YubiKey - Josefsson

Transcription

YubiKey Technology briefing
Lysator UppLYSning 2010-04-20
Simon Josefsson simon@yubico.com

About me
- Independent consultant as Simon Josefsson Datakonsult AB
- Prolific free software and GNU contributor: GnuTLS, LibIDN, GNU SASL, Shishi, Libtasn1, Emacs, ...
- Standardization work in the IETF: SASL, Kerberos, DNS, ...
- Member of Fossgruppen

About Yubico
- Started in 2007 in Stockholm
- Founder and CEO is Stina Ehrensvärd
- Presence today in Sweden, UK and US
- Team of 10 people
- Core invention is the YubiKey
- Online web shop and (in)direct sales
- Free software friendly

5000 customers, 70 countries

YubiKey Quick Facts
- The YubiKey generates one-time passwords for identification and authentication purposes
- Two factor, One Touch, Zero drivers!
- No batteries, no display, no mechanical buttons
- Unique AES key in every YubiKey
- YubiKey configuration is customizable

YubiKey Product History
1. RFID card with PIN, card reader, client software
2. USB-key with PIN
3. USB-key with 1 button

Typical Usage
[Figure: login form with a Password field (***************) and a YubiKey field containing unccccccccehllcrnhttrgbgikrcctihnlhclrvhkldcdj, labelled IDENTITY and ONE TIME]

DEMO
1. Paste YubiKey into text editor
2. Validate OTP against online demo

YubiKey OTP Format
- One YubiKey OTP consists of two parts:
  - 0-16 modhex characters with identity
  - 32 modhex characters with OTP data
- The two parts are concatenated:
  - Yubico ships 12 character identities ing PASSWORDOTP concern
  - Identity string is configurable

ModHex
- USB keyboards return scan codes, not characters!
  - Keyboard layout matters.
- Modhex encoding is hex encoding with another alphabet
    cbdefghijklnrtuv (modhex)
    0123456789abcdef (hex)
- For example
  - hex string 00 is cc in modhex
  - Modhex ekhgjhbctrgn is 39658610dc5b hex
- Goal with alphabet is keyboard layout independent character input

Encrypted OTP data
- Internal format of the encrypted OTP:
  - 6 byte: internal identity string
  - 2 byte: session counter (non-volatile)
  - 2 byte: 8Hz timestamp (low part)
  - 1 byte: 8Hz timestamp (high part)
  - 1 byte: session use (volatile)
  - 2 byte: non-predictable data “nonce”
  - 2 byte: CRC-16 of all fields with this field 0
- Final OTP is AES-ECB encrypted plaintext
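
The OTP format, ModHex and encrypted-data slides above, combined into one added example (not code from the talk or from Yubico's libraries). The AES-ECB decryption step is left out because Python's standard library has no AES, so `parse_plaintext` takes an already decrypted 16-byte block; little-endian field order and the CRC residue 0xf0b8 follow the yubico-c library, and `build_plaintext` only constructs sample data.

```python
import struct

MODHEX = "cbdefghijklnrtuv"   # modhex alphabet from the ModHex slide
HEX = "0123456789abcdef"

def modhex_decode(s: str) -> bytes:
    """Translate modhex to bytes; raise ValueError on anything else."""
    if len(s) % 2 or any(ch not in MODHEX for ch in s):
        raise ValueError("not a modhex string")
    return bytes.fromhex(s.translate(str.maketrans(MODHEX, HEX)))

def split_otp(otp: str):
    """Return (identity, 16 encrypted bytes); the identity is 0-16 characters."""
    otp = otp.strip().lower()
    if not 32 <= len(otp) <= 48:
        raise ValueError("bad OTP length")
    return otp[:-32], modhex_decode(otp[-32:])

def crc16(data: bytes) -> int:
    """CRC-16 as in yubico-c: initial value 0xffff, reflected polynomial 0x8408."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

CRC_OK_RESIDUE = 0xF0B8   # crc16() over all 16 bytes of an intact block

def parse_plaintext(block: bytes) -> dict:
    """Unpack a decrypted OTP block; a bad CRC means wrong key or corruption."""
    if len(block) != 16 or crc16(block) != CRC_OK_RESIDUE:
        raise ValueError("CRC mismatch: wrong AES key or corrupted OTP")
    uid, ctr, t_lo, t_hi, use, rnd, _ = struct.unpack("<6sHHBBHH", block)
    return {"uid": uid.hex(), "session_counter": ctr,
            "timestamp": (t_hi << 16) | t_lo, "session_use": use, "nonce": rnd}

def build_plaintext(uid: bytes, ctr: int, ts: int, use: int, rnd: int) -> bytes:
    """Constructed sample data: lay the fields out in the order the slide lists."""
    body = struct.pack("<6sHHBBH", uid, ctr, ts & 0xFFFF, ts >> 16, use, rnd)
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)
```

A validation server would AES-decrypt the 16 bytes returned by `split_otp` with the key stored for that identity before calling `parse_plaintext`.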

Counters and time
- The YubiKey OTP has two monotonically incrementing counters:
  - One that is stored in long-term memory: incremented by one on first use after each powerup
  - One in volatile memory: incremented by one on every use during a powerup-cycle
- The YubiKey OTP contains time information:
  - However it is not wall-clock time but instead time since last power-up (there is no battery)
  - Requires two OTPs from the same powerup-cycle to detect time-delaying phishing
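
How a validation server can use the two counters and the 8 Hz timestamp, as an added example (not Yubico's server code). The `Otp` type, the function name and the tolerance values are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

TICKS_PER_SECOND = 8           # the 8 Hz timestamp from the OTP format
TIMESTAMP_MODULUS = 1 << 24    # 2-byte low part plus 1-byte high part

@dataclass
class Otp:
    session_counter: int   # non-volatile: +1 on first use after each power-up
    session_use: int       # volatile: +1 on every use within a power-up cycle
    timestamp: int         # 8 Hz ticks since power-up, not wall-clock time
    received_at: float     # server clock (seconds) when this OTP arrived

def check(last: Optional[Otp], new: Otp,
          abs_tol: float = 5.0, rel_tol: float = 0.2) -> str:
    """Return 'ok', 'replayed' or 'delayed' given the last accepted OTP."""
    if last is None:
        return "ok"
    # The (counter, use) pair must move strictly forward, otherwise it is a replay.
    if (new.session_counter, new.session_use) <= (last.session_counter,
                                                  last.session_use):
        return "replayed"
    # A new power-up cycle restarts the timestamp, so there is nothing to compare.
    if new.session_counter != last.session_counter:
        return "ok"
    # Same cycle: time elapsed on the token (wraps after roughly 24 days powered).
    ticks = (new.timestamp - last.timestamp) % TIMESTAMP_MODULUS
    token_elapsed = ticks / TICKS_PER_SECOND
    server_elapsed = new.received_at - last.received_at
    # An OTP generated long before it was submitted shows far more server time
    # than token time; allow fixed slack plus a share for the token's clock drift.
    if server_elapsed - token_elapsed > abs_tol + rel_tol * token_elapsed:
        return "delayed"
    return "ok"
```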

OATH HOTP
- Open AuTHentication HMAC-based One-Time Password (HOTP)
  - http://www.openauthentication.org/
  - RFC 4226
- Enables one-time-password systems with tokens from multiple vendors
- The YubiKey can be programmed to generate OATH HOTP codes
  - Version 2.x only – since December 2009

Static password
- Static password mode
  - Generate the same strong password on every YubiKey touch
  - Vulnerable to keyloggers!
- Can provide some security advantages compared to human-recalled passwords
- Useful when evaluating user-acceptance of YubiKey – no infrastructure changes

RFID YubiKey
- YubiKey combined with RFID chip
- Provides security in both digital and physical world

Automated Logistics

Yubico Provides
- YubiKey – different variants
- Personalization software
- Low-level OTP parsing libraries
- Validation protocol specification
- Clients to validation server
- Online Validation server
- Hosted demo servers

Yubico Provides (contd)
- Yubico Forum for support http://forum.yubico.com/
- Yubico Wiki for knowledge http://wiki.yubico.com/
- PAM module
- Documentation describing how FreeRadius is used to provide a Radius server
- OpenID server - http://openid.yubico.com/
- YubiKey plugin to simpleSAMLphp

Personalization Software
- http://yubico.com/developers/personalization/
- Alternatives:
  1. Windows Personalization Tool
  2. Windows COM/ActiveX component
  3. Free software portable library tool – C code, BSD license – packaged by Debian tion/
  4. Third-party Mac graphical interface

Lock code
- YubiKeys can be protected with a lock code
- Prevents unauthorized re-programming of the YubiKey
- The AES key can never be read out from the device
- Recommendation: If you personalize YubiKeys yourself, set a random locking code on each device

Low-level OTP parsing
- http://code.google.com/p/yubico-c/
- Core library written in C
- BSD license – included in Debian, Fedora etc
- Functionality ported to Java, PHP, Perl, Python,
- Low-level, example interfaces:

    extern void yubikey_parse (const uint8_t token[YUBIKEY_BLOCK_SIZE],
                               const uint8_t key[YUBIKEY_KEY_SIZE],
                               yubikey_token_t out);
    extern void yubikey_modhex_encode (char *dst, const char *src,
                                       size_t srcsize);
    extern int yubikey_modhex_p (const char *str);
    extern uint16_t yubikey_crc16 (const uint8_t * buf, size_t buf_size);
    extern void yubikey_aes_decrypt (uint8_t * state, const uint8_t * key);

DEMO
1. Reprogram a YubiKey with 'ykpersonalize'
2. Debug generated OTP using 'ykdebug'

Validation Server Protocol
- Protocol specification online: http://yubico.com/developers/api/
- Concept of client identity
- Optional HMAC signing of requests/response
- Simple Query and response (v1):

    http://api.yubico.com/wsapi/verify?id=42&otp=vvvvvvcurikvhjcvnlnbecbkubjvuittbifhndhn

    h=hhbVQZYvkEWUdhYjx1hjB/yeW/Y=
    t=2008-01-11T03:51:21Z0079
    status=OK

Client ID & Key
- Generate your own client identity & HMAC key online: http://yubico.com/developers/api/
- You will be allocated one integer and a newly generated random base64 string
- Used by client software to sign requests and validate responses
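
Signing a v1 query and checking the signed response with the client identity and base64 key, as an added example (not Yubico's client code). The signing rule used here, HMAC-SHA1 over the parameters sorted by name and base64-encoded into `h`, comes from Yubico's validation protocol specification rather than from the slide; `SAMPLE_KEY` and `make_response` are constructed stand-ins.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode

SAMPLE_ID = 42                                                   # constructed
SAMPLE_KEY = base64.b64encode(b"constructed-api-key!").decode()  # constructed

def sign(params: dict, api_key_b64: str) -> str:
    """HMAC-SHA1 over 'k=v' pairs sorted by key, joined with '&', 'h' excluded."""
    key = base64.b64decode(api_key_b64)
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    digest = hmac.new(key, msg.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def signed_query(client_id: int, otp: str, api_key_b64: str) -> str:
    """Query string for the verify URL; the base64 signature is URL-encoded."""
    params = {"id": str(client_id), "otp": otp}
    params["h"] = sign(params, api_key_b64)
    return urlencode(params)

def parse_response(body: str) -> dict:
    """One key=value per line; split on the first '=' only (base64 padding)."""
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            fields[key] = value
    return fields

def response_is_valid(body: str, api_key_b64: str) -> bool:
    """Accept only a correctly signed response whose status is OK."""
    fields = parse_response(body)
    expected = sign(fields, api_key_b64).encode()
    # Constant-time comparison; a missing or altered 'h' fails here.
    if not hmac.compare_digest(fields.get("h", "").encode(), expected):
        return False
    return fields.get("status") == "OK"

def make_response(status: str, t: str, api_key_b64: str) -> str:
    """Constructed stand-in for the server, used only to exercise the check."""
    h = sign({"status": status, "t": t}, api_key_b64)
    return f"h={h}\r\nt={t}\r\nstatus={status}\r\n"
```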

DEMO
1. Verify an OTP against Yubico Validation Server using command line tools

Validation Protocol v2.0
- Supports distributed servers
- Each client queries all servers in parallel
- Servers all talk to each other
- Clients wait for positive validation
  - While waiting, will reject OTP if any negative response is received
  - Some servers may respond “replayed request” if they became aware of the query through another validation server first

Validation server clients
- C library, PHP module, many others.
- PHP code easy to install and use

    wget http://php-yubico.googlecode.com/files/Auth_Yubico-1.9.tgz
    pear install Auth_Yubico-1.9.tgz

Validation Server
- YK-VAL: YubiKey Validation server
  - Free L
  - responsible for verifying YubiKey OTPs following Yubico's web service API protocol
  - YK-VAL requests AES decryption from YK-KSM
- YK-KSM: YubiKey Key Storage Module
  - Free r-php/
  - YK-KSM responsible for storing AES keys and decrypting incoming OTP

Scalability
- Internal redundancy: YK-VAL is configured to query any number of YK-KSM machines and will use the first valid answer
- The YK-KSM can be cloned easily:
  - No synchronization of data necessary beyond loading of AES keys
- The YK-VAL can be replicated
  - Requires loose synchronization of OTP counter fields between YK-VAL instances

Yubico Forum

PAM
- Pluggable Authentication Module (PAM)
- User authentication and authorization under GNU/Linux & Solaris
- Used in other environments to achieve modularity, e.g., Radius
- Challenge-Response approach
- http://code.google.com/p/yubico-pam/
  - C code, BSD/GPL, Debian packages
- Useful for SSH and Desktop login

OpenID
- Decentralized web-based authentication system
- Serious phishing security issues!
  - One-time passwords are cost effective solution
  - SMS passcodes, X.509 https: other approaches
- Three parties:
  1. Identity Provider (IdP)
  2. Relying Partner (RP)
  3. User – identified by an OpenID URL

Yubico OpenID server
- Based on JanRain's OpenID library and their example OpenID Server
  - Minimally modified to support YubiKey
  - http://code.google.com/p/yubico-openid-server/
- Running on http://openid.yubico.com/ as free service – all existing YubiKeys have an OpenID URL automatically
- Easy to use with your own URL, just add two HEAD META tags to your HTML page
- No vendor lock-in!

Demo!

SAML
- Security Assertion Markup Language
- Format to exchange authentication and authorization information between security domains
- Specified by OASIS: www.oasis-open.org
- Primary use case is web browser sign on but protocol is transport agnostic

Yubico SAML Server
- simpleSAMLphp (SSP): PHP based SAML server with YubiKey plugin
- Sun/Oracle's OpenSSO server with YubiKey plugin
- Both are free software, commercial alternatives exist
- YubiKey hosts SSP as http://saml.yubico.com/
  - Free service for all YubiKey owners

trust the net
