Thursday, November 26, 2009

Low cost computer security device to replace passwords

Greetings from the famous room N101 at the School of Computer Science at ANU. Bob Edwards is presenting on "Yubikey Authentication in a Mid-sized Organisation". This is a preview of paper for Linux Conference of Australia 2010 (LCA2010) in January.

The Yubikey is a low cost ($10) security token designed to replace passwords for computer access. It is a small USB unit designed to be attached to a key ring and inserted into a computer when access is needed. The device generates a 44 character pseudo random number when a button on the unit is pressed. It emulates a keyboard to send the number to an application. The device uses AES-128 bit encryption.

One use which has been poposed is Yubikey identifying airline pilots on the U.S. Department of Homeland Security Transportation Security Administration blog.

Yubikey provide an online authentication server, which can be used. However, as Bob points out, this requires you to trust the security and reliability of Yubikey's system. Yubico allow for the device to be reprogrammed with a new 128 bit key so that an organisation can run its own authentication server.

One limitation of the device is that it has no internal battery and so cannot keep track of time. As a result the tokens generated never expire. Also as with any token, it must be kept physically secure. If left in a computer (as happens with sensitive devices), it will provide access for the next person who happens along (although an additional user entered id and password could be used).

Other limitations of the device are that it requires a USB port. Allowing USB devices to emulate a keyboard creates a security problem, but if disabled would stop the Yubikey working. Also, because it emulates a keyboard, any application on the host computer can read random numbers generated by the Yubikey.

One option which might be interesting for Yubico to make a credit card sized Yubikey. This would have sufficient space to overprint as identity card and have a conventional magnetic stripe. This could then be used with existing standard identity card printers and magnetic stripe security systems for student and staff ID cards. There are a number of designs available which have a USB interface on the edge of the card, or in a flexible cutout or with a folding card. These may seem cumbersome and subject to failure, but I have had a SanDisk Ultra SD Card for some years, which folds in the middle to covert to a USB drive.

Yubico might like to market the devices for green ICT power saving. The host computers could be programmed to switch to low power mode unit the device is inserted. It could also be used with thin client devices where the user's application run on a server. When the device was inserted in a different client, the applications would be restored as they were when suspended.
The Swedish company Yubico manufacture the Yubikey One-Time-Password (OTP) USB device and have released all protocol and other relevant details which makes the Yubikey particularly attractive as a low-cost and non-vendor-lock-in authentication solution.

Bob will demonstrate the Yubikey for the purposes of secure authentication on untrusted end-user systems (eg. PCs at an Internet Cafe or a friends house etc.) and will discuss some of the advantages as well as some of the weaknesses of the Yubikey system. He will then go on to describe the development of an authentication server written in C and based on a PostgreSQL database and implementing LDAP and other authentication protocols. This will include some technical details of how to use the APIs for connection to the database, parsing the ASN1 LDAP queries, dealing with denial-of-service attacks etc. He will also discuss some of the code he has written to implement the Yubikey protocol on devices with no USB port (eg. a PDA or mobile phone etc.).

This talk is a prelude to a paper Bob will present at the Linux Conference of Australia in 2010 (LCA2010) in Wellington, NZ in January.

Bob Edwards is the Chief IT Officer in the School of Computer Science at the ANU. He also teaches into the Computer Networks course and the Free and Open Source Software Development (FOSSD) course, amongst others.

From: Yubikey Authentication in a Mid-sized Organisation, ANU 2009

No comments: