Kommentare zu: One Yubikey to rule them all http://dennisbloete.de/blog/one-yubikey-to-rule-them-all/ Arbeit und Alltag eines Software-Entwicklers aus Bremen Thu, 22 Jul 2010 05:58:07 +0000 hourly 1 http://wordpress.org/?v=3.0 Von: Dennis http://dennisbloete.de/blog/one-yubikey-to-rule-them-all/comment-page-1/#comment-33221 Dennis Thu, 11 Sep 2008 11:28:40 +0000 http://blog.dopefreshtight.de/?p=274#comment-33221 Hey Paul, you can find all the necessary links in <a href="http://blog.dopefreshtight.de/artikel/rails-openid-server-masquerade/">this article</a>. Dennis Hey Paul, you can find all the necessary links in this article.

Dennis

]]> Von: Paul Chen http://dennisbloete.de/blog/one-yubikey-to-rule-them-all/comment-page-1/#comment-33220 Paul Chen Thu, 11 Sep 2008 00:45:11 +0000 http://blog.dopefreshtight.de/?p=274#comment-33220 You mentioned about your Ruby OpenID server, where is that? Can I try it out? I'm looking for such a thing in Ruby. Thanks Paul @ Yubico You mentioned about your Ruby OpenID server, where is that? Can I try it out? I’m looking for such a thing in Ruby.

Thanks

Paul @ Yubico

]]> Von: Boris http://dennisbloete.de/blog/one-yubikey-to-rule-them-all/comment-page-1/#comment-32077 Boris Tue, 27 May 2008 15:49:17 +0000 http://blog.dopefreshtight.de/?p=274#comment-32077 I answer myself: http://yubico.com/faq/index/ -- Search for "OATH-Compliant" I answer myself: http://yubico.com/faq/index/ — Search for “OATH-Compliant”

]]> Von: Boris http://dennisbloete.de/blog/one-yubikey-to-rule-them-all/comment-page-1/#comment-32076 Boris Tue, 27 May 2008 15:35:00 +0000 http://blog.dopefreshtight.de/?p=274#comment-32076 Well, it would be interesting to know if the basic technology behind this was RFC 4226 (or even its successor http://www.ietf.org/internet-drafts/draft-mraihi-totp-timebased-00.txt, for more information see http://www.openauthentication.org/specifications) We thought about implementing that one about a year or so ago, but still think, that it's a bad idea that every provider comes with a seperate OTP device. OTOH, Encrypting the yubikey DB is a hard one Well, it would be interesting to know if the basic technology behind this was RFC 4226 (or even its successor http://www.ietf.org/internet-drafts/draft-mraihi-totp-timebased-00.txt, for more information see http://www.openauthentication.org/specifications)

We thought about implementing that one about a year or so ago, but still think, that it’s a bad idea that every provider comes with a seperate OTP device.

OTOH, Encrypting the yubikey DB is a hard one

]]> Von: links for 2008-05-27 « Breyten’s Dev Blog http://dennisbloete.de/blog/one-yubikey-to-rule-them-all/comment-page-1/#comment-32065 links for 2008-05-27 « Breyten’s Dev Blog Tue, 27 May 2008 11:31:07 +0000 http://blog.dopefreshtight.de/?p=274#comment-32065 [...] One Yubikey to rule them all (tags: off-topic masquerade openid security yubico yubikey) [...] [...] One Yubikey to rule them all (tags: off-topic masquerade openid security yubico yubikey) [...]

]]> Von: stffn http://dennisbloete.de/blog/one-yubikey-to-rule-them-all/comment-page-1/#comment-32064 stffn Tue, 27 May 2008 10:48:42 +0000 http://blog.dopefreshtight.de/?p=274#comment-32064 Ah, found it: http://www.yubico.com/files/YubiKey_Security_Review.pdf "The server stores the encryption keys and passwords for all users, and is thus a single point of failure. A successful attack on the server, e.g., a physical server attack or cracker attack, will compromise the entire system. The attacker will be able to masquerade as any user. The recovery procedure from this attack includes replacing all user devices (or possibly do a software upgrade of them)." Not so nice. So, the key database needs to be seriously protected. Higher stake in case of a server attack with the keys in clear text in the database. Reduces the attractiveness of running such a service on your own. Man-in-the-Middle and key logger attacks stay dangerous with yubikey as well. Still, nice method of circumventing some social engineering attacks with a low-cost token. I'm eager to see if yubikey will spread. Ah, found it:
http://www.yubico.com/files/YubiKey_Security_Review.pdf

“The server stores the encryption keys and passwords for all users, and is thus a single point of failure. A successful attack on the server, e.g., a physical server attack or cracker attack, will compromise the entire system. The attacker will be able to masquerade as any user. The recovery procedure from
this attack includes replacing all user devices (or possibly do a software upgrade of them).”

Not so nice. So, the key database needs to be seriously protected. Higher stake in case of a server attack with the keys in clear text in the database. Reduces the attractiveness of running such a service on your own.

Man-in-the-Middle and key logger attacks stay dangerous with yubikey as well. Still, nice method of circumventing some social engineering attacks with a low-cost token. I’m eager to see if yubikey will spread.

]]> Von: stffn http://dennisbloete.de/blog/one-yubikey-to-rule-them-all/comment-page-1/#comment-32062 stffn Tue, 27 May 2008 10:32:04 +0000 http://blog.dopefreshtight.de/?p=274#comment-32062 http://yubico.com/technology/description/ says "Together, these fields are encrypted using a 128-bit key." I haven't found a word yet on where the mentioned 128-bit key comes from. http://yubico.com/technology/description/ says “Together, these fields are encrypted using a 128-bit key.” I haven’t found a word yet on where the mentioned 128-bit key comes from.

]]> Von: Kick Willemse http://dennisbloete.de/blog/one-yubikey-to-rule-them-all/comment-page-1/#comment-32061 Kick Willemse Tue, 27 May 2008 10:27:05 +0000 http://blog.dopefreshtight.de/?p=274#comment-32061 Hi, nice post with good details. I think I check on this Yubikey myself. I have 1 question on the way you check wether the login is a Yubikey or not looking at the length of the password. Did you think about checking the username entered within the application and see what authentication mechanism is related. In the end the RP's still need to link their application uid to the authentication ID. In general this mechanism could help the RP's to have just one login screen asking for the username. (In stead of having a login for all different authentication mechanisms.) Hi, nice post with good details. I think I check on this Yubikey myself.

I have 1 question on the way you check wether the login is a Yubikey or not looking at the length of the password.

Did you think about checking the username entered within the application and see what authentication mechanism is related.

In the end the RP’s still need to link their application uid to the authentication ID. In general this mechanism could help the RP’s to have just one login screen asking for the username. (In stead of having a login for all different authentication mechanisms.)

]]> Von: stffn http://dennisbloete.de/blog/one-yubikey-to-rule-them-all/comment-page-1/#comment-32060 stffn Tue, 27 May 2008 10:25:59 +0000 http://blog.dopefreshtight.de/?p=274#comment-32060 Any serious analysis out there about how the security really works? From the yubico's website I cannot deduct where the AES key for encrypting the OTP base data comes from. Is it a pre-shared key? Does the service provider stores those of each yubikey token? Any serious analysis out there about how the security really works? From the yubico’s website I cannot deduct where the AES key for encrypting the OTP base data comes from. Is it a pre-shared key? Does the service provider stores those of each yubikey token?

]]>