Saturday, August 22, 2009

YubiKey, Authenticate Me Please

I enjoy really geeky gadgets, and potentially one of the geekiest things I have purchased lately was a YubiKey from Yubico.

For someone not very technical it might be a little hard to understand what a YubiKey actually does. From a security standpoint it is quite simple: it authenticates you. It looks like a very thin flash drive with a button on top. When plugged into any computer it acts like a USB keyboard. This means it works on anything with a USB port that supports a keyboard.

The point of having a YubiKey is to have a one time password. Just like the name implies, a one time password is a password that only works once. Every time you click the button, the YubiKey generates a unique password that will only be valid once.

How a YubiKey Works

Stored inside the YubiKey, and on the server that authenticates it, is a secret key. The YubiKey uses this key with strong AES 128 encryption to encrypt the message, the OTP, that is sent to the server. The encrypted message is encoded in mod-hex (32 characters long) using an alphabet that is common to all keyboards. It doesn't actually send letters; rather, it works at the lowest level, using scan codes that are common across all keyboards.

The actual message that is encrypted is broken down as follows:

  • Private identity (6 bytes) - Uniquely identifies the YubiKey
  • Usage counter - Increments every time the YubiKey is used. Ensures every OTP is unique
  • Timer field (24 bits) - Initialized with a random number, which then counts up using an 8 Hz timer
  • Random number (16 bits) - Initialized with a random number
  • Checksum - CRC16 checksum of all of the fields


All of this information is encrypted to authenticate that you have the encryption key that was used to encrypt the message. The security of the entire system is based on the ability to keep the encryption key private and the inherent security of AES encryption.
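The decoding and checking a validation server performs on that message, as an added Python example that is not from the original post or from Yubico's code. It goes beyond the field list above: the counter width, the one-byte session counter, the little-endian byte order, the mod-hex alphabet and the CRC constants follow Yubico's published OTP format, the AES-128 decryption is assumed to have been done already with a crypto library, and all function names and sample values are made up for illustration.

```python
import struct

MODHEX = "cbdefghijklnrtuv"   # modhex character at index i stands for hex digit i
CRC_OK_RESIDUE = 0xF0B8       # CRC register value after a block with a valid checksum

def modhex_decode(text: str) -> bytes:
    """Turn modhex characters (two per byte) back into raw bytes."""
    if len(text) % 2 or any(c not in MODHEX for c in text):
        raise ValueError("not a modhex string")
    nibbles = [MODHEX.index(c) for c in text]
    return bytes(hi << 4 | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))

def modhex_encode(data: bytes) -> str:
    return "".join(MODHEX[b >> 4] + MODHEX[b & 0xF] for b in data)

def crc16(data: bytes) -> int:
    """CRC-16 with reflected polynomial 0x8408 and initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def build_block(private_id: bytes, use_ctr: int, timer: int, session: int, rnd: int) -> bytes:
    """Assemble a 16-byte plaintext block (helper for the sample; the key does this itself)."""
    body = private_id + struct.pack("<HHBBH", use_ctr, timer & 0xFFFF, timer >> 16, session, rnd)
    return body + struct.pack("<H", crc16(body) ^ 0xFFFF)

def parse_block(block: bytes) -> dict:
    """Split a decrypted 16-byte block into its fields and verify the checksum."""
    if len(block) != 16:
        raise ValueError("decrypted OTP block must be 16 bytes")
    use_ctr, t_lo, t_hi, session, rnd, _crc = struct.unpack("<HHBBHH", block[6:])
    return {"private_id": block[:6].hex(), "use_ctr": use_ctr, "timer": t_hi << 16 | t_lo,
            "session_ctr": session, "random": rnd, "crc_ok": crc16(block) == CRC_OK_RESIDUE}

def accept(block: bytes, expected_id: str, last_seen: tuple) -> bool:
    """Server decision: checksum valid, identity matches, counters moved past last_seen."""
    f = parse_block(block)
    return (f["crc_ok"] and f["private_id"] == expected_id
            and (f["use_ctr"], f["session_ctr"]) > last_seen)

# Constructed sample (not a real token): the plaintext block as it looks after AES decryption.
SAMPLE = build_block(bytes.fromhex("0a1b2c3d4e5f"), use_ctr=7, timer=0x123456, session=2, rnd=0xBEEF)

if __name__ == "__main__":
    print(parse_block(SAMPLE), accept(SAMPLE, "0a1b2c3d4e5f", (7, 1)))
```

The counter comparison in `accept` is what makes the password "one time": the server stores the highest counters it has accepted for a key and rejects any block that does not exceed them.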

What I've Done with my YubiKey

I have left my YubiKey authentication in the hands of Yubico so I am able to log into the Yubico wiki and forums in one click. I have also played with authenticating my own PHP web applications. It is a fairly simple process to run a client authentication on a web server.

Yubico is very open source with their product and provides an authentication server and authentication clients for many different languages and platforms. This includes my favorite language on the web, PHP. The authentication process is rather simple using the Standalone Yubico PHP class linked to from the Yubico web services clients page on their site.

The amazing part of the system is that you do not need a user name or password to log in if you want to use single factor authentication. It is, for the sake of argument, impossible for anyone to generate a valid OTP without having my YubiKey or the private encryption key, which is kept secret. This means all I have to do to log into my own site is plug my YubiKey into my computer and press the button.

I have only played around with this authentication so far, but will hopefully be adding MediaWiki YubiKey authentication to https://www.jaredhatfield.com/ soon.

Another Cool Feature

While the entire point of a YubiKey is to have a one time password, it has another functionality where you can store a static password in the device that it will simply type in on demand. Each YubiKey also has two modes that it can operate in depending on how long you press the button (OTP + OTP, OTP + Static, Static + Static), and I will be playing with this feature very soon.

This means you do not have to remember a very long password and can simply have a YubiKey type it in for you. This is very useful when you look at having long wireless encryption passwords or passwords used on encrypted drives or file containers.

I will continue to play and post on this topic when I have made more progress.

1 comment:

Mashed said...

YubiKey has a lot of potential security problems, like any event-based OTP device. But it is an interesting toy, or at best a common denominator.

BTW how do you compare it with Umikey or Swekey?

Thanks for tips