[guardian-dev] Strong Mobile Passwords with Yubikey USB Token

Sze Wong szewong at gmail.com
Thu Jan 5 19:54:44 EST 2012

Nathan and Stephen,

This is great information. We have been using SQLCipher for many HIPPA required projects on the iOS. To get through the 2 factor authentication requirement, we issue a separate X.509 certificate per iPad. The YubiKey should be a much cleaner approach. We are going to out that in our road map.


Sze Wong
CEO, Zerion Software, Inc.
swong at iformbuilder.com

No Paper. No Connection. No Problem.

This email and its contents are confidential. If you are not the intended recipient, please do not disclose or use the information within this email or its attachments. If you have received this email in error, please delete it immediately. Thank you.

On Jan 5, 2012, at 5:57 PM, Stephen Lombardo <sjlombardo at zetetic.net> wrote:

> Hi Nathan,
> This is great information! 
> We've been doing some investigation into Yubikey's too. We started off writing a simple Mac OS Menubar application that generates OATH TOTP token when you press a global keyboard Hot key. This uses the Yuibkey API and basically lets you sign into GMail 2-factor auth with a few keypresses (similar to the windows too avaliable at the Yubikey website). The experience was quite good, the Open Source code in the yubikey personalization project and libyubikey makes it very easy to issue an HMAC-SHA1 challenge/response to the key while it is plugged in.
> This presents some interesting potential for SQLCipher. We've had some discussion on the list recently about implementing callbacks in SQLCipher to allow an application to override behavior, for example, Key derivation / management. 
> In particular, one neat idea we're considering as a proof of concept would be to have a key derivation callback that sends an HMAC-SHA1 challenge to the Yubikey and then mixes the result into the derived key used for encryption. Since the HMAC secret is stored security on the Yuibkey device, the result would be a SQLCipher database that could only be opened if you know the passphrase when the yubikey is actually plugged into the computer.
> Callback support in SQLCipher will probably come down the road a bit, so this isn't a short term thing, but let me know what you think of this idea and how it might work for the implementations you're considering.
> Thanks!
> Cheers,
> Stephen
> On Tue, Jan 3, 2012 at 7:55 PM, Nathan of Guardian <nathan at guardianproject.info> wrote:
> We have been experimenting with the Yubikey, a USB hardware password
> token, a bit over the last few weeks and would like to share our initial
> findings. We have not received any financial support or donation from
> Yubico for this work. We simply think they have a very affordable,
> interesting product that, due to its design, does *not* require any
> on-device driver software and can easily work with any Android device
> that supports USB Host/HID mode.
> Our motivation for investigating this device was in finding a way to
> encourage the use of strong (aka long, mixed-case, etc) passwords on
> mobile devices, for use with SQLCipher, screenlock passwords, and on
> boot disk encryption. The issue is that most users rely on short PINs or
> a visual unlock pattern, which does not provide enough randomness to
> ensure security of their data. In addition, due to the use of a
> touchscreen, fingerprint oil smudges on the screen often reveal the
> numbers entered or the pattern drawn to unlock the device (See the
> “Smudge Attacks on Smartphone Touch Screens” paper.)
> More here:
> https://guardianproject.info/2012/01/04/strong-mobile-passwords-with-yubikey-usb-token/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mayfirst.org/pipermail/guardian-dev/attachments/20120105/6d57eb59/attachment.htm>

More information about the Guardian-dev mailing list