[clug] Re: Yubikeys at CLUG meeting (linux Digest, Vol 78, Issue 6, Message 4)

Robert Edwards bob at cs.anu.edu.au
Thu Jun 4 00:30:59 GMT 2009


Miles Goodhew wrote:
> Hi Karun,
> 
>> Date: Tue, 02 Jun 2009 20:52:40 +1000
>> From: "Karun Dambiec" <karun at fastmail.fm>
>> Message-ID: <1243939960.23319.1318351635 at webmail.messagingengine.com>
>>
>> Does anyone who participated in the bulk purchase of Yubikeys know how
>> we can get access to the Yubikey Management System?
>> It appears we need a paypal receipt.
> 
>   I didn't think you _could_ get access to their access system.

Yubico offer a public authentication service which every Yubikey they
sell can authenticate against by default until reprogrammed. This is
the default way of using Yubikeys against a whole range of public
websites and services (including OpenID and possibly LastPass).

> 
>> I'm needing to get my AES key so I can set it up to use with PAM on
>> Linux.
> 
>   I haven't done a lot of tinkering with my keys yet, but I thought if
> you were going to do your own "disconnected mode" client verification
> system, your best bet was to "re-personalise" (re-key) the keys.  This
> way Yubico themselves can't know your AES keys, should they somehow go
> over to the dark side.
>  I haven't looked for long, but I've not found much documentation
> about doing this yet.
> 
> Hope that's some help,
> 
> M0les.
> 

So, if the guy who actually purchased the Yubikeys (Miles, in this case)
sends in a request to Yubico with various proofs that he/she did order
the keys (Paypal number etc.) and with two consecutive Yubikey sequences
from one of the keys, and their own public GPG key, then Yubico _may_
send back the AES 128-bit keys for _all_ the Yubikeys on that order,
encrypted with that GPG key.

Now Miles has the AES 128-bit key for everyone in the bulk order (!).
He can distribute them. Not wanting to cast aspersions on Miles' good
name, but everyone who ordered Yubikeys through this order should be
aware that Miles _may_ have your Yubikeys' pre-programmed AES key
already... And we already know that Yubico has those keys as well...

Again, I would look seriously at reprogramming in any case.

On the other hand, when I tried getting the AES keys for my Yubikeys,
Yubico put up some hurdles that I couldn't be bothered hurdling (I
didn't order them using Paypal so things were a little more complex).
So I just went with plan A: reprogram all the keys.

If anyone wants to know how to reprogram their Yubikeys, I am talking
about this at next week's PSIG. Also, there is documentation on the
Yubico wiki about it - requires downloading and compiling three sets
of C code in the correct order.

Cheers,

Bob Edwards.
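To make concrete why whoever holds a Yubikey's AES key controls its authentication, here is the core of the "disconnected mode" OTP check a local PAM module would run; it is an added example, not code from Yubico, the wiki, or anyone on the list. It assumes the standard Yubico OTP layout (6-byte private UID, session counter, timestamp, session-use byte, random bytes, CRC-16 in one AES-128 block, typed as 32 modhex characters); the key, UID and OTP values used are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"errors"
	"strings"
)

// modhex is the keyboard-layout-independent alphabet a Yubikey types.
const modhex = "cbdefghijklnrtuv"

// crc16 is the Yubico OTP checksum (reflected poly 0x8408, init 0xffff);
// over a full token including its stored CRC the residue is always 0xf0b8.
func crc16(data []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408&-(crc&1)
		}
	}
	return crc
}

// VerifyOTP is the "disconnected mode" check a local PAM module performs:
// decrypt the OTP with that Yubikey's AES-128 key, confirm CRC and private
// UID, and reject any counter (bytes 6-7 LE, then byte 11) not above the last.
func VerifyOTP(key, uid []byte, lastCounter uint32, otp string) (uint32, error) {
	block, err := aes.NewCipher(key) // 16-byte key selects AES-128
	if err != nil || len(otp) != 32 {
		return 0, errors.New("bad key length or OTP length")
	}
	tok := make([]byte, 16)
	for i := range tok {
		hi, lo := strings.IndexByte(modhex, otp[2*i]), strings.IndexByte(modhex, otp[2*i+1])
		if hi < 0 || lo < 0 {
			return 0, errors.New("not modhex")
		}
		tok[i] = byte(hi<<4 | lo)
	}
	block.Decrypt(tok, tok) // the whole OTP is exactly one AES-ECB block
	if crc16(tok) != 0xf0b8 || string(tok[:6]) != string(uid) {
		return 0, errors.New("wrong key or UID")
	}
	counter := uint32(tok[6])<<8 | uint32(tok[7])<<16 | uint32(tok[11])
	if counter <= lastCounter {
		return 0, errors.New("replayed or stale OTP")
	}
	return counter, nil
}
```

The returned counter must be persisted per key and passed back as lastCounter on the next login, otherwise a captured OTP is accepted again.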

