Silk Road forums

Discussion => Security => Topic started by: Whothefuckisthis on June 03, 2012, 08:17 am

Title: Yubikey what is it? And why should I get or buy it?
Post by: Whothefuckisthis on June 03, 2012, 08:17 am
Wasn't sure if I should post this here or in the rumor mill, but since it's about security I'll give it a shot.
What is a Yubikey (aside from being a USB device)? What is it used for? And do I need one?
Title: Re: Yubikey what is it? And why should I get or buy it?
Post by: vlad1m1r on June 03, 2012, 08:44 am

Hi buddy, welcome to SR!

I was chatting a few weeks ago with some more experienced users about the Yubikey. In theory a Yubikey is a USB key which contains a special private key which generates one-time passwords. In plain English this means that theoretically you can log into websites like MtGox more securely, as the key has you use an on-screen keyboard to protect against key-logging programs and generates complex passwords as and when they're needed.

Take a look at https://www.yubico.com/personal-use to see other uses for the Yubikey.

While on the face of it it sounds very impressive, it is in fact a bit of a liability for people like us. The simple reason is that having your private key stored on a device means it can be compromised, and of course if you use it to protect your password manager program, compromising the one password would entail revealing the whole list!

In addition, if you were to use a Yubikey to encrypt your machine with Truecrypt by creating a static password (https://www.yubico.com/static-password), if the boys in blue ever raided your home they could use the key to decrypt your machine too.

I think a Yubikey might be useful as a decoy if you were using plausible deniability encryption, i.e. you used the Yubikey to protect the harmless data on your machine and surrendered it to the authorities if your home was raided and they threatened you with legal action to hand over your password.

When all is said and done, however, if anyone but you were to get their hands on your Yubikey this would seriously threaten your security, so if you do get one I'd only use it to protect non-essential info.

V.

Title: Re: Yubikey what is it? And why should I get or buy it?
Post by: MrVidalia on June 03, 2012, 10:33 am
Really my only experience with the Yubikey is the "challenge-response" mode for software licensing, but they do have other modes. I have seen it used on websites as an authentication key, but the ONLY protection this offers you is against breaches of your password: e.g. you input your password into a fake banking site, then the hacker could not log on to the real bank site because he has no authentication key. A code is mathematically created, and even with the breach of a one-use code they cannot generate another valid one without the Yubikey. So for example you have online banking. But still anyone can ask the bank what your account balance and transactions are; it only protects you from the hacker logging on.

I just read the usage note on Truecrypt with the Yubikey and this seems VERY insecure. The password is stored; when the button is pushed it emulates a keyboard typing in the password. So e.g. now someone sees your Yubikey, plugs it into a USB keyboard logger and they have your password in 1 second. There is NO verification, so the encryption does not determine whether the Yubikey was installed or the password was typed in on the keyboard. Compare to a Java smartcard, in theory two-way secure... but then whoever has the card can decrypt. Instead of this method, pick a strong password and write it only in your mind!

So it might be more secure to have multi-factor authentication for your encryption. E.g. enforced in the BIOS/TPM: require your TPM password to initialize, your smart card, fingerprint and a STRONG password only written in your mind... then everyone will wonder what secrets you have. Sometimes things hide best in plain sight, encrypted of course, like multiple hidden Truecrypt volumes on plain disks. Then remember that not only do you have the files you created, there are all the small traces, browser history, cookies, so much small stuff: solve it with a fixed medium like a live DVD (best for privacy because no rewrite) or write-protected flash (secure in theory).
Title: Re: Yubikey what is it? And why should I get or buy it?
Post by: vlad1m1r on June 03, 2012, 11:39 am

+1 to Mr Vidalia for an excellent post.

It's certainly true to say that you want to have multi-factor authentication for your encryption, i.e. something you have and something you know. Truecrypt already supports this through the use of keyfiles in combination with a password, and if you need help setting this up please do say so. However, the Yubikey site itself says that if the key is lost along with the encrypted machine then the data will be compromised, so much for multi-factor security!

There are separate schools of thought on whether a live DVD or USB is more secure than an encrypted operating system. Both methods are vulnerable to what is known as a "cold boot attack", where data can be harvested from RAM for a short time after a machine is powered down.

The other concern for me about using a live DVD would be where to keep information such as my GPG private key or Bitcoin wallet software. Of course you can encrypt a USB drive with Truecrypt and keep such programs on there, which you could load with a "live" operating system.

V.
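The two points made above (MrVidalia's: a static password emitted as keystrokes can be captured and replayed, whereas a challenge-response code is useless against a fresh challenge; and vlad1m1r's: a "something you have" token on its own is not multi-factor if the token is seized together with the machine) can be shown side by side in a small simulation. This is an added example written for this page, not code from the thread, from Yubico or from Truecrypt. What is real in it: a YubiKey's challenge-response mode computes HMAC-SHA1 over a secret that never leaves the device, and its static-password mode emits a fixed string as keyboard input. The keystroke logger, the "vault" verifier, the PBKDF2 key-mixing step and all secrets and passphrases are stand-ins constructed for the illustration.

```python
"""Toy model of the YubiKey modes discussed in this thread.

Constructed illustration, not YubiKey firmware or TrueCrypt code.  What is
real: a YubiKey's challenge-response mode computes HMAC-SHA1 over a secret
that never leaves the device, and its static-password mode simply emits a
fixed string as keyboard input.  The logger, the 'vault' verifier and the
key-mixing KDF are stand-ins invented for this example.
"""
import hashlib
import hmac
import os
import secrets


class StaticPasswordKey:
    """Static-password mode: pressing the button 'types' a fixed string."""

    def __init__(self, password: str) -> None:
        self._password = password

    def press(self) -> str:
        # The secret leaves the device in the clear, like any keystroke.
        return self._password


class ChallengeResponseKey:
    """Challenge-response mode: only HMAC-SHA1(secret, challenge) leaves."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret  # never exported by the device

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


class KeystrokeLogger:
    """Anything sitting between the 'keyboard' and the host sees this."""

    def __init__(self) -> None:
        self.captured: list = []

    def tap(self, data):
        self.captured.append(data)
        return data


def derive_key(material: bytes, salt: bytes) -> bytes:
    # Hypothetical vault KDF; TrueCrypt's own keyfile mixing is different.
    return hashlib.pbkdf2_hmac("sha256", material, salt, 50_000)


def scenario_static_replay() -> bool:
    """Logger captures the typed static password; replaying it unlocks."""
    salt = os.urandom(16)
    device = StaticPasswordKey("Z8!kq2pL0vXsR4mT")          # constructed secret
    vault_key = derive_key(device.press().encode(), salt)     # set-up time
    logger = KeystrokeLogger()
    logger.tap(device.press())          # one legitimate unlock, observed
    replayed = derive_key(logger.captured[0].encode(), salt)
    return hmac.compare_digest(replayed, vault_key)   # True: device not needed


def scenario_challenge_replay() -> bool:
    """A captured response to one challenge fails against a fresh one."""
    secret = secrets.token_bytes(20)
    device = ChallengeResponseKey(secret)
    logger = KeystrokeLogger()
    observed = logger.tap(device.respond(os.urandom(32)))    # seen once
    fresh_challenge = os.urandom(32)                         # new every login
    expected = hmac.new(secret, fresh_challenge, hashlib.sha1).digest()
    return hmac.compare_digest(observed, expected)    # False: replay rejected


def scenario_two_factor() -> dict:
    """Device response mixed with a memorised passphrase: neither alone works."""
    salt = os.urandom(16)
    challenge = b"vault-unlock-v1"      # fixed, since disk unlock is offline
    device = ChallengeResponseKey(secrets.token_bytes(20))
    passphrase = b"correct horse battery staple"            # constructed
    real = derive_key(device.respond(challenge) + passphrase, salt)

    # Raid scenario: device seized with the machine, passphrase guessed wrong.
    seized = derive_key(device.respond(challenge) + b"password", salt)
    # Shoulder-surfed passphrase, but a different device.
    other = ChallengeResponseKey(secrets.token_bytes(20))
    surfed = derive_key(other.respond(challenge) + passphrase, salt)
    both = derive_key(device.respond(challenge) + passphrase, salt)
    return {
        "device_only": hmac.compare_digest(seized, real),
        "passphrase_only": hmac.compare_digest(surfed, real),
        "both": hmac.compare_digest(both, real),
    }


if __name__ == "__main__":
    print("static password replay unlocks:", scenario_static_replay())
    print("challenge-response replay unlocks:", scenario_challenge_replay())
    print("two-factor vault:", scenario_two_factor())
```

`scenario_static_replay` is the Truecrypt-with-static-password setup the thread objects to: the host only ever sees a string, so a keyboard logger or a seized key gives the attacker everything. `scenario_challenge_replay` is why a one-use code from a login site does not help an attacker a second time. The caveat in `scenario_two_factor` is that an offline disk unlock has to use a fixed challenge, so the device's response is itself a constant that a logger on the host could capture once it has been computed; the memorised passphrase mixed into the key is the only part a seized device or a captured response does not hand over, which is the "write it only in your mind" advice in code form.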
Title: Re: Yubikey what is it? And why should I get or buy it?
Post by: Whothefuckisthis on June 03, 2012, 08:25 pm
Well, thank you both very much. At first I wasn't really sure what they did and I almost thought it was kinda like the USB stick I purchased. But now I know, I really don't think I need one, especially if it compromises your passwords and is only useful for non-important data.