The YubiKey

David Page, Director, The OTOBAS Group Pty. Ltd.
BarCamp Canberra, 28 March 2009
Presentation to BarCampCanberra2 on the YubiKey by Yubico

Page 1: Title slide

Page 2: Content

- Background to Authentication
- OpenID: centralised identity management
- Identity Theft
- Multi-factor Authentication
- The YubiKey
- Useful Links

Page 3: Background to Authentication

What is Authentication?
From the Greek, meaning real or genuine: the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true.

Why Authenticate?
- Restrict access to resources (log on to a laptop)
- Identify user contributions (comments on a blog)
- Non-repudiation (e.g. tax lodgements)

Page 4: Background to Authentication

Authentication Factors
- The ownership factors: something the user has (e.g. a card or token)
- The knowledge factors: something the user knows (e.g. a password or PIN)
- The inherence factors: something the user is or does (e.g. fingerprint, retina, voice)

Page 5: Background to Authentication

How to Authenticate
- Single factor, e.g. user id and password
- Multi-factor, e.g. bank EFTPOS card and PIN
- CAPTCHAs: authenticating that you are human!

Page 6: Background to Authentication

Establishing Credentials
- Simple registration, e.g. Google, TrueCrypt
- Self certification, e.g. a self-signed web site certificate for SSL
- Trust chains, e.g. PGP certificates (web of trust)
- 3rd party certification, e.g. VeriSign

Page 7: Problems

Problem #1: managing all the types of authentication
- E.g. multiple PINs, multiple user ids and passwords

Problem #2: identity theft
- E.g. keystroke loggers, phishing attacks, dumpster diving, lost laptop

Page 8: OpenID

http://openid.net/
- Single point of authority for user credentials
- A bit like PayPal is for your credit card/bank details
- Already supported by a range of major providers, e.g. Yahoo, Flickr, Blogger, Google, Wordpress, LiveJournal, AOL, VeriSign
- You can also set up your own OpenID server
- Demo: VeriSign Personal Identity Page
- Solves the first problem (multiple accounts), but not the second (identity theft): the OpenID provider's password is still one static secret that can be phished or logged

Page 9: Identity Theft

Has become an increasing problem:
- Physical access compromised (e.g. lost laptop)
- Brute force (e.g. dictionary) attacks
- Credit card details poorly protected by 3rd parties
- Keystroke loggers in malware
- "Clickjacking"
- Social engineering

Higher security access requires stronger authentication, e.g. multi-factor.

Page 10: Multi-factor Authentication

- Typically two-factor is "something you have" and "something you know", e.g. EFTPOS card and PIN
- But replay attacks need to be considered: a credit card number plus its security code is NOT true two-factor, because both are static values that anyone who captures them once can replay
- One-time password tokens such as RSA SecurID (e.g. PayPal)
- Mobile phone SMS codes
- But these can be difficult/expensive to implement and integrate

Page 11: Multi-factor Authentication

- Really secure access (e.g. physical access to a data centre) may warrant three-factor authentication: something you have, something you know, and something you are, e.g. an access token, a password and a fingerprint
- Biometric authentication is increasing in popularity
- A fingerprint can serve both as WHO you are (identification) as well as WHAT you are (authentication)
- Cost of implementation coming down, integrated devices becoming more common
- But not available everywhere as yet, particularly in legacy devices

Page 12: Enter the YubiKey

- Made by a Swedish company: http://yubico.com
- Acts like a USB keyboard (HID class), so it needs no driver and works with most computers
- Generates a fixed user id (public identity) followed by a one-time password
- Can also generate a fixed long/complex static password
- Very small form factor: easy/cheap to deploy
- Yubico can authenticate you via OpenID or via free open source web service clients
- Open source authentication servers are provided free
- Client libraries: Java, C, PHP, Python, Perl, PAM (Linux)

Page 13: YubiKey – How it Works

- YubiKeys contain a 128-bit AES key, initially set by Yubico
- AES is a symmetric cipher, not public/private key: the validation server holds the same key, so whoever holds the key can also forge OTPs for that device
- You can generate and load your own AES key
- When the button is pressed, the YubiKey generates a 44 character string consisting of:
  - A fixed user id (12 characters, the public identity)
  - A one-time password (32 characters, one encrypted 16-byte AES block)
- 16^32 = 2^128, roughly 3 * 10^38 possible OTP values
- Can also be configured to navigate to a specific web site and authenticate with one button press (Windows only at present)

Page 14: YubiKey – How it Works

User id (12 characters): vvuelcnnljrd
One-Time Password (32 characters): brihhlvhgbcnlufjlvnuirudeunknlkn

Characters are encoded in ModHex (the 16 letters cbdefghijklnrtuv, one per nibble) for compatibility: these letters sit on the same keys in most keyboard layouts.

Sample output from three presses of the same key (the 12-character user id stays constant, the 32-character OTP changes every time):
vvuelcnnljrdbtrffffdhhlidlhijrbckjgtlgcbnnnh
vvuelcnnljrdhrrbkfkhjfvturlkehrrfhkijdljbcdf
vvuelcnnljrdettngeieevitvlhvtjghilkttkhueglg

Page 15: YubiKey – How it Works

The AES key is used to encrypt a 16-byte block of data for the OTP:
- A hidden identity field (private id) to verify the decrypted result
- A volatile counter, incremented by one for each code that has been generated; it is reset at each power-up
- A non-volatile counter, incremented by one for each power-up event; its value is preserved even when power is lost
- A non-predictable timestamp value, fed by a time base that is highly device and session dependent
- A random seed
- A simple checksum (CRC-16)

The validation server decrypts the block, checks the checksum and the private id, and rejects any OTP whose counter pair is not higher than the last one accepted for that key. That comparison is what makes a captured OTP useless for replay.

Page 17: YubiKey Features

Can operate in single or two-factor mode:
- Just rely on the embedded user id and one-time password (operates as "something you have")
- Add a separate user id and/or password to the embedded user id and OTP (operates as "something you have" and "something you know")

YubiKey Demo: Mashed Life demo

Page 18: YubiKey – Other Features

- One-time passwords are counter-based rather than time-based, so there is no clock to keep in sync with the server
- Hardware-based solution: the AES key never leaves the device, so a trojan cannot copy it the way it can copy a software token's secret (malware on the host can still capture an OTP before it reaches the server)
- No battery to run down (unlike an RSA token)
- No time limit (unlike certificate-based solutions)
- Small form factor (easy to ship/carry)
- Fast and easy to use: lower user resistance
- Low cost (approx. US$25 one-off, US$10 in quantity)

Page 20: Questions?