Yubikeys are now supported

Paul Wouters paul at xelerance.com
Fri Oct 8 04:58:06 UTC 2010


On Thu, 7 Oct 2010, Toshio Kuratomi wrote:

> The one time passwords generated by the yubikey can safely be used with
> multiple services.  The thing that is unsafe is using the same AES key with
> multiple ykksm's.  Yubico runs a ykksm for people to use with some third
> party websites that support yubikeys.  The fedoraproject provides its own
> ykksm server.  If you use the same AES key with both of these then if one of
> the servers is compromised, both are compromised.  If you only use your key
> with one of the ykksm's then you can safely use your otps on other sites and
> there will be no negative ramifications (other than not being able to
> authenticate).

That's what I understood, yes. It also means you have to trust any other provider
(without a compromise). It also makes the server a target to obtain the AES
secrets to try elsewhere. In some sense, an md5 hashed password has less value
when taken from a compromised server, as it would still need to be brute forced.

> The newer yubikey hardware has provision for two AES keys but I'm not sure
> how that works and whether it actually allows you to use separate keys with
> separate servers.  Someone will need to look into this.

I think by pressing down the 1 button for more than 2 seconds, you get the second
key. I am not sure if I have such a key (mine is about a year old)

I really like the concept of the yubikey - that is the USB keyboard as input
method. My company decided not to add this to our products because of the
concern of symmetric crypto used. It would be perfect if it had some kind of
public key based system like RSA or DSA.

One usage of yubikey I would like very much is as storage for the AES
encryption key for disk encryption. I'd prefer the disk crypto key to
not be on the disk at all, protected by just a passphrase. It would be
nice to have it on a yubikey instead.

Paul