[clug] Yubikeys - group purchase?

steve jenkin sjenkin at canb.auug.org.au
Wed Apr 29 07:03:42 GMT 2009


Robert Edwards wrote on 29/4/09 3:47 PM:

> Yeah, I am aware of all these sorts of things. What I am after is
> a way of playing with a Yubikey secured server (eg. web server) from
> a PDA. So the PDA somehow needs to be able to generate Yubikey-like
> OTPs.
> 
> Cheers,
> 
> Bob Edwards.

Bob,

Please excuse my naiveté, but wouldn't a phone/PDA App that implemented
a One Time Password, like S/Key, fit the bill?

You have to do two things:
 - protect entry to the App with a PIN, or maybe a OTP :-)
 - have multiple sequences/servers that can be selected

Not being time but sequence based, you always have to connect to the
same server and present exactly the next in sequence. I haven't read
enough to know how to resynchronise client/server.

This is on top of the need to reload the client when you've consumed
your set of OTPs.

<http://en.wikipedia.org/wiki/One-time_password>
<http://en.wikipedia.org/wiki/S/KEY>
Seems there are RFCs on this now.

The wikipedia page talks of a M-i-t-M attack, "These types of
vulnerabilities can be avoided by using ssh, SSL, SPKM or other
encrypted transport layer."

=> Wouldn't the yubikey be similarly vulnerable?
   So you'd use both only for logins over SSL :-)

We have experts in the list on USB and some proto experts on Android and
OpenMoko (?sp). Isn't there also someone who does Linux on Palm??

An essential part of the Yubikey is that it identifies as a USB keyboard
(HID). Your S/Key phone App would need to identify as a HID on USB or
Bluetooth.

I've no idea how hard/easy the HID part is.  Comments on this?

cheers
steve

-- 
Steve Jenkin, Info Tech, Systems and Design Specialist.
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA

sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin
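The sequence-based scheme Steve describes (S/Key-style hash chains: the server holds only the current chain head, the client presents the previous link, and the list eventually runs out and must be reloaded) can be shown in a few dozen lines. The following is an added illustration written for this archive page, not code from the thread or from any S/Key implementation: it uses SHA-256 in place of S/Key's original MD4/MD5, invents its own `enrol`/`Verifier`/`Client` names, and adds an optional look-ahead `window` as one answer to the resynchronisation question (a design choice assumed here, not part of the S/Key RFCs). It runs offline on constructed inputs.

```python
"""S/Key-style one-time-password hash chain (added educational example, not S/Key itself).

Chain: H^0 = H(seed || passphrase), H^(i+1) = H(H^i).
The server is enrolled with the head H^n and counter n.  The client presents
H^(n-1); the server hashes it once, compares with the stored head, and on
success stores H^(n-1) as the new head.  Nothing stored on the server lets an
attacker compute a future OTP, and every accepted OTP is consumed.
"""
from __future__ import annotations

import hashlib
import secrets


def H(data: bytes) -> bytes:
    """One-way function for the chain (SHA-256 stands in for S/Key's MD4/MD5)."""
    return hashlib.sha256(data).digest()


def make_chain(passphrase: str, seed: str, n: int) -> list[bytes]:
    """Return [H^0, H^1, ..., H^n] for the given passphrase, seed and length."""
    x = H((seed + passphrase).encode())
    chain = [x]
    for _ in range(n):
        x = H(x)
        chain.append(x)
    return chain


class Verifier:
    """Server side: stores the seed, the chain head H^counter and the counter.

    window=1 is the strict S/Key rule (exactly the next link in sequence).
    A larger window (assumed here as a resync strategy) tolerates a few lost
    or skipped OTPs by hashing the presented value up to `window` times.
    """

    def __init__(self, seed: str, chain_head: bytes, counter: int, window: int = 1):
        self.seed = seed
        self.head = chain_head
        self.counter = counter
        self.window = window

    def challenge(self) -> tuple[int, str]:
        """What the server announces at login: the sequence number wanted and the seed."""
        return (self.counter - 1, self.seed)

    def verify(self, otp: bytes) -> bool:
        if self.counter <= 0:
            return False  # chain exhausted: client must enrol a fresh seed/chain
        x = otp
        # Never hash past H^0: at most `counter` steps can reach the head.
        for steps in range(1, min(self.window, self.counter) + 1):
            x = H(x)
            if x == self.head:
                # Accept and advance; this value and all earlier links are now unusable,
                # so a replayed OTP fails on the next call.
                self.head = otp
                self.counter -= steps
                return True
        return False


class Client:
    """Client side: a precomputed OTP list consumed from the top (the 'set' you reload)."""

    def __init__(self, chain: list[bytes]):
        self._otps = chain[:-1]  # H^0 .. H^(n-1); H^n is the head handed to the server

    def remaining(self) -> int:
        return len(self._otps)

    def next_otp(self) -> bytes:
        if not self._otps:
            raise RuntimeError("OTP list exhausted; enrol a fresh chain")
        return self._otps.pop()


def enrol(passphrase: str, n: int, seed: str | None = None) -> tuple[Client, Verifier]:
    """Constructed enrolment: build a chain and hand the head to the server side."""
    seed = seed or secrets.token_hex(4)
    chain = make_chain(passphrase, seed, n)
    return Client(chain), Verifier(seed, chain[-1], n)


if __name__ == "__main__":
    client, server = enrol("constructed passphrase", 5, seed="sj01")
    for _ in range(5):
        otp = client.next_otp()
        print(server.challenge(), server.verify(otp), client.remaining())
    print("after exhaustion:", server.verify(b"anything"))
```

The strict verifier shows why Steve's "exactly the next in sequence" holds: presenting H^(n-2) when the server expects H^(n-1) fails with `window=1`, and a replayed OTP fails because the head has already moved past it. Setting `window` larger lets the server catch up after a lost OTP, at the cost of accepting a small number of skipped links.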

