«Security Now! Transcript of Episode #143 Page 1 of 30 Transcript of Episode #143 YubiKey Description: Steve and Leo delve into the detailed operation ...»
Okay. Then we have a two-byte, what we call a "session counter." That is a nonvolatile counter, and it counts the number of times the YubiKey is powered up. So if you plug it in, that session counter increments once when the YubiKey powers up. And that's nonvolatile. So it only increments, and it never resets to zero. Next is three bytes of a timestamp. And that's a three-byte counter, 24 bits, that runs at 8Hz. So eight times per second this three-byte timestamp is counting up. Well, that means that it will run, before it wraps around, it runs for 24 days. And that always starts at zero when you plug it in.
So you plug it in, the session counter, which is two bytes, increments by one. And this timestamp starts running.
Well, this has a number of features. One is it has an anti-phishing feature because it means that they're able to determine when - because essentially you've got time embedded in the YubiKey's output. They're able to determine, that is, the recipient is able to determine for successive outputs during a single session when these were generated by the key. So if anything were to intercept this and impose some interception delay and then try to use it, it contains a timestamp. So by comparing the timestamp received from previous receptions of this YubiKey output, they're able to determine whether these are out of sequence, whether they've been delayed for some reason, because normally the authentication happens in near real-time. You know, you're on a form, you go to the YubiKey field to authenticate, or maybe you've got this all built in, for example, into a, for example, a VPN client. And you press the button, it types the stuff out, then you would submit the form. So there's only, like, a few seconds delay between the time the YubiKey generates its token and the authenticator has it and is able to authenticate. So just, I mean, they had 128 bits to play with. And so from an engineering standpoint they said, well, what cool things can we do with all this space? So they gave us an 8Hz timestamp, so every YubiKey token is timestamped in real-time as it's generated.
Leo: That actually solves a problem that VeriSign has with their football or their little card; right? Because if you're out of sequence, sometimes, occasionally, if you press the key a bunch of times or whatever, you'll have to get back in - they can lose track of the sequence, I guess. Does this solve that?
Steve: Well, actually we've got so many bits. And what we're really doing is encrypting this thing. In fact, all you really want to do is prove that you have the magic 128-bit AES key. So the fact is, just decrypting this and doing a sanity check or...
Steve: That's really all you have to...
Leo: You don't have to match it up. You don't have to generate a matching key or anything like that at all.
Leo: Oh, I see. So it really is a different technology than the football.
Leo: There's more than a million keys, one hopes, out there, so that's not going to do it.
Steve: Exactly. Okay. So the next byte is a session use byte, just one byte which increments every time you use it during that session. So remember we have the session counter that increments once for the whole power-up cycle. And then the session use byte, it starts at zero at the beginning of every session. And then it increments. And that's just to make every single one unique, even though the timestamp would also do it.
But the next two bytes is 16 bits of pseudorandom data. So they have a pseudorandom generator that just generates 16 bits of noise that is added in. The reason they do that is that the one concern that you would have in simply encrypting Rijndael or any symmetric cipher block, we've talked about this before, is that this uses what's called ECB mode, Electronic Code Book mode, meaning you simply take the data, and you encrypt 128 bits into 128 bits.
Well, the problem with ECB mode is the so-called "known plaintext attack," meaning that if you ever are encrypting the same data or potentially similar data, there's a theoretical vulnerability, that is, that you could begin to build up a mapping between the plaintext and the encrypted data. So what they do is they throw in this two bytes of pseudorandom data in addition to three bytes of timestamp, which is running at 8Hz.
That's much faster even than you're able to emit these key outputs. So there's a lot of randomness in those two things. Or at least nondetermination. And then they have the pseudorandom bytes. And, finally, a 16-bit, two-byte CRC, a Cyclic Redundancy Check, which applies to the entire block.
So the idea would be you receive one of these things, which is this funky mod hex code.
You translate each of the 16 different characters in the alphabet into four bits. That gives you 128 bits. Then you look up the key's secret 128-bit Rijndael symmetric key. You decrypt that 128 bits into this data that I've just described. So now you have the device's unique ID, six bytes; the session counter; the timestamp; the session use byte; then the two pseudorandom bytes that you ignore. But you do run all that through the CRC just as a sanity check to make sure that you have probably decrypted something that is valid and that there was no data loss or corruption at any point. And then you've got all this information about the YubiKey, that is, how many times it's been used in that session, a sense of the time flow during that session, and you can use that to authenticate and to provide various forms of anti-spoofing protection.
Leo: Very cool. Somebody asked in the chatroom if a keystroke logger could capture these keystrokes.
Steve: Absolutely. And I'd be happy to read mine out to anyone who wants.
Steve: Yes. Exactly. It is a one-time key. And again, oh, I forgot to mention, that session counter that is two bytes, they actually have stolen the top bit from it. So it's only 15 bits, meaning that it runs up to a maximum of 32767. It starts at zero. When it gets to the maximum of 32767, it stops, and the YubiKey dies. So that's one thing worth noting.
Leo: Wait a minute, say that again? It can only generate how many?
Steve: No, no. That's what's cool. It's not about - it's how many sessions it can have. That is, it counts - it's a 15-bit counter. So it counts up to 32767.
Steve: A session is when you power this thing up.
Leo: Ah. So you would have to unplug it and plug it in again to start over.
Steve: Exactly. Well, no...
Leo: Big deal. You're not going to use 15,000 sessions.
Steve: No no no. No. Now, remember that the key is - this is a one-time password generator. Therefore that session counter can never be allowed cryptographically to wrap around to zero because that's where it started. And although...
Leo: It would repeat passwords.
Leo: So are you saying that after 15,000 passwords this stops working?
Steve: No no no. It's very important that people understand this. First of all, it's 32,000. It's 32,000 sessions.
Leo: And you're saying a session begins when you power it up. So it sounds like every time you unplug and plug it in, that's a new session?
Steve: That is correct.
Leo: Okay. So you wouldn't want to unplug it and plug it in.
Steve: Well, consider that that's a big number. First of all, that's 10 times a day for nine years.
Leo: Okay. Never mind, then. We won't worry about it.
Steve: Well, and imagine that this thing takes off. For example, you're using it as your OpenID token.
Leo: Which means you'd probably want to leave it plugged in.
Steve: That's my point is you're - or you're using it to authenticate yourself to your bank and your corporation and so forth.
Leo: So before you get to work, you sit down, you plug it in, and you press that button whenever you need it, and you unplug it at the end of the day.
Leo: You're not going to use - how many per session do you get? Is it...
Steve: No, it's infinite. There's no limit on the number of keys you can generate per session.
Leo: Oh, okay. Then forget it. Then it's not a big deal.
Steve: And the other reason that this is important is, remember, we know about nonvolatile RAM not lasting forever. That is...
Leo: So it's not writing to the RAM, or the EPROM. It's reading from the PROM.
changing. So they did need to protect against the standard NV RAM fade, because we've talked about how some nonvolatile RAM you can only write to 10,000 times. Some is 100,000. Well, in this case, from an engineering standpoint they knew that the nonvolatile portion of this would be aging as it's counting sessions. So exactly as you said, Leo, I mean, imagine that the typical use might be you plug it into your laptop, turn your laptop on, a little green light comes up. And then during your use of the laptop over the course of several hours, any time you needed to authenticate to an OpenID site you would just reach down and put your finger on the little touch surface, and it would emit a YubiKey token.
Steve: It is really neat.
Leo: You know, I use - and actually it's interesting, our new office manager, Frederique, said is it okay if I plug in my RoboForm. She has, and I use this, too, RoboForm AI has a USB version. So you plug it in, and your passwords are on there and authenticated. And it's a very nice system. But so it's the same idea. I think people are already used to this. But this is so much slicker and so much more secure.
Steve: Well, yeah. I mean, it is absolutely secure. You cannot get the YubiKey to tell you its secret 128-bit AES key. All you can get it to do is to spit out unique tokens which only have meaning if the authentication end already has the key. And what I was so pleased about as Yubico's concept of what they were going to do with this evolved is, I mean, and they even changed the language on the website in the last couple weeks because there was language about, well, you know, the keys you're buying from them now are evaluation only, and they'll expire. All of that's gone. That was, you know, they weren't sure what business model they wanted to have. And they've settled on, okay, we're going to sell these keys.
Leo: They picked the right model, I think; don't you?
Steve: Oh, I mean, it's why I'm so excited about this. Leo, I can't - there's no way that VeriSign will tell me the algorithm that they use in their footballs or their cards. Therefore I cannot...
substantial cost associated with using that kind of big corporate authentication solution.
And it's, I mean, VeriSign's model is we're going to be - we have a big network. We're not going to go down. You can trust us to be up all the time. And it's like, well, okay. But it does limit the applications. Here Yubico tells you everything you need to know. I mean, it's why I love it. I mean, I love crypto, and I love authentication. Now I've got these keys that I can use for any purpose I want. I mean, Sue, Greg, and I are going to use this to access...
Leo: So you're going to do it. You're going to implement it.
Steve: Well, it is immediately an OpenID.
Leo: You know what I thought it would be really good for? Now, we're not probably going to do this. But if you wanted to do a paid, say, paid podcast, a paid show, somebody could subscribe, and you'd mail them, they're cheap enough, you could mail them a YubiKey.
Leo: And they couldn't watch it without the YubiKey. And it's kind of - I don't want to say, I'm not recommending it for DRM. But it could be the ultimate DRM.
Steve: Well, as a matter of fact one of the applications that Stina mentioned is the idea of for online gaming or even for downloadable games. It ends up being a very painless hardware key where you would allow people then to download updates and download the software which won't work until they authenticate with their YubiKey.
Leo: So now it's gone clean out of my head. I thought of some negatives about this. I mean, I guess one negative would be if you lose it there's no way they can give you a replacement; right?
Steve: That is correct. Now, I did want to mention my concern over the idea of this 32,000 sessions, or days, or however you would use it. The comment's been made that if this thing is on your key ring, and you're putting it in, pulling it out, putting it in, pulling it out, it probably mechanically degrades.
Steve: Exactly. And so at some point it's looking kind of ragged. And so you would tell your IT department, hey, you know, my YubiKey's chipping off, and my dog chewed on it, and can I have a replacement, please.
Steve: Well, oh, that's no problem at all. Or if you lost it. You'd report it lost the way you would a credit card, and they'd just cancel it. They'd just hand you another one for, I mean, I didn't go through her whole price list. But at a million quantity, I mean, I guess a large corporation that wanted to standardize on this, they're $5 each.
Leo: Okay. Which is what the football costs from PayPal. And they're subsidizing it.
Steve: Well, yes. Now, I do want to say that one downside, it's worth mentioning, is that the football and the credit card, that is, the two visual numeric ID solutions, because they don't use any kind of electrical interface, they could be used for authentication over the phone or at a...
Leo: Right. You have to manually enter the number or speak it, but you can do that. You couldn't do that with the YubiKey.
Steve: Or like in some sort of a, like a Windows kiosk or something where you don't have access to the physical machine. So one limitation is it is, being a USB thing, it's for an end-user who has a computer and has access to that computer's USB ports. Someone in the, I think they have an FAQ on their site where they said, well, wait, my USB ports are all on the back of my desktop. I can't get to them. And the answer...