Introduction to YubiKeys (in openSUSE)
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Subtitle |
| |
| Title of Series | ||
| Number of Parts | 40 | |
| Author | ||
| Contributors | ||
| License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/54409 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
|
openSUSE Conference 201928 / 40
7
11
12
13
15
16
17
18
19
20
23
25
26
27
34
38
40
00:00
Source codeToken ringLink (knot theory)Computer hardwareCASE <Informatik>Instance (computer science)Demo (music)Point (geometry)PasswordService (economics)WebsiteInternetworkingProduct (business)Standard deviationDifferent (Kate Ryan album)Mixture modelLevel (video gaming)Expert systemDirectory serviceKeyboard shortcutNumbering schemeData managementCommunications protocolMultiplication signComputer configurationNational Institute of Standards and TechnologyRandomizationSolid geometrySocial classString (computer science)Category of beingAuthenticationNeuroinformatikPairwise comparisonToken ringInformation securitySmartphonePhysical systemOrder (biology)Identity managementProcess (computing)BitCartesian coordinate systemCryptographyBounded variationTerm (mathematics)Asynchronous Transfer ModeTouch typingWeb 2.0Key (cryptography)Software developerWeb pageInternet service providerCondition numberPower (physics)MereologyMusical ensembleElement (mathematics)Division (mathematics)Connected spaceFactory (trading post)Message passingLecture/Conference
09:20
IRIS-THill differential equation1 (number)Interface (computing)Instance (computer science)Web 2.0PasswordCASE <Informatik>Key (cryptography)Connectivity (graph theory)Android (robot)Cartesian coordinate systemOpen setPhysical systemDirection (geometry)MereologyInteractive televisionSmartphonePlastikkarteInheritance (object-oriented programming)Computer configuration2 (number)Service (economics)Connected spaceAttribute grammarFormal languageInternet service providerToken ringOrder (biology)Multiplication signSoftwareAsynchronous Transfer ModeBefehlsprozessorDifferent (Kate Ryan album)Integrated development environmentPublic key certificateCoprocessorModule (mathematics)Data managementResultantTheory of relativityBitVisualization (computer graphics)Scaling (geometry)Formal verificationAuthenticationServer (computing)InformationCodeHexagonType theoryDevice driverKeyboard shortcutCase moddingFunctional (mathematics)String (computer science)EmailCuboidDivisorRoutingComputer hardwareIdentity managementDatabase transactionComplex (psychology)Set (mathematics)State of matterMusical ensembleMatching (graph theory)Social classZirkulation <Strömungsmechanik>Line (geometry)Lecture/Conference
18:35
PasswordWordStudent's t-testFood energyMusical ensembleDevice driverFamilyAuthorizationStandard deviationMultiplication signAdditionProduct (business)Physical systemSoftware testingMessage passingBit rateMereologyTime zoneSoftwareService (economics)HTTP cookieWeb browserSpywareComputer fileKey (cryptography)Scaling (geometry)Internet service providerComputer programmingWeb 2.0PasswordWeb pageInternetworkingQR codePublic-key cryptographyConnected spaceLaptopCartesian coordinate systemString (computer science)Configuration space2 (number)Token ringDivisorAsynchronous Transfer ModeServer (computing)Instance (computer science)InformationComputer hardwareComputer configurationEndliche ModelltheorieAuthenticationCodeCodeTouch typingModule (mathematics)Numbering schemeBitTelecommunicationClient (computing)Electronic mailing listInformation securityDefault (computer science)Different (Kate Ryan album)Graphical user interfaceModul <Datentyp>TheoryTerm (mathematics)Parameter (computer programming)Order (biology)DemosceneCASE <Informatik>Direction (geometry)Lecture/Conference
27:49
Uniform resource locatorPoint (geometry)WebsiteAndroid (robot)Computing platformDifferent (Kate Ryan album)Data storage deviceUniqueness quantificationObservational studyDegree (graph theory)Service (economics)Web 2.0Hard disk driveCache (computing)PlastikkartePublic-key cryptographyElectric generatorWeb serviceCryptographyKey (cryptography)Scaling (geometry)Web browserMobile WebHost Identity Protocol1 (number)Multiplication signData managementPasswordDependent and independent variablesBitRandomizationCurveType theoryLevel (video gaming)Order (biology)EncryptionINTEGRALInternet service providerIntegrated development environmentEmailInformationComputer hardwareVariable (mathematics)Computer configurationView (database)CuboidAuthenticationInstance (computer science)AuthorizationSign (mathematics)Asynchronous Transfer ModePerspective (visual)Open setMusical ensembleCodecSoftware developerAreaRight angleAxiom of choiceFluid staticsDynamical systemSpeciesStrategy gameMereologyComputer programmingEvent horizonComputer animationLecture/Conference
37:03
Musical ensembleWebsiteVolume (thermodynamics)Level (video gaming)Social classMobile appGame theoryKey (cryptography)Identity managementUniqueness quantificationPlastikkarteEntropie <Informationstheorie>Validity (statistics)Public-key cryptographyTerm (mathematics)Computer configurationComputer filePasswordInternet service providerPublic key certificateOpen setConfiguration spaceService (economics)QuicksortLatent heatInformationPhysical systemPosition operatorStandard deviationEndliche ModelltheorieMultiplication signInformation securityPersonal identification numberParameter (computer programming)Web 2.0Group actionAsynchronous Transfer ModeComputer animationLecture/Conference
46:18
Videoconferencing
Transcript: English(auto-generated)
00:06
So, hi, my name is Carl Waggel, I'm working for SUSE, and I will talk about UBTs. It will only be a very high-level introduction, and you don't get to hear any deep philosophical topics or something like that.
00:22
In case you don't even know what UBTs are about, this is a picture of some of them. So, there are also the little USB tokens that you can buy, and mostly use via USB, or there are also other options. And you can interact with them by pressing a button, and with certain applications, magic will happen.
00:42
And this talk is about some of the magic they could use. To sum up about me, so basically, like all of us, I'm an open-source interest. I work for SUSE, because I'm a UBT engineer right now on the infrastructure team, so I'm in touch with this UBT, and I'm also using it every day in the day-to-day work.
01:02
I mean, somehow I'm learning how to love cryptographic stuff, and authentication, IT security, those kinds of topics. And I also maintain some of the UBT, or with other people, I maintain the UBT packages in OpenSUSE, and SUSE without SUSE products, and also in Archthings. So, the agenda for today is something like this. I will talk a little bit
01:24
about authentication in general, and I will tell you why we actually need something else, password, because passwords have certain kinds of problems, and hardware tokens can help with that. And then I will go quickly through the modes that UBT made, so there are different
01:41
modes that UBT supports, and we will talk about some of them on a high level. There is a workshop scheduled for tomorrow, where we can go into all of the details and how to actually set this up. But today it's really about, from a user's point of view, how am I supposed to use this, and not about the technical details and the configuration aspect.
02:01
And I also plan for some demo time and Q&A in the end. So, in case you want to read up on this right now, or after the talk, there are a bunch of links for the users themselves. This is probably the most interesting to you. It's the website of UbiKey, or UbiCode, that's the vendor of UbiKeys.
02:23
And they have a lot of resources, and they explain in very detailed what kind of products they have, and how different modes actually work. There is also the site toggle-off.info, where you can find out which service providers right now are supporting what kind of tokens. So you can find out where you can actually use those tokens.
02:42
And there is another page 2 factor, which is doing the similar thing. If you are a developer and you want to find out more on how to develop applications and enable the applications for this kind of stuff, I would recommend those resources for when you start. So, some authentication basics. Basically, everybody, every day, is doing it without even knowing it.
03:05
If you see a person and you know them, then you are basically confirming that yes, this is the person I know. With computers, it's a little bit more difficult, because everybody can sit in front of a computer and claim to be someone else. So, abstractly speaking, it's only the confirmation of an identity, or the process of confirming an identity.
03:26
This is what UbiKeys is saying about it, but it's very easy to understand. And in our context, when we are speaking about user authentication, when we are answering the question, who am I speaking with? So, whenever you speak about authentication, there is also this term authorization, and obviously there is a difference to this.
03:50
So, authentication is the answer to the question, who am I? There are some variations that refer to, that can be used when you refer to authentication.
04:01
And with authorization, we are answering the question, what am I allowed to do? And they are tightly coupled most of the times, but because basically in order to authorize something, you need to know who you are speaking to the first day. But technically, there are two different things, and there are also different protocols addressing different aspects of the system.
04:23
When we are talking about authentication, there are three things we can use to authenticate someone, and this is something you are. It's the parametric, like fingerprints, faces, face recognition, voice recognition, eye-waste scans, stuff like this. Which you probably already know from your smartphone, what you think of it, and so on.
04:43
Then there is something you know, which are basically passwords, pins, and other kinds of secrets. And there can be something that you have, that you can carry along. And that's like a physical key, so you can open a door, or also those hardware tokens or smartphones. And in our case, it's a UV key, and this is the category of something that you have.
05:03
Those different kinds of things you can combine when you are authenticating someone. And you end up with two-factor authentication, for instance, which probably all of you have heard for now. And in general, this is a multi-factor authentication. Whenever you are dealing with authentication, you always have to balance out those three aspects.
05:24
There is the security aspect, which probably most of the security engineers look at. But at least as important is the usability and deployability. So is it actually usable by normal people? And what are the costs of using and operating this stuff?
05:42
So a token of the UV key, for instance, is about $50. So obviously there is some cost to it. Whereas passwords aren't popular. So there is a lot of authentication protocols. These are just some of them. And they are all addressing different problems. And can be put on a different point on this binder that you just saw.
06:05
But in the end, basically, there is a lot of options. And there is not one really perfect solution. There is always some trade-off that you need to make. And what is actually wrong with passwords? Because there is a lot of stuff that is good about passwords.
06:20
They are easy to use, easy to implement. They are very universal. You can use them everywhere. It is easy to implement. So in the end, it is only a string comparison. And we have even some recommendations with practices from the Insta Institute, for instance. Which is telling us how long a password is supposed to be on characters. There should be different classes and so on.
06:41
So on the other hand, passwords are also challenging. And this is also something that you hear all of the time. So people are using weak passwords. They reuse the same passwords. People are being phished. So they enter the password in a place where they are not supposed to enter it. And on the other end, the people that are getting our passwords, they are breached all of the time.
07:01
They use wrong practices. So they hash them wrongly or not at all. They don't apply solids. Stuff like this. They are also very difficult to handle. Because obviously we are humans and we cannot remember a lot of random prep. So we need to use password managers or some other schemes which makes them difficult to handle.
07:21
And also no fun to enter if you have a lot of special characters with different keyboard layouts and stuff like this. It's not a lot of fun to enter them if you have to do it often. And also even if you have very strong passwords, they do not protect against a lot of attacks that are being done in the real world all of the time.
07:40
So you can still, once you know a password or however you found out, you can reuse it all of the time. So this is the kind of replay attack. It can be phished. You can remain in the middle and stuff like this. And the reality is basically a mixture of all of what I've just said. So daily breaches with billions of passwords lying around somewhere on the internet in the dark web.
08:01
There is a wrong understanding. So for years and years NIST was recommending that you need to reset your password every 90 days. And basically everybody is doing this because it's also implemented in active directories and stuff like this. And even the guy who came up with this at some point said, hey, I'm sorry, this was totally crap otherwise and it doesn't make a difference.
08:21
But we are still stuck with it. So there is even some, among the experts there is some misunderstanding. And you can also, people are always arguing, hey, we just need to train people and tell them about it. But actually there are papers from the 70s and 80s where they were saying, hey, passwords are weak. People are using weak passwords. And after 40 or 45 years of education we are still at 1, 2, 3, 4, 5, 6.
08:46
And passwords are still mostly possible in 2017 for instance. So I just want to, and one way on how to improve this is through this hardware. And this is for instance a bunch of different hardware.
09:00
In the left you can see UV keys, which this talk is about. But there are also a whole bunch of different keys of hardware that is doing a very similar thing. And FJV, U2F and Web of M, those are open standards and they are cross competitive. So we can actually use any of those keys for this particular one.
09:22
And hardware is also used in many different applications and many different other applications. Not only in the user application, the computer, but also for like when you open up your card, there is some secret cryptographic going on with online transactions and so on. And before there was, before the UV key became famous, basically it was being used a lot.
09:45
There were those hardware tokens that you physically carry along and you could press a button or they would just change the key every 30 seconds with the RSA token or something like this. And you had them to enter this key, this one time password basically,
10:00
manually enter some key next to the password or something like this. And the UV keys were basically doing a very similar thing. There are also smart cards, they can do a lot of more stuff than just one time passwords. They can be used to put certificates on there and stuff like this.
10:20
But in the end all of this is, the basic idea is that we have a very, we have a secure environment where we can do cryptography. The keys that are used there cannot be accessed easily or at all hopefully. The CPU or the processor in these tokens cannot run any command. It's very closed down, you cannot update it for instance.
10:42
And there is, the goal is basically to make it difficult to hack and clone those devices. And the interfaces and so on, they are very small and there is not a lot of interaction that you can do. So you cannot do a whole thing, I'm not able to make those things. This is the picture you see in the beginning.
11:02
So a lot of the, it's basically now begins the UV key specific part. And they are very intuitive to use. So the only direction that UV key allows basically is to touch it. It's a short and a long option, so you can either touch it for I think less than half of a second.
11:22
And it is the shorter option, there is another option where you can press it longer and it will use a different slot. But that's it basically. And it's also very similar, we won't explain this to your parents for instance. This is very similar to a physical key, you have to carry it along. When you locate it at home, you cannot log in. But the nice thing about it is that it cannot be easily cloned and somebody has to physically steal it for instance if he wants to pretend to.
11:47
So it requires physical possession. The newer models, they have different interfaces. So USB is probably the easiest one to use. But there is also NFC and Bluetooth Low Energy. And the mobile platforms, those are the ones that you want to look into.
12:03
The UV key in general, all of them, they support several different modes. And this allows different use cases. So it's not only this one time password thing I was talking about. But there is also a web of Android U2F component here, which is for authentication. Which I will tell you a little more about.
12:22
But there is also like the OpenPGP applet on there. So you can use it as a smart card or PPG. You can use a prosthetic password, so you can program it in a very complex password. And whenever you press the button, you just spit out this complex password. And there is also more advanced stuff like, it's called TIL, where you can actually manage identities and certificates.
12:45
Only it just pretends to be a smart card, just like this for instance. And with big enterprises, you usually in the password get such a smart card and you would have to plug it into your computer. And this will then do some authentication.
13:02
And the UV keys can do the same things, but it's much smaller and much nicer contactor. As you can see, there is a lot of different applications in there basically. And there is different configuration sets. So actually this is quite a complex device, but for users it's very easy to take with.
13:23
So let's start with one time passwords. We were already talking about them with the other Apple tokens. And the basic idea behind one time passwords is that you have a password that is only very short lived. It can be used only once or for a short period of time.
13:42
And this is used as an additional factor. So you have to provide an actual password. And then you are asked for another one time password. And there are a lot of different ways you can do this. And different vendors and different service providers choose different routes here. So there are Apple tokens like the RSA one I was talking about.
14:03
You can have applications on your smart phone. You can use smart cards. You get a ton, which is a little bit more secure, but pretty much the same idea. You can get it via SMS or a text message. Some service providers will send you an email whenever you try to log in. And of course you can use the Yubikey.
14:24
Actually the Yubikey supports several modes for one time passwords. So the first one is the Yubico OTP. This one was basically what started Yubikey. So back in 2007 or so they created this little device.
14:41
And it would just spit out random crap when you ever press it. And the idea was that it is a USB device, so it will be emulating a keyboard. And you don't need any drivers support or anything. You can just type in some letters whenever you press the button. And the service provider, when receiving this string of characters, can then verify the function password.
15:06
So it just looks something like this. If you press it multiple times, it will spit out these random characters. This doesn't have a meaning for us, but actually this is encoded information. So this Yubico refers to this mod hex.
15:21
It's not really hex because they also... It's a little bit more complicated because they want to make sure that it's working on all platforms. So they can only use certain key codes and not all characters basically. But in the end, there's information. And what this information contains is, on the one hand, a specific ID for this Yubikey.
15:42
So basically the prefix or some characters in the beginning are a Yubikey ID. And the other stuff is the actual one-time password which is encrypted with a password that only the service provider... or in this case even Yubico knows. And as a service provider, you can ask the Yubico server because you will send this one-time password to a Yubico server.
16:05
They also have this key that's burned into your Yubikey key and then they can verify. And there's also a counter for visual protection. The nice thing about this was that it comes pre-configured. You buy this thing from Amazon, put it in the USB slot and it just works.
16:21
It's based on a shared secret and it was a third party which is the Yubico. So you can host this for yourself, but this is a little bit more complicated and most people don't choose to do so. So you at least have to... there's some trust relation with Yubico because you have to trust the result. You let Yubico... so Yubico is doing the verification for you, so you're again trusting them.
16:44
And the nice thing about this is that it scales very well for users because you can use it with any service provider that supports this. And there's not anything that you need to take into account, you just press the button. In OpenZoom, for instance, it works out of the box because it's just a USB hitch device.
17:03
There's an application, it's called Yubikey Manager. You can use this for some... you can manage some aspects of it and swap these slots, for instance. So you can either choose to do a short press or a long press. And you can also use this with a pen module which is called penYubico. You can use this for local authentication.
17:22
So you can use the Yubikey to authenticate against the system. So in order to log into the system, you not only have to provide a password, but also some of the right Yubikey. The drawbacks are unfortunately that not a lot of service providers pick up on this.
17:40
There's only a limited number of them. And also this requires network connectivity. So the service provider needs some connection to Yubikey to verify it. If something breaks, there's an authentication language which is an enormous attribute of the system. There are other kinds of one-time passwords. These are probably more familiar with.
18:00
Usually referred to as O. This is an open alliance for authentication and standardizing on those one-time passwords. There are two kinds of one-time passwords. In this category, either time-based, which is DOTP, or HOTP, which is event-based. So basically you can choose what you want here. It both has advantages and disadvantages.
18:22
The Yubikey, for instance, the event-based one, the HOTP, it works just like before. You press the button and it just spits out this key with the time one. You need an additional application because the Yubikey itself does not have a clock. So you need to have some support from the operator, from the host computer, from the host system, which will take time to the Yubikey.
18:47
Then usually you will just end up with six-digit code. So, for instance, if you are familiar with Google Authenticator or 3OTP or something like this, the standard is the same. So all of them will generate the same codes.
19:02
And then you can enter those codes manually or with the Yubikey with 2OTP. And this scheme is also based on a shared secret. So this time there is no network connectivity required because the shared secret is on the Yubikey and the service provider has it. So you don't need the third party. But it requires some initial configuration.
19:21
So before you can use it with any service provider, you have to set it up and share the secret actually. And this is easy to do fast, but not for everyone else. And also with these one-time passwords you can only use it as an additional factor. Because you have only the six-digit code, but you don't know who it belongs to. So before you can actually verify it to use it as to provide its user name.
19:45
And ideally it also has plus mode already, so you can use it as a second factor. But if someone just gives you this code, then you don't know who it is. With the Yubikey or 3OTP before, there is a prefix which will tell you which user it is actually.
20:00
But here there are no third parties in the world. You can also use an open user. It's supported out of the box, but as I said, it requires some initial configuration. So you need to configure it. So even the service provider will tell you a secret with Yubikey. You will require some QR code that you scan with your preventing data, for instance. But encoded within this QR code is information that you can also run in Yubikey.
20:25
And once again, with Yubikey Manager, you can configure all of this. And with PEM Yubico, you can also use it for local authentication. So once again, you can use this to authenticate against your system. Now you don't need any internet or network connectivity.
20:40
So you can use this basically without requiring your laptop to have a network connectivity. But the drawing example is an initial setup. As I said, it's very impossible to copy-paste a string into this application. The application will run into the Yubikey. But for other target audiences, this might not work out.
21:04
And also it scales very badly. So technically I would need, I don't want to share the same secret with other service providers. So I would need a shared secret with every service provider. Unfortunately, Yubikey only has two slots. So it can, at the maximum, use this Yubikey.
21:20
Or one Yubikey only has two service providers. So you can imagine that this doesn't work out in the internet. Or you have hundreds of accounts. And on top of that, just in general, this applies to all one-time passwords. There's a bunch of problems. So they increase the security quite a bit actually. Where you just simply see the password doesn't work anymore.
21:42
And it also has a cool touch to it. So it feels like launching rockets and you have to look up some code or something. But they also don't solve a lot of problems. Because in the end, what happens in reality is that people are not only using their passwords. But they also do other stuff.
22:02
So like putting the password into the wrong webpage. And if they fall for this, then they will also enter the one-time password. And then it can be used by many, many friends. Instead of hijack sessions, browser sessions are something that you get a hold of the cookie. And in the end, it's also based on shared secrets.
22:21
So if the service provider has to store it somewhere, it can use it. So all of this is not really helping. And the most important thing is that it scales very badly. So as I've said, you would need basically dozens of UV keys if you wanted to do it right. You just have to sit up and do it right.
22:42
What's more interesting is where they try to do it right is the v2.app file. It's a web program. Historically speaking, the v2.app came first and then the others under-evolved out of that. And those are now using public key cryptography. Now it begins to get interesting because you will have different keys for different service providers and not the same key anymore.
23:05
This scales very well for users. So you can use the same key with a whole bunch of service providers and that's not a problem anymore. So standards are mostly focusing on user authentication direct. So it's difficult or not as straightforward to use it for anything other than web authentication.
23:24
And the reason at least is to get rid of passwords altogether. So sometimes also we call this password-less time or age. So if you do it with the 502, there are several modes where you don't need any password. You just need the key.
23:43
And here the basic idea with all of three of those, because I won't have time to go into the details, is that you have an authenticator, which is the UV key in our case. This could in theory also be implemented in software. And also you have support in the browser. And the browser is now talking to the service provider. And on the one end and on the other end, it's talking to the authenticator.
24:04
Kind of relaying messages between the two parties. So UDF was developed and started in 2012. Now it's technically the correct term as the FIDO-U2F. Because it was donated to the FIDO Alliance. And out of all of this came Web-of-N.
24:24
In layman's terms, it's the modularization of U2F. So this one aspect is server-to-client communication. This is happening between the browser and the server. This is Web-of-N. And then there is this client authenticator communication protocol. This is the communication between the browser and the authenticator.
24:44
And this was split up basically. And all of this together is referred to as FIDO-U2. But here we are going to use this synonymously. Because we don't have time to go into details. And it's a little bit more complicated than this. But with all three of them, you have this terminology.
25:01
So usually you have the server, which is referred to as relying party. It generates and delivers some JavaScript code. This JavaScript code is then executed by the browser. And it will then basically the JavaScript code will tell the browser, hey, get in touch with the authenticator. And the authenticator is just an accurate model.
25:22
It can be implemented in many different ways. But the most straightforward way and one of the more secure ways to do it is the UTP. It can also be done in software. Or you can use maybe TPM modules or something that is more secure. But we are focusing on the hardware tokens here. And basically there are only two kinds of server monies.
25:44
So before you can use this with any service provider, you have to register in UTP. So somewhere, once you are logged in with using the password these days, you get into the options. And somewhere you can tell them, hey, I want to register UTP. So then you will find the hardware token.
26:01
And it will ask you. And then it will talk to your browser. And your browser will then ask you to enter your token and press the button. And there is the second server monie, which is the authentication. And here you already registered previously with the service provider. So the service provider already has the key. And you can then sign a challenge.
26:22
That's what's going on behind the scenes in order to authenticate. This is basically the complex or the technical overview of what's going on with some of the JavaScript API and what arguments there are. But this is only interesting for developers, for users.
26:40
The user experience is really easy. So we serve the web just as usually, just as you are used to. And at some point, when your browser asks you to touch the button in UTP, you do so. So there is nothing, basically there is nothing for you to really do, besides sticking in the UTP and touching the button.
27:01
All of this is also working in OpenSUSE already. So it actually works with any modern browser, so Firefox Chrome and so on. With Firefox, there is this one configuration you might have to enable. I'm not sure what the default is by now. Like a year ago, it was not enabled by default.
27:20
As far as I remember, they wanted to enable it at some point. I'm not sure if they already did so. And with the UTP manager, you can actually only turn off or turn on this mode. But you cannot do any more than that. Then there is the list of browsers that are supporting this. For us, it's Chrome and Firefox.
27:42
And the nice thing about this, this was a basic idea, this was kind of innovative back then, is that there is an individual keypad. So the public keypad property, you always have keypads. And you don't want to reuse the same keypad, because then you affect basically the same problem.
28:01
And with using different keypads, you are not traceable. It's a little bit more complicated, but it's using the curve cryptography, so you can use any random bit pattern, actually. So what's going on on a high level is you take the device secret, you take the URL of the website, you hash this together,
28:21
and this is your keypad, your private keypad. From this, you can derive the public key, which you send to the service provider. And actually, the Yubikey is not safe in any of those keys. It can just regenerate them whenever it needs them. So there is not a lot of storage on those Yubikeys, and cryptographically secure storage is expensive.
28:40
So this is the nice aspect. It stays well without requiring a lot of storage. And this is what's going on cryptographically. But once again, the only interesting thing is that it takes the URL into account and a device-specific secret, which is specific to each device. So every device, every Yubikey you buy,
29:02
takes a different secret from the Yubikey. And therefore, it will generate different private keys and public keys. And you have the web browser in the middle, and the web service in the end, and all of them are communicated with each other. And because we have this URL built into the scheme,
29:21
so there is phishing protection within. If the website changes, if you fiddle around with the URL, and replace a zero with an O or something like this, stuff that is going on, and people fall for, it will no longer work, because the cache will be completely different, even though it looks very similar for the human eye.
29:41
And also, this scales very well, because we don't have to save anything here. You just press the button, and in the background, the magic is happening with different individual key pairs for each service. And because we have those different individual key pairs, we're also not traceable. So even if I use the same key between different service providers,
30:01
somebody looking at all of this, cannot tell that it's the same key. And also a nice aspect is that the service provider has only public keys, which are kind of useless. You cannot derive anything from that. And then there's another mode. So another mode, basically you're switching topics again,
30:23
and I have to ask about this, I'm sorry. But there's this OpenPGP smart card that you can use. So OpenPGP, probably most of you already know, it's mostly used for email encryption, and also for package signing. So when you're downloading packages from SQL, OpenPGP is working behind the scenes,
30:42
and it's verifying the integrity of the packages. But for a lot of people, so you can use the YubiKey for this kind of thing, so you can put your keys on the YubiKey and then use it for encryption. So in order to decrypt any mail, you have to plug in the YubiKey into the computer,
31:02
and only then the email can be decrypted. That's already nice, but what's even nicer is that you can actually use PGP as an SSH agent, and then you can actually use the YubiKey for SSH authentication. So you can put a SSH and RSA key on the YubiKey, and this can be used for SSH authentication.
31:23
And all of this is also in OpenSUSE and supported out of the box. You only need this GPG2 package, which probably is even installed by default. It requires some special setup, you need to enable the SSH agent within GPG, and also you have to set some environment variables. But once this is done, you only need to do this once,
31:43
and then you can just use your SSH command, as you're used to with SSH, and then you can log into systems, and then you will actually use the YubiKey, and then you unplug the YubiKey, and then all over the world. And the nice thing about this is that the keys are stored in hardware once again,
32:00
and when you use the YubiKey, so basically the smart card, the YubiKey is protected with a pin, so whenever you are using it, you have to unlock it with the pin, and when you lose it or something, then nobody else, it cannot be used for it, because after a failed attempt, it will block itself and then only unlock it with a hook, and when you enter this one three times wrongly,
32:24
then it will just reset itself or block completely, and you cannot really use it anymore. So there is some, it's more secure than just putting your keys on an hard drive and hoping that nobody will ever access it. Because even if it's encrypted on the hard drive, you can still do it for a second.
32:41
And actually there are many other use cases, so these were probably the most easy ones to use, so there is this whole hip aspect to it, but this is more or less only interesting for enterprises, and it's a little bit more complicated to roll out and manage. And there is also a challenge response mode, this can be used with password managers for instance,
33:03
because this shared secret approach is not really working well, you can use it with static passwords, so you're telling the unique key to just spit out a random password, it's a static password, but it can be very complicated, so you don't have to type it in manually, and you can also use it via Bluetooth and NFC
33:21
for mobile platforms with Android and other things like that. And if you want to know any more details, now as I've said in the workshop, the idea is to set all of this up, what I was talking about, and also there is a lot of resources in the internet, so basically developers.ubicode.com site is a really great portal,
33:44
and a good starting point for any expeditions that you want to take. If you're interested in more interesting to apply it to a web of N, because it was very high level, and I actually simplified it to a degree where it's kind of wrong, but I did a talk at the Chemex Amiga study about it,
34:04
and I go through some of the details in the history. So in summary, passwords by itself are kind of insecure, and unique keys are very easy to use, and can increase the security, so everyone should use them. The support is quite good in Open Studio,
34:21
so there is no reason to not use it. And now we are coming to the perspective and aspect of this. So there is also on this Umicore,
34:41
as I've said this is the Umicore resource available, for instance you can validate, so they have a bunch of different demonstration sites, and the easiest one to use is this Umicore OP, that was the first one I was talking to, and here is my Umicore,
35:01
so now we have to just enter those keys, or the browser doesn't need anything, but the service provider can actually decode this, and other information in there, and you can use this to tell if it's the right user, if the user has the right Umicore. So this is one thing that you can use here,
35:24
the more interesting thing, and more than one is the FIDO, so we need to add in FIDO stuff, so as I've said with FIDO and Umicore, there are these two steps basically,
35:41
in the first step we have to register the UB key, so this is where you have to log in to the author of your service provider, and you have to tell them about the service key, but this is only a simple view use case, so there is not a lot of fancy other authentication going on, but essentially there is a button, now my browser is executing JavaScript here,
36:03
and this dialogue is coming from the browser, and it is now asking me, telling me hey this website wants to use the authenticator, do you agree? So I can press continue here, and because I simplified so much,
36:20
there is an option to stay anonymous, or to actually also set up a destination certificate, which will tell the service provider what kind of UB key I have, which could then in turn be used for tracking, so I can either choose to do so or not, as a method here, and now I'm asked by the browser to put my finger on the UB key,
36:41
it's also blinking, but this one you can't see from the background, and I just press this button now, and once again in the background a lot of stuff is going on, and you can check this here, this is all of the information that is exchanged between the browser, the UB key, and the service provider, you need to understand something about cryptography
37:00
in order to make sense of this, but essentially all of this is sufficient to authenticate myself, it's very easy, you don't have to understand all of this technical stuff, you only press the button basically, and once I registered my UB key, I can also, okay there is even more information I can check out here, but the second step is actually to authenticate myself,
37:25
so I've now registered this device, the service provider, the service provider knows about it, so the next time I come along I will authenticate, and once again this is only a demo, so I have to press the next button here, but actually it looks the very same way, now I'm not being asked if I want to stay anonymous anymore,
37:43
I've just been shown this dialogue here, I press the button, and I'm successfully authenticated, and this is way easier to use than any password and stuff like this, and it's also way more secure, so this is very nice, and one more thing,
38:07
one more demonstration behind this one,
38:23
so you probably, yeah, so basically I have a bunch of files lying around here, so I can use those SSH private keys and public keys, and usually you probably all know how to use them to authenticate against the server,
38:41
you can just specify the dash i option on the command line, or you can set up your SSH configuration to use them, what's more advanced is to use the SSH agent, so there is something like this, there is an SSH agent, this is also coming with the open SSH package, and if you do something like this here,
39:03
you now have an agent running, and you can communicate with this agent with this SSH dash add command, and you can now add those identities there, so what you can basically do is to take this key on the hardware, add it to the agent, and then it can be reinstalled along, and you don't have to decrypt it also,
39:22
this is more convenient, but what's even more secure is to use GPG as an SSH agent, so you basically have to get rid of all of this, so I have my setup variable here in a specific way,
39:41
and in the end I end up talking to the GPG agent instead of the SSH agent, and here you can see the card number, this is my SSH key lying around on the new key, now I can use this key just like any other key, I will install it on the server and use it for authentication,
40:00
and when I unplug this unique key for instance, I don't see any of these anymore, this is basically more secure than having keys in your phone directory, and that's pretty legit, and with this I can open up for questions and answers.
40:32
Yes? How exactly does it make more secure to get rid of passwords? The fact that I know something,
40:41
is that it's more secure to use a GPG than a password? The term secure is a bit difficult, but I would argue for most people it will be more secure to use a GPG than to use passwords, because people proved over and over again that they are not able to use passwords correctly. The validation is for the entropy of passwords,
41:02
so I assume you know a lot about passwords, you can use random passwords for a lot of entropy, but still there is something, when somebody enters your computer, basically somehow gets to know that passwords, he can use them, he can use them as often as he wants them to,
41:21
so this is not true of GPG, GPG needs to be physically stored, and I think most people know way better how to secure physical stuff, than to secure some information on someone. So that's the main argument. Passwords can be secure to some extent, but for most people they are not, it's just proven by reality,
41:40
open and open. I understand that question, can I add a password security for the GPG? Yeah, so this was basically kind of a simplification, I think, for you to add, you would not, so this was basically the first step of this, but now with GPG 5 and GPG 5 or 2, there is a pin just like any other smartwatch,
42:01
you can lock your GPG basically, you have to provide this pin, and if you do it wrongly, too often it will be not that simple. That's the most fundamental question. Is it possible to replace secrets on the hardware?
42:23
It depends to which mode you are referring to, so to this group 2F, web of N, and file 2M, as far as I know, no, this is literally turned into this pin, and with the other stuff, with the one time password, you can review the image, or you can set it for yourself,
42:41
the service provider will tell you what to put in there. But how can you then know that there is not a copy at cubicle? It's the one thing you have to trust cubicle about. But you can just put your own... I'm not sure, as far as I know, it's not possible, there are maybe other methods where it is possible.
43:04
Yes? What do you do if I lose it? Then we have a problem, and the answer, basically the file 2 answer, is to have multiple keys registered with the service provider, so you can actually, everywhere where I register it, you have somewhere in the menu, you can also fill,
43:21
you can register multiple devices. But of course it's inconvenient, and I also dislike this aspect of this one. If you put your own secret onto the device, then it could have a paper copy somewhere in your safe. Yes?
43:40
I don't pick this device. Any other? It seems like it's very much better login, because of this dominant position of cubicle in the setup. So is there any chance that this system can be federated in some sort?
44:00
I wouldn't argue that this is better login, because there is a lot of other vendors also, and it's an open standard that everybody can implement. So that's the question. Just to make sure, it's from the standard, it's described as much as I was able to make my own cubicle company. I was not locked in by the fact that
44:22
those service providers would need to have this third party contact with me, which they wouldn't do, because they say 90% of the users are already in cubicle, so I could of course not have a Gmail account, but it's quite hard to have my own SMTP reliably sending stuff out, so there is sort of a vendor login,
44:41
even though SMTP is an open standard, in the sense that there is no inaccessible documentary on how to implement it, it's still unlocked into certain bigger providers. So what is your take on that? Yes. Is it a dominant position or cubicle? It also depends on the model
45:01
and we are talking about file 2, and there was this question if I want to stay anonymous or not. If I choose to stay anonymous, the service provider doesn't even know what kind of device I am. They will just be sent a public key and they don't know if it's a unique key, if it's done in software, or if I have something else. I think Google has their Titan key,
45:21
which is basically, they decided for whatever reason they don't trust cubicle, or they don't want a partner with them anymore, so they are building their own key. If you choose to send along this, what happens in the background is you send along a certificate specific to this device, and it is signed by Unico, basically. The service provider could technically say,
45:42
hey, I'm only allowing devices from Unico. So far, I haven't seen anyone do this, but technically it would be possible. Question answered? Sort of. I have to give it some more thought. I can't conceive of this.
46:01
Let's discuss afterwards. Any other questions? That's it from my side.