crypto frobs
John Covici
covici at ccs.covici.com
Tue Mar 24 09:55:21 UTC 2020
How about a new technology I have heard about called sqrl. See
https://sqrl.grc.com for more information. It overcomes a lot of the
problems discussed here.
On Mon, 23 Mar 2020 22:22:18 -0400,
Michael Loftis wrote:
>
> [1 <text/plain; UTF-8 (quoted-printable)>]
> On Mon, Mar 23, 2020 at 20:08 Michael Loftis <mloftis at wgops.com> wrote:
>
> >
> >
> > On Mon, Mar 23, 2020 at 18:50 William Herrin <bill at herrin.us> wrote:
> >
> >> On Mon, Mar 23, 2020 at 5:16 PM Warren Kumari <warren at kumari.net> wrote:
> >> > Well, yes and no. With a Yubiikey the attacker has to be local to
> >> > physically touch the button[0] - with just an SSH key, anyone who gets
> >> > access to the machine can take my key and use it. This puts it in the
> >> > "something you have" (not something you are) camp.
> >>
> >> Hi Warren,
> >>
> >> They're both "something you have" factors. The yubi key proves
> >> possession better than the ssh key just like a long password proves
> >> what-you-know better than a 4-digit PIN. But the ssh key and the yubi
> >> key are still part of the same authentication factor.
> >>
> >>
> >> > Not really -- if an attacker steals my laptop, they don't have the
> >> > yubikey (unless I store it in the USB port).
> >>
> >> You make a habit of removing your yubi key from the laptop when nature
> >> calls? No you don't.
> >>
> >>
> >> > If they *do* steal both,
> >> > they can bruteforce the SSH passphrase, but after 5 tries of guessing
> >> > the Yubikey PIN it self-destructs.
> >>
> >> What yubikey are you talking about? I have a password protecting my
> >> ssh key but the yubikeys I've used (including the FIPS version) spit
> >> out a string of characters when you touch them. No pin.
> >>
> >
> > The yubikey does many things depending on how it’s configured. None of
> > mine use the touch to spit out OTP mode, that is the factory mode though
> > yes. Other modes can be password protected (it uses the PIN nomenclature
> > which is confusing, it definitely accepts ASCII and nay even take binary
> > data as a PIN depending on mode of operation) ― it can present as industry
> > standard smart card ( I have one with a pin/password for code signing in
> > Visual Studio f/ex...along with a backup kept locked elsewhere)
> >
>
>
> Replying to myself to clarify a bit... the PKI/SSL private keys are on the
> Yubikey, password protected, signing is accomplished by VS passing the bits
> to be signed to the smart card application on the yubikey, which requires a
> password to enable/unlock. On the yubikey Depending on configuration this
> is a just once operation typically. So each signing op requires a password
> entry. But it could be configured diffferebtly. By only keeping the private
> keys on the yubikey it’s something you have (the yubikey) and something you
> know (the password)... the yubikey (barring software bugs obviously) will
> not expose the private key, it only does the signing op.
>
> That same yubikey has a separate app and trust store in OpenGPG mode, which
> does signing for ssh pubkey auth, with a different private key. Same key
> also does FIDO, another application with another key store.
>
> The same key doing all that could also have a “long touch” to spit out an
> OTP.
>
>
>
> >> Regards,
> >> Bill Herrin
> >>
> >>
> >> --
> >> William Herrin
> >> bill at herrin.us
> >> https://bill.herrin.us/
> >>
> > --
>
> "Genius might be described as a supreme capacity for getting its possessors
> into trouble of all kinds."
> -- Samuel Butler
> [2 <text/html; UTF-8 (quoted-printable)>]
--
Your life is like a penny. You're going to lose it. The question is:
How do
you spend it?
John Covici wb2una
covici at ccs.covici.com
More information about the NANOG
mailing list