Steve: Well, because it's becoming so ubiquitous, to use a term. Anyway, the other thing that I think is interesting is that, I mean, on the positive side, I know that our listeners are thinking about this, and there are ways that this can solve problems beyond just sort of generic OpenID-style authentication. For example, imagine a corporation where they wanted tight control over their corporate portal so that, for example, they don't want spambots coming in, posting things. They even want control over what sections of the site you're able to go to. So it'd be very easy for them to YubiKey-enable their own corporate portal so that, if you want to make the query from a database, it says fine, please authenticate. And all you do is you just touch this little spot that is glowing green on the YubiKey. It spits the string out, and then you've authenticated yourself.

Security Now! Transcript of Episode #143 Page 26 of 30

So you can imagine all kinds of applications where, again, because once this thing is installed, it's so simple to, like, reauthenticate, that it really provides, I mean, imagine the pain of being asked to continually read six digits from the football or the credit card. I mean, yes, you could, but it's much easier to just touch the surface, and it authenticates for you. And your entire involvement is just touching the YubiKey.

Leo: And as you point out, by virtue of the number of digits it can spit out, it has much more secure setup. I mean, it's a better way to do it.

Steve: Well, I mean, yes. We would argue that six digits that are changing all the time is secure enough. But it is the case that this is vastly more secure because you're communicating 128 bits which are encrypted with 128-bit Rijndael key. Only the matching key will decrypt it and then give you the data. And as I said, you can really ignore the data. The fact that you decrypted it means you decrypted it for the proper key. So that proper key had to be at the other end of the connection. So it's dramatically more secure than six digits could be.

Leo: Couple of points from our chat. [Loveman ph] says if you have to phone home, doesn't that mean that it wouldn't work with static passwords on a website? What we're saying really is that it's an OpenID device or something like OpenID, where it would establish your identity, and then OpenID - so the website - so say you use it for TWiT.tv, which we support OpenID. We don't have logins at this point, but if we decide to do logins we support OpenID. All you would have to do is use an OpenID provider that supported the YubiKey. Then when you go to TWiT.tv and it says, okay, log in or provide your OpenID identity, you just plug in the - I think, now correct me if I'm wrong, Steve, but you would plug in the YubiKey. You would click on the place where it said provide open - no, it wouldn't work for that, would it.

You'd have to enter your OpenID identity, so go to your OpenID provider, then...

Steve: Then you authenticate...

[Talking simultaneously]

–  –  –

Leo: So then you'd put in your key or press the button, and that would spit out the code that your - you wouldn't even need, say, a log-in and a password, or might you?

Steve: Well, yes.

Leo: You're in effect logging in because you have a unique number in that.

Steve: Well, you have the flexibility - that's, again, that's what I love about this is that this is a - it's like a low-level perfect crypto toy that you can do anything with you want.

Now, the reason you probably want a passphrase is that you want to protect against, remember, we're talking multifactor...

Leo: Somebody stealing your key, of course.

Steve: Yes, multifactor authentication, meaning more than one factor. So you would have something you know would be your passphrase. Something you have is the YubiKey.

–  –  –

Leo: Yeah. That makes sense. So this is a very cool

Steve: I'm busy enough, Leo.

Leo: No, no, I can do it. I'm not asking you for it. But we will - eventually the set up will be, and it's just we're, you know, in fact after the show today I'm going to open up our TriCaster, which will give us this capability of switching to a camera. So Steve, all you would have to do is send video with your Skype, which you can easily do. And then we'd be able to switch to your video as you're talking.

Steve: Eh, we'll see how that goes.

–  –  –

Steve: I don't think so.

Leo: You don't want anybody to see you? You're not wearing any pants, are you.

Steve doesn't want to have to put on makeup.

Steve: There's nothing to see. It's me leaning forward, talking into this beautiful Heil microphone.

–  –  –

we have a very nice homepage in mind. But that's an interesting idea, where we would have something that you're on, on your side - you've done PowerPoints for the TV show - where we could actually throw those things up so that people would have some additional information to...

Steve: The problem is that was a TV show, and everyone who was watching it was watching it. This is an audio podcast. And I would always be focused on conveying this information through audio. And I think that's, for me, that's the model of this podcast.

Leo: No, you're right. In fact, I don't want ever the video to supersede or in any way impinge on the audio. Because most, 99 percent of the audience listens to the audio, not watches the video. So you're absolutely...


Leo: Well, it's not that bad. It's not that bad, Steve. There are a thousand people watching the video.

–  –  –

Steve: How do they even know about it? No one who is listening to Security Now! has even heard about any of this stuff happening.

Leo: Well, they have now. But literally there are a thousand people watching. So...

Steve: Next week watch out.

Leo: So it's not .999, but it might be 99.9. I don't know what it is. But so we will have things like show notes and stuff in real-time on the page. So we'll at least be able to give you links and stuff if you're watching and you want to have more information right there. I think that's a good idea. But you're right, Steve, and I really want to emphasize this to everybody who listens. You're the audience, so we're not going to do anything to impinge on you. And you're right, if we started doing a whiteboard that would change the dynamic of it. So I agree with you, Steve.

Steve, anything else to say about Yubico? It's Yubico.com. But it's really not selling to end-users. It's selling to people who would implement it as part of their system;


–  –  –

Steve: They are, yes, they are right now an OpenID authenticator.

Leo: Oh, so at the very least you could use it as an OpenID tool right now using Yubico as your OpenID provider.

Steve: Exactly. And they've also published that they're doing backend authentication.

They've got the secret AES key for every YubiKey they sell. And they have servers up and running, and a fully published public open source web interface that allows anyone who wants to, for example, well, to finish that thought, anyone who wants to use their backend authentication right now.

–  –  –

Steve: So, for example, you could use it for access to your own wiki stuff and that kind of thing.

Leo: Perfect. Oh, you're right. So we could use it internally, yeah. All right, Steve.

Very interesting stuff. I'm glad Stina could join us. Stina, we never did attempt her last name, but I think it's Ehrensvärd.

–  –  –

Leo: And we should probably have said that, and said to her, is that how you say it?

But anyway, of course, as usual, as with everybody I've met from Sweden, she speaks better English than we do.

Steve: Well, I'm really glad we've covered this. We're done with the YubiKey at least for now, unless any other new developments happen. But I think it's - authentication is crucial for the future. And I love the policies that these guys have adopted for making this really cool one-time password hardware authentication token available. It's so useful.

Leo: Next week we're going to answer your questions and suggestions and share them with the world. So you've got to go to Security Now!'s website, which is GRC.com/securitynow, and you can submit suggestions and questions there. You can also find there 16KB versions for the bandwidth impaired, and full transcriptions thanks to Elaine - tip of the hat to Elaine.

Elaine available for other podcasts, other stuff? And we said yes. [Note from Elaine:

Steve: Yeah, she loves it. She's just tremendous.

Steve: I think we're at 73 million now.

–  –  –

Leo: Holy comoly. That's amazing. Well, we'll add another thousand right now, just like that. And of course that's where SpinRite is, everybody's favorite, my favorite, hard drive maintenance and recovery utility. If you've got a hard drive, you need SpinRite. GRC.com. Thanks, Steve. We'll see you again next week.

Steve: Talk to you next week, Leo.

