Yubikeys are now supported
Stephen John Smoogen
smooge at gmail.com
Fri Oct 8 20:40:08 UTC 2010
On Fri, Oct 8, 2010 at 08:48, Paul Wouters <paul at xelerance.com> wrote:
> On Fri, 8 Oct 2010, Dennis Gilmore wrote:
>
>> It sounds like you do not fully understand how the yubikeys work. either that
>> or i dont understand the attack you are describing?
>
> It all comes down to this being based on symmetric crypto, not on public key
> systems. The secret lives at two places, which is unlike modern crypto systems
> we've become used to, such as SSL/SSH, RSA/DSA or OTR.
Correct. It is a problem with several OTP implementations I have dealt
with in the past. Thankfully it is better than one where we figured
out you knew one password you could figure out the next because it was
next = previous * 3 +1 mod 7 (or something close). My hat was off to
the fellow who looking at the 12 character hex code figured out the
pattern in a couple of minutes.
So from this analysis, we should a) look at making sure where the keys
are stored meet a high expectation of security and privacy. and b)
that we should make sure that if a problem occurs that we can rekey
things quickly, and c) audit the system regularly.
I don't know if regularized rekeying of yubi's would buy or help us any.
--
Stephen J Smoogen.
“The core skill of innovators is error recovery, not failure avoidance.”
Randy Nelson, President of Pixar University.
"We have a strategic plan. It's called doing things.""
— Herb Kelleher, founder Southwest Airlines
More information about the devel
mailing list