Silk Road forums
Discussion => Security => Topic started by: dotgoat on August 22, 2013, 02:36 am
-
Not affiliated with them in any way but this may be of interest to people here.
(clearnet) https://www.massdrop.com/buy/yubikey-standard/?mode=guest_open
I got one a couple days ago to try out and then figured others may find it useful. If I understand this right you plug this into a USB slot, touch the button and it sends a random string that's an OTP the yubikey people can verify. Looks like you can also set it up in a second spot by I guess holding the button down longer. And one or both of those spots can instead of a changing OTP have a static password.
(clearnet again) http://www.yubico.com/products/services-software/personalization-tools/static-password/
I could see that plus the auto generate new code to be useful for something like tails. The login could be, using their example, "Sunny33" + whatever the yubikey gives. Then if you want to make it impossible to log in (assuming you don't write down that static password somewhere) hold down the button for 10 seconds and you now have no way of logging in no matter how you're compelled to.
I see mention of yubikey at Mt. Gox although I just use the Google Authenticator OTP thing. Maybe someone else with more experience with it can elaborate but for $15 I'll try it.
FWIW that massdrop.com site may be useful to people here as they seem to have a lot of vapes and other "aromatherapy" and "tobacco products".
-
So looking at the technical info on this
(the clearnets, you are has warning) http://www.yubico.com/products/yubikey-hardware/yubikey/technical-description/
And that all makes sense. I'm no crypto expert but I understand what and why they're doing what they're doing.
My synopsis of it (hmm doesn't seem like bulleted lists work, at least [*] does nothing):
Yubico (the people that make Yubikeys) stores a private key in the yubikey in a way that can't be retrieved and also keeps a record of the key and the "yubikey id". When you press the button it sends the key id and then an encrypted secret that contains "random data from multiple sources" and a counter. The server, having the same private key, decrypts that and makes sure it looks all right (I guess it can be validated somehow). It then checks the counter value and only accepts it if the counter on the yubikey is newer than what the server has. In that way old codes can't be reused. So if someone had a keylogger (assuming this would show up as keyboard presses) they would see a username and then some long string of characters. If they immediately try using that string of characters (assuming they're not man in the middle and instead just trying to replay it) they wouldn't be able to.
I'm kinda excited for this now and it's not just because I'm not particularly sober at the moment ;)
(edit) sorry for multiple posts like this, could have added it to initial one. I'm used to the need to inflate my post count over in noob land :)
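The server-side checks described in the post above, as an added example that is not part of the original thread and not Yubico's code. It assumes the 16-byte block has already been decrypted with the key the server shares with the token, and uses the field layout of the published Yubico OTP format; `Validator`, `build_block` and the status strings are hypothetical names.

```python
import struct

CRC_OK_RESIDUE = 0xF0B8  # CRC-16 over an intact 16-byte block always ends here

def crc16(data: bytes) -> int:
    """ISO 13239 CRC-16 (reflected polynomial 0x8408, initial value 0xFFFF)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def build_block(private_id: bytes, use_ctr: int, session_ctr: int, rnd: int) -> bytes:
    """Constructed sample input: the plaintext a token would encrypt."""
    # private id (6) | usage counter (2) | timestamp (2+1) | session counter (1) | random (2)
    body = struct.pack("<6sHHBBH", private_id, use_ctr, 0, 0, session_ctr, rnd)
    # The stored checksum is the complement of the CRC over the first 14 bytes.
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)

class Validator:
    """Hypothetical server-side state: one record per enrolled key."""

    def __init__(self):
        self.records = {}  # public id -> [private id, last accepted counters]

    def enroll(self, public_id: str, private_id: bytes) -> None:
        self.records[public_id] = [private_id, (-1, -1)]  # nothing accepted yet

    def verify(self, public_id: str, block: bytes) -> str:
        record = self.records.get(public_id)
        if record is None or len(block) != 16 or crc16(block) != CRC_OK_RESIDUE:
            return "BAD_OTP"   # unknown key, or decryption produced garbage
        private_id, use_ctr, _, _, session_ctr, _, _ = struct.unpack("<6sHHBBHH", block)
        if private_id != record[0]:
            return "BAD_OTP"   # block does not belong to the claimed key
        if (use_ctr, session_ctr) <= record[1]:
            return "REPLAYED"  # not newer than the last accepted OTP
        record[1] = (use_ctr, session_ctr)
        return "OK"
```

The checksum and the hidden private id are what let the server tell a correctly decrypted block from garbage; the counter pair is what makes a keylogged OTP useless once the genuine one has been accepted.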
-
Nice FYI dotgoat! I've been wanting to get one of these...
SS