[guardian-dev] Strong Mobile Passwords with Yubikey USB Token

Stephen Lombardo sjlombardo at zetetic.net
Thu Jan 5 17:57:46 EST 2012


Hi Nathan,

This is great information!

We've been doing some investigation into Yubikey's too. We started off
writing a simple Mac OS Menubar application that generates OATH TOTP token
when you press a global keyboard Hot key. This uses the Yuibkey API and
basically lets you sign into GMail 2-factor auth with a few keypresses
(similar to the windows too avaliable at the Yubikey website). The
experience was quite good, the Open Source code in the yubikey
personalization project and libyubikey makes it very easy to issue an
HMAC-SHA1 challenge/response to the key while it is plugged in.

This presents some interesting potential for SQLCipher. We've had some
discussion on the list recently about implementing callbacks in SQLCipher
to allow an application to override behavior, for example, Key derivation /
management.

In particular, one neat idea we're considering as a proof of concept would
be to have a key derivation callback that sends an HMAC-SHA1 challenge to
the Yubikey and then mixes the result into the derived key used for
encryption. Since the HMAC secret is stored security on the Yuibkey device,
the result would be a SQLCipher database that could only be opened if you
know the passphrase when the yubikey is actually plugged into the computer.

Callback support in SQLCipher will probably come down the road a bit, so
this isn't a short term thing, but let me know what you think of this idea
and how it might work for the implementations you're considering.

Thanks!

Cheers,
Stephen

On Tue, Jan 3, 2012 at 7:55 PM, Nathan of Guardian <
nathan at guardianproject.info> wrote:

>
> We have been experimenting with the Yubikey, a USB hardware password
> token, a bit over the last few weeks and would like to share our initial
> findings. We have not received any financial support or donation from
> Yubico for this work. We simply think they have a very affordable,
> interesting product that, due to its design, does *not* require any
> on-device driver software and can easily work with any Android device
> that supports USB Host/HID mode.
>
> Our motivation for investigating this device was in finding a way to
> encourage the use of strong (aka long, mixed-case, etc) passwords on
> mobile devices, for use with SQLCipher, screenlock passwords, and on
> boot disk encryption. The issue is that most users rely on short PINs or
> a visual unlock pattern, which does not provide enough randomness to
> ensure security of their data. In addition, due to the use of a
> touchscreen, fingerprint oil smudges on the screen often reveal the
> numbers entered or the pattern drawn to unlock the device (See the
> “Smudge Attacks on Smartphone Touch Screens” paper.)
>
> More here:
>
> https://guardianproject.info/2012/01/04/strong-mobile-passwords-with-yubikey-usb-token/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mayfirst.org/pipermail/guardian-dev/attachments/20120105/bea5b408/attachment.htm>


More information about the Guardian-dev mailing list