Yubikey and my desire to beat the Feds to HSPD12 Compliance

During my Air Force days I was involved with the roll-out of the “CAC” for Air Mobility Command at MacDill. No one could understand why the military would put so much time and money into giving all personnel new ID Cards and equipping machines with readers that did nothing at that point. The main feature back then was that when you removed your CAC your machine would automatically lock. Well, that or you would just leave your CAC at work and need to call a coworker to come retrieve you from the gate. What I failed to understand back then was that Multi-factor Authentication (MFA) was something fundamentally needed for our nations and armed forces security. This should have been apparent and clear to me as I scattered around some of the bases most secure locations to find mission essential passwords affixed to stickies on the monitor.

DoD was playing major league ball and way ahead of the curve (single sports reference this post) while the rest of the federal govt. sat on the sidelines. Homeland Security Presidential Directive 12 tried to fix this situation by mandating CAC or MFA usage for all federal agencies in 2004. Note that the year is 2010 and I will not call out anyone, but this is still not fully implemented.

Where does that leave us consumers? Complex passwords are no longer a guarantee with the services we use storing them in weak methods. Much like the sticky note hanging above the keyboard, the security you use is only as good as the storage. Why not take the password out of the loop? This was where I was at a few weeks ago as I began researching solutions. My requirements were:

1. Open Solution
2. Compatible with Mac/Linux/Windows/*BSD
3. Does not require special hardware IE SmartCard reader, RFID, etc.
4. Not tied to a single vendor

I landed with the RFID enabled Yubikey which cost me a total of 35.00 USD. I sprung for the RFID enabled version so I could begin integrating it with NFC components, but for now only using it as the basic version. So what is a Yubikey? Basically it is a keyboard on a stick that is programmed to generate a OTP. Here is the output of what happens when I click the button:

cccccccfgihevjtgrefvftjufjgurunnvvcjjcfdfifk

_

_

PCMag gave a great description:

The $25 YubiKey is a tough little chunk of plastic with USB connectors on one end and a touch-sensitive (no moving parts) button on top. Each time you touch the button it sends a static password and a dynamically-generated one-time password to any application that’s listening for its input. If a spy program captures the password, so what – that particular one-time password won’t be valid ever again. Others seem to think this is a good idea; Yubico is a finalist for “Most Innovative Company” at the RSA conference

After a quick shipment the device was in my hands and I quickly started integrating it into my home architecture. Due to the hacker friendly nature of their API, it has many plugins and applications enabled to work out of the box. The ones I installed right away:

• LastPass
• WordPress Admin Protection
• OpenID Support
• Linux PAM Module – SSH Access
• OpenBSD Server Access

With OpenID you can login into Facebook, Google Apps, and others which is a huge benefit for online websites. The onus is then put on the OpenID provider to perform the multifactor authentication rather than Gawker and the likes. So you are ready to run out and buy one right? Sounds like the most secure thing for the home user, right? Well I have my doubts.

Earlier in this post I outlined how I was placing the onus on the OpenID provider and OTP scheme from Yubi. In essence I have now put my trust in a company and their security perimeter. How do I know that their architecture is well protected? What security testing has been done to ensure their device complies with the security I hold so dear? Their AES algorithm is not found on the list of FIPS validated modules. The Yubikey itself is not certified for any FIPS/DISA/DoD/NSA testing and therefore in my world it is non-usable outside the home. I would recommend this wholeheartedly to small business and personal security users, but it will never find its way into the govt. without these groups certifying they have their stuff together.

It comes down to hearing people argue with me at work about not wanting to move to the cloud since it isn’t as available or that their data is outside their control. This is the same group that is running single points of failure in their core and have never tested their backups, so it makes you feel comfortable to throw darts. At the end of the day this token+good password selection is enough to keep you out of trouble. It isn’t the most secure option, but it is easy to use and hacker (not cracker) friendly.

Pros:

• Small and rugged device, no moving parts

• Easy to Use

• If your OS supports USB keyboards, it works

• Cheap

• Geek Friendly

• Integrates into Active Directory, PAM, and other OS level authentication mechanisms

Cons:

– Left with this uneasy feeling that I am screwed if its lost; installing my own little back-doors places

– USB keyboard means nothing when you are on your phone. Only works with full-PC devices, not phones or tablets

– Lack of formal security certification**

**