[guardian-dev] Strong Mobile Passwords with Yubikey USB Token

Stephen Lombardo sjlombardo at zetetic.net
Sat Jan 14 21:03:33 EST 2012

Hi Nathan, Sze,

The Yubikey also seems to work well in static password mode on an iPad when
coupled with the Apple iPad Camera Connection kit USB adapter.


When you plug a Yubikey in it says the "connected usb device is not
supported", but after dismissing the warning the Yubikey works without

Nick Parker also found a couple of other adapters that might be able to be
chained together, though we havent tested them.



Unfortunately, the connector does not appear to work on the iPhone, so it
might be an iPad only option.

I'm not sure if the USB interface for HMAC challenge would work on the
iPad, but we might give that a try at some point too.


2012/1/5 Sze Wong <szewong at gmail.com>

> Nathan and Stephen,
> This is great information. We have been using SQLCipher for many HIPPA
> required projects on the iOS. To get through the 2 factor authentication
> requirement, we issue a separate X.509 certificate per iPad. The YubiKey
> should be a much cleaner approach. We are going to out that in our road map.
> Thanks
> Sze Wong
> CEO, Zerion Software, Inc.
> 571-216-2553
> swong at iformbuilder.com
> @szewong
> www.iFormBuilder.com
> No Paper. No Connection. No Problem.
> This email and its contents are confidential. If you are not the intended
> recipient, please do not disclose or use the information within this email
> or its attachments. If you have received this email in error, please delete
> it immediately. Thank you.
> On Jan 5, 2012, at 5:57 PM, Stephen Lombardo <sjlombardo at zetetic.net>
> wrote:
> Hi Nathan,
> This is great information!
> We've been doing some investigation into Yubikey's too. We started off
> writing a simple Mac OS Menubar application that generates OATH TOTP token
> when you press a global keyboard Hot key. This uses the Yuibkey API and
> basically lets you sign into GMail 2-factor auth with a few keypresses
> (similar to the windows too avaliable at the Yubikey website). The
> experience was quite good, the Open Source code in the yubikey
> personalization project and libyubikey makes it very easy to issue an
> HMAC-SHA1 challenge/response to the key while it is plugged in.
> This presents some interesting potential for SQLCipher. We've had some
> discussion on the list recently about implementing callbacks in SQLCipher
> to allow an application to override behavior, for example, Key derivation /
> management.
> In particular, one neat idea we're considering as a proof of concept would
> be to have a key derivation callback that sends an HMAC-SHA1 challenge to
> the Yubikey and then mixes the result into the derived key used for
> encryption. Since the HMAC secret is stored security on the Yuibkey device,
> the result would be a SQLCipher database that could only be opened if you
> know the passphrase when the yubikey is actually plugged into the computer.
> Callback support in SQLCipher will probably come down the road a bit, so
> this isn't a short term thing, but let me know what you think of this idea
> and how it might work for the implementations you're considering.
> Thanks!
> Cheers,
> Stephen
> On Tue, Jan 3, 2012 at 7:55 PM, Nathan of Guardian <
> nathan at guardianproject.info> wrote:
>> We have been experimenting with the Yubikey, a USB hardware password
>> token, a bit over the last few weeks and would like to share our initial
>> findings. We have not received any financial support or donation from
>> Yubico for this work. We simply think they have a very affordable,
>> interesting product that, due to its design, does *not* require any
>> on-device driver software and can easily work with any Android device
>> that supports USB Host/HID mode.
>> Our motivation for investigating this device was in finding a way to
>> encourage the use of strong (aka long, mixed-case, etc) passwords on
>> mobile devices, for use with SQLCipher, screenlock passwords, and on
>> boot disk encryption. The issue is that most users rely on short PINs or
>> a visual unlock pattern, which does not provide enough randomness to
>> ensure security of their data. In addition, due to the use of a
>> touchscreen, fingerprint oil smudges on the screen often reveal the
>> numbers entered or the pattern drawn to unlock the device (See the
>> “Smudge Attacks on Smartphone Touch Screens” paper.)
>> More here:
>> https://guardianproject.info/2012/01/04/strong-mobile-passwords-with-yubikey-usb-token/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mayfirst.org/pipermail/guardian-dev/attachments/20120114/56040b50/attachment.htm>

More information about the Guardian-dev mailing list