YubiKey

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by ArnoldReinhold (talk | contribs) at 20:48, 8 November 2017 (→‎Security-concerns YubiKey 4 (closed-source code): link ROCA). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

[Figure: YubiKey 4 and YubiKey 4 Nano USB devices.]

The YubiKey is a hardware authentication device manufactured by Yubico that supports one-time passwords, public-key encryption and authentication, and the Universal 2nd Factor (U2F) protocol[1] developed by the FIDO Alliance. It allows users to log into their accounts securely by emitting one-time passwords or by using a FIDO-based public/private key pair generated on the device. The YubiKey can also store static passwords for use at sites that do not support one-time passwords.[2] Facebook uses YubiKey for employee credentials,[3] and Google supports it for both employees and users.[4][5] Some password managers support YubiKey.[6][7]

The YubiKey implements the HMAC-based One-time Password Algorithm (HOTP) and the Time-based One-time Password Algorithm (TOTP), and identifies itself to the host as a keyboard that types the one-time password over the USB HID protocol. The YubiKey NEO and YubiKey 4 additionally support the OpenPGP card protocol using 2048-bit RSA and elliptic curve cryptography (ECC) with the P-256 and P-384 curves, Near Field Communication (NFC), and FIDO U2F. The YubiKey lets users sign, encrypt and decrypt messages without ever exposing the private keys to the outside world. The 4th-generation YubiKey launched on November 16, 2015. It supports OpenPGP with 4096-bit RSA keys and offers PKCS#11 support for PIV smart cards, a feature that allows code signing of Docker images.[8][9]

Founded in 2007 by CEO Stina Ehrensvärd, Yubico is a private company with offices in Palo Alto, Seattle, and Stockholm.[10] Yubico CTO, Jakob Ehrensvärd, is the lead author of the original strong authentication specification that became known as Universal 2nd Factor (U2F).[11]

History

At CES 2017, YubiKey announced the YubiKey 4C, a new USB-C design. The YubiKey 4C was released on February 13, 2017.[12] When connected to an Android device over USB-C, only the one-time password feature is supported by Android and the YubiKey; other features, including Universal 2nd Factor (U2F), are not currently supported.[13]

ModHex

The YubiKey emits passwords in a modified hexadecimal alphabet designed to be as independent of the host's keyboard layout settings as possible. This alphabet, referred to as ModHex or Modified Hexadecimal, consists of the characters cbdefghijklnrtuv, which correspond position by position to the hexadecimal digits 0123456789abcdef.[14]
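The following encoder/decoder for the ModHex alphabet is an added example, not code from the Wikipedia article or from Yubico; the sample byte string it encodes is constructed here for illustration.

```python
# ModHex <-> bytes conversion (added example, not from the article or Yubico).
# ModHex maps each hex nibble 0..f to the letters cbdefghijklnrtuv, chosen so
# that the typed OTP survives most host keyboard-layout settings.
MODHEX = "cbdefghijklnrtuv"
HEX = "0123456789abcdef"
_TO_HEX = dict(zip(MODHEX, HEX))     # 'c' -> '0', 'b' -> '1', ... 'v' -> 'f'
_TO_MODHEX = dict(zip(HEX, MODHEX))  # '0' -> 'c', '1' -> 'b', ... 'f' -> 'v'


def is_modhex(text: str) -> bool:
    """True if text is non-empty, even-length, and uses only ModHex letters."""
    text = text.lower()
    return bool(text) and len(text) % 2 == 0 and all(ch in _TO_HEX for ch in text)


def modhex_to_hex(text: str) -> str:
    """Translate a ModHex string to ordinary hexadecimal, nibble by nibble."""
    if not is_modhex(text):
        raise ValueError("input is not a well-formed ModHex string")
    return "".join(_TO_HEX[ch] for ch in text.lower())


def modhex_encode(data: bytes) -> str:
    """Encode raw bytes as ModHex (two ModHex letters per byte)."""
    return "".join(_TO_MODHEX[nibble] for nibble in data.hex())


def modhex_decode(text: str) -> bytes:
    """Decode a ModHex string back into bytes; rejects malformed input."""
    return bytes.fromhex(modhex_to_hex(text))


if __name__ == "__main__":
    # Constructed sample bytes: 0x00 0x01 0xab 0xff -> hex "0001abff".
    sample = bytes.fromhex("0001abff")
    encoded = modhex_encode(sample)
    print(encoded)                       # prints "cccblnvv"
    assert modhex_decode(encoded) == sample
    print(is_modhex("cccblnvv"), is_modhex("cccblnvx"))  # True False
```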

Security concerns: YubiKey 4 (closed-source code)

Yubico has replaced all open-source components in the YubiKey 4 with closed-source code, which can therefore no longer be independently reviewed for security flaws.[15] Yubico states that its code is reviewed both internally and externally. The YubiKey NEO still uses open-source code.[16] On May 16, 2016, Yubico CTO Jakob Ehrensvärd responded to the open-source community's concerns in a blog post[17] affirming the company's strong support for open source and explaining the reasons for, and benefits of, the changes made in the YubiKey 4.

In October 2017, security researchers found a vulnerability (known as ROCA) in the RSA key-pair generation of a cryptographic library used by a large number of Infineon security chips. The vulnerability allows an attacker to reconstruct the private key from the public key alone.[18][19] All YubiKey 4, YubiKey 4C, and YubiKey 4 Nano devices with firmware revisions 4.2.6 to 4.3.4 are affected.[20] Yubico published a tool to check whether a YubiKey is affected and replaces affected tokens free of charge.[21]

References

  1. ^ "Specifications Overview". FIDO Alliance. Retrieved 4 December 2015.
  2. ^ "What Is A Yubikey". Yubico. Retrieved 7 November 2014.
  3. ^ McMillan (3 October 2013). "Facebook Pushes Passwords One Step Closer to Death". Wired. Retrieved 7 November 2014.
  4. ^ Diallo, Amadou (30 November 2013). "Google Wants To Make Your Passwords Obsolete". Forbes. Retrieved 15 November 2014.
  5. ^ Blackman, Andrew (15 September 2013). "Say Goodbye to the Password". The Wall Street Journal. Retrieved 15 November 2014.
  6. ^ "YubiKey Authentication". LastPass. Retrieved 15 November 2014.
  7. ^ "KeePass & YubiKey". KeePass. Retrieved 15 November 2014.
  8. ^ "Launching The 4th Generation YubiKey". Yubico. Retrieved 20 November 2015.
  9. ^ "With a Touch, Yubico, Docker Revolutionize Code Signing". Yubico. Retrieved 20 November 2015.
  10. ^ "The Team". Yubico. Retrieved 12 September 2015.
  11. ^ "History of FIDO". FIDO Alliance. Retrieved 16 March 2017.
  12. ^ "NEW YubiKey 4C featuring USB-C revealed at CES 2017 | Yubico". Yubico. 2017-01-05. Retrieved 2017-09-14.
  13. ^ "Can the YubiKey 4C be plugged directly into Android phones or tablets with USB-C ports? | Yubico". Yubico. Retrieved 2017-09-14.
  14. ^ E, Jakob (12 June 2008). "Modhex - why and what is it?". Yubico. Retrieved 6 November 2016.
  15. ^ Ryabitsev, Konstantin. "I must, sadly, withdraw my endorsement of yubikey 4 devices (and perhaps all ..." Google+. Retrieved 12 November 2016.
  16. ^ "dainnilsson commented on 11 May". Github. Retrieved 12 November 2016.
  17. ^ "Secure Hardware vs. Open Source". Yubico.com. Retrieved 16 March 2017.
  18. ^ "ROCA: Vulnerable RSA generation (CVE-2017-15361) [CRoCS wiki]". crocs.fi.muni.cz. Retrieved 2017-10-19.
  19. ^ "NVD - CVE-2017-15361". nvd.nist.gov. Retrieved 2017-10-19.
  20. ^ "Infineon RSA Key Generation Issue - Customer Portal". www.yubico.com. Retrieved 2017-10-19.
  21. ^ "Infineon RSA Key Generation Issue - Customer Portal". www.yubico.com. Retrieved 2017-10-19.