Published by Vivian Florence Francis. Modified over 8 years ago.
1
Yubikeys in the Enterprise
Talk for Programmers Special Interest Group (PSIG) Canberra
Bob Edwards, June 2009
2
Reusable Passwords are Dead
- Reusable passwords reached their use-by date about 15 years ago (Bob, but others agree...)
- Based on “something I know”
- Knowledge can (and should) be shared...
- Relatively hard to remember
- Relatively easy to determine...
  - social engineering
  - brute-force attack
  - key-capture (hardware or software)
  - etc.
3
One-Time Passwords (OTP)
- Use a password once then discard it
- Capturing it doesn't matter
- Can be generated as a “one-time pad” (pre-determined list agreed by both ends)
- Can be generated automatically
  - RSA SecurID uses a hash of a time code
  - S/Key
  - Yubikey...
- see http://en.wikipedia.org/wiki/One-time_password
4
Multi-factor Authentication
- One-Time Passwords are generally based on “something you have” (one-time pad, dongle, key, calculator etc.)
- Can be combined with reusable passwords (“something you know”) to create two-factor authentication
- If someone steals your OTP generator, not so useful if they don't also have your reusable password
- Banks use SMS messages etc. for 2 factor auth.
5
Yubikeys
- Developed by Yubico in Sweden
- Completely open-source - no vendor lock-in
- Small, robust, easy to use, cheap, no batteries
- Looks to a computer (laptop/desktop/server) like a USB keyboard
- Generates a 44 character OTP each time the “button” is pressed
- Security based on secret AES 128-bit keys
- No need to type anything - does it for you
6
Typical Yubikey Use
7
Yubikey Demo with Yubico Server
- Yubico ships Yubikeys with pre-generated IDs and AES 128-bit keys
- They offer a public authentication server
- Can use this to authenticate your web site etc. with little extra effort
- Yubico “knows” your secret AES 128-bit key
- Need to trust Yubico for authentication:
  - availability
  - integrity/confidentiality
8
Yubikey Data Format
Figure: http://www.linuxjournal.com/files/linuxjournal.com/linuxjournal/articles/101/10166/10166f4.png
- 128-bit dataframe contains 48-bit “secret” ID, counters, timestamp, random number and CRC
- 128-bit dataframe encrypted with secret AES 128-bit key
- “public” ID (6 bytes, 48 bits) prepended
- 22 byte (176 bit) sequence “modhex”d to 16-character alphabet using most common 16 keys across a wide range of Latin keyboards
9
Reprogramming Yubikeys
- Can ask Yubico to supply AES 128-bit keys for your Yubikey(s) - they may or may not comply
- They may comply with someone else requesting your AES 128-bit keys...
- Can reprogram a Yubikey with your own IDs and AES 128-bit key
- Reprogrammed keys will no longer work against the Yubico authentication server...
- Can also reprogram Yubikey with a fixed (reusable) password - but why would you?
10
Reprogramming Yubikeys (2)
- Need C development environment with SVN
    svn co http://yubico-personalization.googlecode.com/svn/trunk
- Follow instructions in doc/Readme.wiki
- Also need yubico-c library from googlecode.com (also required for YKAS/bobykserv etc.)
- Linux usbhid driver won't allow personalization to occur whilst Yubikey is registered as a keyboard...
- as root:
    # rmmod usbhid && modprobe usbhid quirks=0x1050:0x0010:0x04
- run ykpersonalize, then
    # rmmod usbhid && modprobe usbhid
  to allow Yubikey to work as a keyboard device again.
11
Bob's YK Authentication Server
- Wanted an authentication server that matched Yubikeys against users (no current servers do)
- Use as much Open Source technology as possible
- Write it in C, of course...
- Uses: PostgreSQL database, PAM, SSL, LDAP, Apache web-server, PHP scripts...
- Probably only compiles against glibc on Linux...
13
Implementation Details
- written as a classic forking server
- can listen on multiple sockets for TCP, SSL and LDAP (bind) authentication requests
- can also listen on a Unix Domain Socket for encryption requests for new AES 128-bit keys
- can also “call out” to PAM for 2-factor authentication all done in one place
- checks CRC, secret ID, and counter values
- uses syslog for all debug, warning and critical error logging
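The checks listed above (CRC, secret ID, counters), applied to the frame from the Yubikey Data Format slide, as an added Python example that is not taken from YKAS/bobykserv. The field widths and order, the CRC parameters and the residue 0xf0b8 follow Yubico's published OTP format rather than the slides; AES-128 decryption is assumed to have been done already, and build_frame and the sample values are constructed for illustration.

```python
import struct

MODHEX = "cbdefghijklnrtuv"  # modhex digit i stands for hex digit i

def split_otp(otp):
    """44 modhex chars -> (6-byte public ID, 16-byte AES ciphertext)."""
    otp = otp.lower()
    if len(otp) != 44 or any(c not in MODHEX for c in otp):
        raise ValueError("not a 44-character modhex OTP")
    n = [MODHEX.index(c) for c in otp]
    raw = bytes((hi << 4) | lo for hi, lo in zip(n[::2], n[1::2]))
    return raw[:6], raw[6:]

def crc16(data):
    """Frame CRC-16: reflected polynomial 0x8408, initial value 0xffff."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def check_frame(frame, secret_id, last_seen):
    """Validate a decrypted frame; return its (session, use) counters."""
    # Running the CRC over data plus stored CRC leaves a fixed residue.
    if len(frame) != 16 or crc16(frame) != 0xF0B8:
        raise ValueError("bad CRC (wrong AES key or damaged OTP)")
    uid, session, _ts_lo, _ts_hi, use, _rnd, _crc = struct.unpack("<6sHHBBHH", frame)
    if uid != secret_id:
        raise ValueError("secret ID mismatch")
    if (session, use) <= last_seen:   # counters must strictly increase
        raise ValueError("replayed or stale OTP")
    return session, use

def build_frame(secret_id, session, use, ts=0x010203, rnd=0xBEEF):
    """Constructed sample: the plaintext frame a key would encrypt."""
    body = struct.pack("<6sHHBBH", secret_id, session, ts & 0xFFFF, ts >> 16, use, rnd)
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)

if __name__ == "__main__":
    sid = bytes.fromhex("0102030405f6")           # constructed secret ID
    frame = build_frame(sid, session=7, use=3)
    print(check_frame(frame, sid, last_seen=(7, 2)))   # accepted
    try:
        check_frame(frame, sid, last_seen=(7, 3))      # same OTP again
    except ValueError as err:
        print("rejected:", err)
```

The server would store the returned counters per key after each successful login, so a captured OTP fails the counter check when replayed.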
14
Implementation Details (cont.)
- Uses a database (PostgreSQL) to store persistent data - that's what databases do well
- AES 128-bit secret keys are further AES 128-bit encrypted in the database
- allows database to be backed-up etc. without too much fear of keys being compromised
- Only YKAS knows the AES 128-bit database decryption key (and so does the file-system...)
15
Debugging Tools
- softykey - software Yubikey
  - generates valid and invalid Yubikey sequences for testing
  - can also generate a “one-time pad” of valid Yubikeys for use with devices that don't support USB keyboard interfaces (like my Nokia phone...)
- ykastorture - torture a YK Authentication Server
  - can open lots of connections and send requests through in small bits...
  - still being developed
16
Using with Existing Apps
- Mainly interested in Applications that allow remote access:
  - Secure Shell
  - Web pages
  - possibly VPNs (haven't tried them yet...)
- Normal console logins probably don't need additional security - already need physical access...
- Unlocking screensavers - just because I can...
17
PAM and LDAP
- For SSH, can simply use PAM and configure to use the pam_ldap.so module, pointing at the LDAP port of the YK Authentication Server
- Similarly for web apps written in, e.g. PHP, Perl, Python etc.
- Can also use TCP sockets from most scripting languages such as PHP
- Can also use the pam_daemon.so module
18
pam_daemon.so module
- PAM usually requires that authentication be done within the context of the authenticating application
- pam_daemon.so breaks that (so does pam_ldap.so...) by passing username and password (tab separated) to a Unix Domain Socket (locally named socket)
- a daemon process listening on the socket can then authenticate any way it wants to
- the daemon process can be written in any language that understands Unix Domain Sockets, like Python, Java, PHP etc. (and, of course, C)
19
Single Sign-On and Kerberos
- Kerberos is the most common “single sign-on” technology
- Relies on reusable passwords...
- Proposal for OTP support not yet standard
- Could “roll your own” by GPG signing a timestamped message from authentication server indicating user and possibly IP address...
- Modify SSH to allow custom “token” to be authenticated by checking signature against known trusted authentication server public keys
20
Links
- YKAS/bobykserv (and utils): svn co https://svn.anu.edu.au/staff/bob/public/bobykserv
- also need: svn co https://svn.anu.edu.au/staff/bob/public/lib
- Yubico home page: http://yubico.com
- Excellent Linux Journal article: http://www.linuxjournal.com/article/10166