Description

  • USB device that looks like a cut-down SD memory card with one push button.
  • One-time password generator - useful for authentication only.
  • Emulates a USB keyboard - no drivers required.
  • No battery.
  • Open source and open development community!
  • Works with OpenID and other web-service based auth methods.
  • Key is write-only.

Authentication mechanism

  • 128-bit AES-ECB
  • Character set used is 16 symbols (keyboard scan codes). These symbols were selected based on being common to all international keyboards. (Note: 4 bits per symbol.)
  • Authentication string is 44 (4-bit) characters
    • 12-character (48 bits) device id
    • 32-character (128 bits) authentication token (AES encrypted)
  • Encoded authentication token string: 16 bytes (128 bits, 32 symbols) (1 AES block)
    • 6 bytes (48 bits) device id
    • 2 bytes (15 bits) session counter - stored in NV memory, incremented each time the unit is powered up. Note: Unit is only good for 32k sessions since passwords would repeat after that.
    • 3 bytes (24 bits) time stamp - based on an 8 Hz counter started when the unit is powered up. Note: Maximum is 24 days.
    • 1 byte (8 bits) session counter - incremented each time a password is generated during a session.
    • 2 bytes (16 bits) random data - padding due to ECB mode
    • 2 bytes (16 bits) CRC
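
The layout above, as an added example (not code from the device's project): a verifier-side parser for the 44-symbol string and the already-decrypted 16-byte block, plus a replay check built on the two counters. Assumptions: hex digits stand in for the 16 symbols (the page does not list them), fields are in the order listed and little-endian, the high nibble comes first, and AES decryption and the CRC check (algorithm not given on the page) are left out.

```python
import struct
from typing import NamedTuple

ALPHABET = "0123456789abcdef"  # assumption: stand-in for the 16 keyboard symbols

class Token(NamedTuple):
    device_id: bytes  # 6 bytes
    session: int      # 15-bit power-up counter (NV memory)
    timestamp: int    # 24-bit count of 8 Hz ticks since power-up
    use: int          # 8-bit counter within the session
    random: int       # 16 bits of padding
    crc: int          # 16-bit CRC, extracted but not verified here

def split_string(s, alphabet=ALPHABET):
    """Split the 44 symbols into (12-symbol device id, 16-byte AES block)."""
    if len(s) != 44:
        raise ValueError("expected 44 symbols")
    try:
        nib = [alphabet.index(c) for c in s]
    except ValueError:
        raise ValueError("symbol outside the 16-symbol alphabet") from None
    # Two 4-bit symbols per byte, high nibble first (assumption).
    block = bytes(hi << 4 | lo for hi, lo in zip(nib[12::2], nib[13::2]))
    return s[:12], block

def parse_block(plain):
    """Unpack the decrypted block: 6 + 2 + 3 + 1 + 2 + 2 = 16 bytes."""
    if len(plain) != 16:
        raise ValueError("expected one 16-byte AES block")
    dev, session, ts, use, rnd, crc = struct.unpack("<6sH3sBHH", plain)
    if session > 0x7FFF:
        raise ValueError("session counter exceeds 15 bits")
    return Token(dev, session, int.from_bytes(ts, "little"), use, rnd, crc)

def uptime_seconds(tok):
    """Seconds since power-up; the 24-bit field wraps after about 24 days."""
    return tok.timestamp / 8

def is_replay(last, tok):
    """True unless (session, use) moved strictly forward since the last token."""
    return (tok.session, tok.use) <= (last.session, last.use)

# Constructed sample block: session 5, 16 ticks (2 s), second password of the session.
SAMPLE_PLAIN = bytes.fromhex("010203040506" "0500" "100000" "02" "adde" "3412")

if __name__ == "__main__":
    print(parse_block(SAMPLE_PLAIN), uptime_seconds(parse_block(SAMPLE_PLAIN)))
```

Because ECB encrypts the block deterministically, the counters and random padding are all that make successive passwords differ, so the verifier has to store the last accepted (session, use) pair per device.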

Comments

  • No authentication to access device.
  • Should use ECC or other asymmetric cipher.

Things to verify

  • User can write key? Set key once or multiple times?
  • push-button (plus) and non-push-button version? How to operate without button?
  • Soft token possible?