Today we’re going to continue our discussion on the Yubikey from Yubico. I received mine in the mail a few weeks ago and had the opportunity to play around with the device a bit. Many people were attracted to the Yubikey because of it’s cool, tiny keyboard - so they ordered them. When it arrived they plugged it into their computers and touched the green surface which then spits out a 44 character encrypted one time password. That’s all nice and very cool but now what? How can this very innovative security token that is a tiny USB keyboard be put to good use? I, therefore, devised a way to prove that this cool token can really deliver. My plan was to customize this blog’s “admin logon” and incorporate the Yubikey authentication as an added layer of security.

Good news, Yubikey authentication is open source! This means that developers are able write code both on the client side as well as the server side to leverage the Yubikey in their own environments. There are not too many options for do-it-yourself hardware authentication solutions! Yubico offers sample code in a variety of languages that can help you get going. You can also authenticate against Yubico’s authentication server, hosted by them. This would come in handy for companies that plan on implementing their own server authentication, however, are not there yet and would like to test their client side code. In my case I decided to authenticate against Yubico, since it’s simpler and quicker. There is a downside to this approach that is worth mentioning. If I wanted to log onto my blog’s “admin panel” and for some reason the Yubico authentication server was down, I would be locked out of my blog’s admin panel.

This blog uses Wordpress, the popular open source PHP blogging software. Modifying the admin logic to include the Yubikey as a 2nd level of authentication was very easy. I utilized the code written for PHP. First, I dropped in the Yubico class on my server. I then added in some code to the wp-login.php file.

Here is the function that calls the Auth_Yubico class:

function verifyYubikey ($token) {
global $error;

$yubi = &new Auth_Yubico(’77′,’5dFRPaFvjBvwiiB023ZWu4Qb++U’);
$auth = $yubi->verify($token);
if (PEAR::isError($auth)) {
$yub_error = $auth->getMessage();
$error = __(’<strong>ERROR</strong>: ‘. $yub_error);
return false;
} else {
return true;
}

}

Here is where I modified the logic for logging on in the wp-login.php file.

if (verifyYubikey($user_yub) && wp_login($user_login, $user_pass, $using_cookie)) {

I verify the yubikey string prior to verifying my static password so people can try it out by putting in a password and see what errors are returned back from Yubico’s authentication server; more on that shortly…

So, how does the Yubikey work? We talked about asymmetric encryption in a prior post. Each Yubikey contains a unique private key that encrypts some data, turning it into the encrypted OTP (One Time Password). The Yubikey uses a conversion scheme to ASCII, which they call mod-hex. The 44 character blob is made up of 12 characters plus the 32 character OTP. The first 12 characters never change; they are your Yubikey’s unique id. So you have the 48 bits plus an AES encrypted 128 bits sent over to the authentication provider (in my case, the Yubico server). Yubico then does a lookup with my unique 12 characters and pulls the “public” key to do the decryption. Now, if the authentication side is able to decrypt this blog then you are successfully authenticated. After decryption you have 128 bits of cipher text. Besides containing your unique id, the cipher text also contains some additional useful information about how your Yubikey has just been used. For example, the time-stamp of when the OTP was generated is included, as well as a session “use counter” showing how many times you generated an OTP. This information can be used to thwart some sneaky phishing attacks. Another thing to note is that your secret AES key in the Yubikey is never able to be read out; nothing you can do to the device can force it to give you it’s secret key. All in all, this hardware solution is extremely secure.

Below are two Yubikey passcodes generated from my Yubikey that I used to authenticate myself when creating this post. I highlighted the first 12 characters, my unique serial number indentifying my Yubikey. You can copy and paste the string in the Yubikey field on my admin page and then type in anything for the static password (logic for verifying Yubikey is done prior to the static password as you can see in the PHP code above).

jdteklknnhcffbfgjebejhbbgnrtrevingnldlctiulj
jdteklknnhcfnfidtedkcelbrkvngurddrclghnidgfh

To make sure the responses come from Yubico, they offer you the ability to create an id with a shared key. When you authenticate, there is an extra field returned to which you can apply a signature algorithm. To apply this algorithm you use your shared key to validate that the response actually came from Yubico. In the code of the “verify method” above I included my id of 77 and the shared key that was assigned to me. I just tried changing the shared key by adding a “1″ to the end of that string and wasn’t alerted that my signature algorithm failed; which it should have done. Perhaps I’m doing something incorrectly; feel free to comment. I’d like to say thank you to Simon from Yubico who was responsive to the questions I posed. Yubico also set up a forum where you can learn more about Yubikey.

On Securitynow podcast #141 Steve Gibson talks about his experience at RSA Conference 2008 a few weeks back. The RSA Conference is the largest of it’s kind in the world focusing on information security. I mentioned to a friend that I’m going to be at the RSA Conference in 2009 and I’m going to leave the kids somewhere and bring my wife. Ok, ok - that’s pushing it.Steve gave out a url which takes you to RSA conference Keynote speakers so you can watch at your leisure. There is one really fascinating keynote address by Jeff Hawkins about brains and computers (AI) that is worth watching.  Jeff Hawkins co-authored a book called, “About Intelligence”.

At RSA Steve stumbled on a really cool new product called the Yubikey from a Swedish company called Yubico. The Yubikey is a very small USB authentication device. You plug it in to your computer’s USB port and then go to, say, a website that was all set up to support Yubikey. Touch the device and it will spit out a really long one time password sequence. If you have the the device that is associated with you (based on the devices serial number I would guess) then you are authenticated. In authentication speak this form of authentication would be something you have, while your static password is something you know. The really cool thing about this device is that the Yubikey contains a tiny keyboard so you don’t have hardware compatibility issues. I need to learn more in order to fully explain how this works. What better way to learn about the product than to implement it. We talked about securing my blog’s “Admin panel” in a previous post. I have username/password and for a 2nd factor authentication I can use the yubikey. I sent the company an email the other day expressing my interest in the product. I got a response back from the CEO.

“Thanks for your interest in Yubico….Since Steve Gibson sent his latest SecurityNow! podcast interest in our product has greatly exceeded our expectations. We are working hard to catch up with demand and sincerely apologize to all of you who are still waiting to receive shipments from us. We expect to be caught up within the next two weeks. ……. “

I’m sure the CEO is happy she met Steve at RSA. I’ll keep you updated on my progress in implementing the Yubikey on my blog’s “admin panel”. We also need to discuss “openID” since the yubikey is openID compliant. In short you can use your Yubikey when logging onto sites that support openID for an added level of security. Until next time..

***** Follow up ******

New post on my Yubico Impementation.

Steve Gibson of “GRC.com” has successfully implemented a very cool and extremely robust multi-factor authentication for his GRC employees who need access to an web admin console. He shares his implementation on a series of pod-casts found here. The cool thing about this form of authentication is that he assumes “perfect knowledge”. This means that Steve’s one-time password scheme is extremely secure. So secure, in fact, that if a keystroke logger residing on that machine is recording the keystrokes while a user attempts to log in - that information would not aid an in future attempts to log in. Most sites you visit that contain the typical user log-in, including your online banking site, would be vulnerable to a key stroke logger attack. That is because they require a password that is static. This means the password doesn’t change each time a user logs on. A key stroke logger would be able to identify your password as you type on the keyboard. Armed with this knowledge of your password the attacker can masquerade as you in a future log-on attempt. Another term for this attack vector is called a “replay attack”.In the Steve’s “PPP system” the four-character password, which is a passcode, is different each time the user logs on. There are 16,777,216 possible combinations for each passcode and since no passcode is ever reused, a replay attack would be impossible. The passwords are displayed on a credit card sized piece of paper that can be easily stored in one’s wallet. Steve uses some heavy duty encryption with a highly pseudo random 256 bit key to generate these series of passcodes. Each user will have a 256 bit key that will define the series. This key is stored on the server and the user doesn’t know this key. Another nice feature with this system is that the server will keep track of the passcodes of prior logons, and prompt the user for which passcode that it wants the user to enter. Each column is a letter and each row is a number, therefore the server might show “3E [1]:” so you would type in 5th column 3rd row on the first page. You can also print out your own passcode sheets and if you ever lose a sheet you can tell the server to forward you on to the next sheet, invalidating
the prior passcodes.

The PPP system was well received in the security community and some very practical open-source implementations were created. I downloaded and installed the PPP for PAM module, which allowed me to use PPP when I remote log-on to my MAC using SSH. Interestingly, Steve mentioned that when his employees log on using PPP they also supply a static password in addition to the PPP password. The reason behind this is that if the sheet of passcodes (something you have) got into the wrong hands they would be able to log in as you. However, they still need the static password that only you know, to log on.

There are well known forms of authentication in security we use often to identify someone’s identity to systems. Three forms are; something you know ( i.e a password), something you have (i.e a bank card, secureId token), something you are (i.e fingerprints, retnal pattern). For example, when you use your ATM card at a bank you are using something you have (bank card) and a pin (something you know) , this is called multifacter authentication.

On Security Now (a fantastic podcast) Q and A episode 92 someone wrote in about another way of authenticating users using IP intelligence. IP intelligence is knowing approximately where you are located when using the internet. So you can have a website display local resturants based on the the IP he logged on to the site with.

The applications of this technology is great. When discussing authentication this can be used to further verify someone’s identity. If I log onto my bank site with a IP address that originated from Geneva, that might be a good indication to the website that it’s not me logging on. There are third-party’s services that offer this to the extra security contious web site. This works nicely , since , the IP address of the user logging in using a SSL connection can’t be spoofed. So next time you’re in China and you can’t log into your banking site you’ll know why

Anyone have an other forms of authentication you’d like to share ???