time but instead time since last power-up (there is no battery)
  - Requires two OTPs from the same powerup-cycle to detect time-delaying phishing
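
How a server can use the decrypted fields and the two counters, as an added example that is not from the slides or Yubico's code; it works on the already decrypted 16-byte block, so no AES is involved. Assumptions not stated on the slides: little-endian fields and the CRC parameters (polynomial 0x8408, initial value 0xffff, stored value complemented so a valid block leaves residue 0xf0b8), which follow the yubico-c library; the function names, status strings and 5-second slack are hypothetical.

```python
import struct
from collections import namedtuple

Token = namedtuple("Token", "uid session_ctr timestamp session_use nonce crc")
CRC_OK_RESIDUE = 0xF0B8            # crc16() of a complete, valid block


def crc16(data: bytes) -> int:
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def parse_plaintext(block: bytes) -> Token:
    """Unpack the 16 decrypted bytes in the field order listed above."""
    if len(block) != 16 or crc16(block) != CRC_OK_RESIDUE:
        raise ValueError("bad length or CRC (wrong AES key or garbage)")
    uid, ctr, ts_lo, ts_hi, use, nonce, crc = struct.unpack("<6sHHBBHH", block)
    return Token(uid, ctr, ts_hi << 16 | ts_lo, use, nonce, crc)


def check_counters(last, tok, elapsed_s, slack_s=5.0):
    """Judge tok against the last accepted token of the same key.

    elapsed_s is the server's wall-clock time since `last` was accepted.
    """
    if last is None:
        return "OK"
    if (tok.session_ctr, tok.session_use) <= (last.session_ctr, last.session_use):
        return "REPLAYED"
    if tok.session_ctr == last.session_ctr:
        # Same power-up cycle: 8 Hz ticks are comparable to server time.
        key_s = ((tok.timestamp - last.timestamp) & 0xFFFFFF) / 8.0
        if elapsed_s - key_s > slack_s:
            return "DELAYED"       # OTP was generated long before it arrived
    return "OK"


def make_block(uid, ctr, ts, use, nonce):
    """Constructed test input: a plaintext block with a valid CRC (no AES)."""
    body = struct.pack("<6sHHBBH", uid, ctr, ts & 0xFFFF, ts >> 16, use, nonce)
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)
```

A token from a new power-up cycle gets no delay check, which is why the slide says two OTPs from the same cycle are required.
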
OATH HOTP
- Open AuTHentication HMAC-based One-Time Password (HOTP)
- http://www.openauthentication.org/
- RFC 4226
- Enables one-time-password systems with tokens from multiple vendors
- The YubiKey can be programmed to generate OATH HOTP codes
  - Version 2.x only – since December 2009
Static password
- Static password mode
  - Generate the same strong password on every YubiKey touch
  - Vulnerable to keyloggers!
- Can provide some security advantages compared to human-recalled passwords
- Useful when evaluating user-acceptance of YubiKey – no infrastructure changes
RFID YubiKey
- YubiKey combined with RFID chip
- Provides security in both digital and physical world
Automated Logistics
Yubico Provides
- YubiKey – different variants
- Personalization software
- Low-level OTP parsing libraries
- Validation protocol specification
- Clients to validation server
- Online Validation server
- Hosted demo servers
Yubico Provides (contd)
- Yubico Forum for support: http://forum.yubico.com/
- Yubico Wiki for knowledge: http://wiki.yubico.com/
- PAM module
- Documentation describing how FreeRadius is used to provide a Radius server
- OpenID server - http://openid.yubico.com/
- YubiKey plugin to simpleSAMLphp
Personalization Software
- http://yubico.com/developers/personalization/
- Alternatives:
1. Windows Personalization Tool
2. Windows COM/ActiveX component
3. Free software portable library tool – C code, BSD license – packaged by Debian tion/
4. Third-party Mac graphical interface
Lock code
- YubiKeys can be protected with a lock code
- Prevents unauthorized re-programming of the YubiKey
- The AES key can never be read out from the device
- Recommendation: If you personalize YubiKeys yourself, set a random locking code on each device
Low-level OTP parsing
- http://code.google.com/p/yubico-c/
- Core library written in C
- BSD license – included in Debian, Fedora etc
- Functionality ported to Java, PHP, Perl, Python,
- Low-level, example interfaces:
    extern void yubikey_parse (const uint8_t token[YUBIKEY_BLOCK_SIZE],
                               const uint8_t key[YUBIKEY_KEY_SIZE],
                               yubikey_token_t out);
    extern void yubikey_modhex_encode (char *dst, const char *src, size_t srcsize);
    extern int yubikey_modhex_p (const char *str);
    extern uint16_t yubikey_crc16 (const uint8_t * buf, size_t buf_size);
    extern void yubikey_aes_decrypt (uint8_t * state, const uint8_t * key);
DEMO
1. Reprogram a YubiKey with 'ykpersonalize'
2. Debug generated OTP using 'ykdebug'
Validation Server Protocol
- Protocol specification online: http://yubico.com/developers/api/
- Concept of client identity
- Optional HMAC signing of requests/response
- Simple Query and response (v1):
    http://api.yubico.com/wsapi/verify?id=42&otp=vvvvvvcurikvhjcvnlnbecbkubjvuittbifhndhn
    h=hhbVQZYvkEWUdhYjx1hjB/yeW/Y=
    t=2008-01-11T03:51:21Z0079
    status=OK
Client ID & Key
- Generate your own client identity & HMAC key online: http://yubico.com/developers/api/
- You will be allocated one integer and a newly generated random base64 string
- Used by client software to sign requests and validate responses
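
What "validate responses" means for a client, as an added example that is not from the slides or Yubico's client code. The signing recipe used here (HMAC-SHA-1 with the base64-decoded key over the name=value pairs sorted by name and joined with &, result base64-encoded in the h field) is Yubico's validation protocol as I know it and is not spelled out on the slides; DEMO_KEY, the function names and the demo reply are constructed.

```python
import base64
import hashlib
import hmac

# Constructed demo key; a real one is the base64 string issued with the client id.
DEMO_KEY = base64.b64encode(b"constructed-demo-key").decode()


def sign(fields: dict, key_b64: str) -> str:
    """base64(HMAC-SHA1(key, 'a=1&b=2&...')) over fields sorted by name."""
    message = "&".join(f"{k}={v}" for k, v in sorted(fields.items()))
    mac = hmac.new(base64.b64decode(key_b64), message.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def parse_response(body: str) -> dict:
    """Parse 'name=value' lines; values may themselves contain '='."""
    fields = {}
    for line in body.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep:
            fields[name] = value
    return fields


def response_accepts(body: str, key_b64: str) -> bool:
    """True only for a correctly signed response whose status is OK."""
    fields = parse_response(body)
    claimed = fields.pop("h", "")
    expected = sign(fields, key_b64)
    if not hmac.compare_digest(claimed.encode(), expected.encode()):
        return False               # unsigned, forged or modified in transit
    return fields.get("status") == "OK"


def demo_response(status: str) -> str:
    """Constructed server reply in the h/t/status layout of the v1 example."""
    fields = {"t": "2008-01-11T03:51:21Z0079", "status": status}
    return f"h={sign(fields, DEMO_KEY)}\nt={fields['t']}\nstatus={status}\n"
```

Because the example query on the slide goes over plain http, the signature check is the only thing that stops an on-path party from turning a negative reply into status=OK.
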
DEMO
1. Verify an OTP against Yubico Validation Server using command line tools
Validation Protocol v2.0
- Supports distributed servers
- Each client queries all servers in parallel
- Servers all talk to each other
- Clients wait for positive validation
- While waiting, will reject OTP if any negative response is received
- Some servers may respond “replayed request” if they became aware of the query through another validation server first
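
The client-side decision rule described above, as an added example that is not from the slides or any Yubico client. The servers are simulated by constructed callables; the status strings OK, REPLAYED_OTP and REPLAYED_REQUEST are the protocol's values as I know them, and the function names and timeout are hypothetical.

```python
import time
from concurrent.futures import ThreadPoolExecutor, as_completed
from concurrent.futures import TimeoutError as FuturesTimeout


def validate_parallel(servers, otp, timeout=2.0):
    """Ask every server at once; return True only on a positive answer.

    `servers` are callables taking the OTP and returning a status string.
    """
    pool = ThreadPoolExecutor(max_workers=len(servers))
    futures = [pool.submit(server, otp) for server in servers]
    accepted = False               # fail closed
    try:
        for future in as_completed(futures, timeout=timeout):
            try:
                status = future.result()
            except Exception:
                continue           # one server down: keep waiting for others
            if status == "OK":
                accepted = True
                break
            if status != "REPLAYED_REQUEST":
                break              # a real negative answer rejects the OTP
    except FuturesTimeout:
        pass                       # nobody said OK in time
    finally:
        pool.shutdown(wait=False)
    return accepted


def fake_server(status, delay=0.0, fail=False):
    """Constructed stand-in for one validation server."""
    def query(otp):
        time.sleep(delay)
        if fail:
            raise ConnectionError("unreachable")
        return status
    return query
```

If every server answers REPLAYED_REQUEST, or none answers in time, the OTP is rejected: the absence of a positive answer is never treated as success.
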
Validation server clients
- C library, PHP module, many others.
- PHP code easy to install and use:
    wget http://php-yubico.googlecode.com/files/Auth_Yubico-1.9.tgz
    pear install Auth_Yubico-1.9.tgz
Validation Server
- YK-VAL: YubiKey Validation server
  - Free L responsible for verifying YubiKey OTPs following Yubico's web service API protocol
  - YK-VAL requests AES decryption from YK-KSM
- YK-KSM: YubiKey Key Storage Module
  - Free r-php/
  - YK-KSM responsible for storing AES keys and decrypting incoming OTP
Scalability
- Internal redundancy: YK-VAL is configured to query any number of YK-KSM machines and will use the first valid answer
- The YK-KSM can be cloned easily:
  - No synchronization of data necessary beyond loading of AES keys
- The YK-VAL can be replicated
  - Requires loose synchronization of OTP counter fields between YK-VAL instances
Yubico Forum
PAM
- Pluggable Authentication Module (PAM)
- User authentication and authorization under GNU/Linux & Solaris
- Used in other environments to achieve modularity, e.g., Radius
- Challenge-Response approach
- http://code.google.com/p/yubico-pam/
- C code, BSD/GPL, Debian packages
- Useful for SSH and Desktop login
OpenID
- Decentralized web-based authentication system
- Serious phishing security issues!
  - One-time passwords are a cost effective solution
  - SMS passcodes, X.509 https other approaches
- Three parties:
1. Identity Provider (IdP)
2. Relying Partner (RP)
3. User – identified by an OpenID URL
Yubico OpenID server
- Based on JanRain's OpenID library and their example OpenID Server
- Minimally modified to support YubiKey
- http://code.google.com/p/yubico-openid-server/
- Running on http://openid.yubico.com/ as free service – all existing YubiKeys have an OpenID URL automatically
- Easy to use with your own URL, just add two HEAD META tags to your HTML page
- No vendor lock-in!
Demo!
SAML
- Security Assertion Markup Language
- Format to exchange authentication and authorization information between security domains
- Specified by OASIS: www.oasis-open.org
- Primary use case is web browser sign on but protocol is transport agnostic
Yubico SAML Server
- simpleSAMLphp (SSP): PHP based SAML server with YubiKey plugin
- Sun/Oracle's OpenSSO server with YubiKey plugin
- Both are free software, commercial alternatives exist
- YubiKey hosts SSP as http://saml.yubico.com/
- Free service for all YubiKey owners
yubico: trust the net