-rw-r--r--  2020-09-28-yubikey.md  213
1 files changed, 194 insertions, 19 deletions
diff --git a/2020-09-28-yubikey.md b/2020-09-28-yubikey.md
index 3b1b275..f8de406 100644
--- a/2020-09-28-yubikey.md
+++ b/2020-09-28-yubikey.md
@@ -1,4 +1,17 @@
-# Human brains are wholly inadequate for secrets
+# Password strength
+
+* 2010 study: strong passwords need to be at least 12 random
+ characters, 8 will soon not be strong enough.
+
+* 2012: Attackers can brute force every 8 character password in less
+ than 6 hours using 25 GPUs.
+
+* It's 2020. Everything gets more scary now.
+
+
+-----------------------------------------------------------------------------
+
+# This remembers about 8 random characters
![](Human_Brain.png)
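Review bot: the 2012 bullet (`+* 2012: Attackers can brute force every 8 character password in less than 6 hours using 25 GPUs.`) states the figure without the condition that makes it true; the Ars Technica article linked under SEE ALSO ("25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours") is about Windows NTLM hashes, which are unsalted and cheap to compute, and the same cluster gets nowhere near that rate against a slow, salted scheme such as bcrypt or scrypt. Suggest "every 8 character Windows (NTLM) password" or a clause saying the figure applies to fast unsalted hashes, otherwise the audience reads it as a statement about passwords in general. The 2010 bullet names no source and nothing in SEE ALSO matches it; either cite the study or drop the year.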
@@ -24,6 +37,24 @@ Conclusion: we can't rely on passwords for security.
-----------------------------------------------------------------------------
+Passwords are passé*
+
+\
+
+\
+
+\
+
+\
+
+\
+
+\
+
+*not entirely true
+
+-----------------------------------------------------------------------------
+
# What are hardware security tokens?
![Nano](YubiKey-5-Nano.png)
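Review bot: the six `+\` lines, each followed by a blank line, between `Passwords are passé*` and `*not entirely true` are a renderer-specific way of pushing the footnote to the bottom of the slide (it relies on pandoc treating a trailing backslash as a hard line break); any other markdown renderer will show something different. Consider the slide tool's own vertical-space mechanism instead, and escape the asterisks (`passé\*`, `\*not entirely true`) so neither can be picked up as an emphasis delimiter.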
@@ -42,49 +73,193 @@ Conclusion: we can't rely on passwords for security.
-----------------------------------------------------------------------------
-You should still use passwords. Two-factor authentication is stronger
-than one-factor authentication.
+# Why a Yubikey specifically
-Use strong passwords: randomly generated and long. Use password
-managers. Use a different password for every site, application, device.
+![Big](YubiKey-4.png)
-----------------------------------------------------------------------------
-# Why a Yubikey specifically
+# Use case: Log into web site
-![Big](YubiKey-4.png)
+Demo
+
+<https://demo.yubico.com/>
+
+<https://gitlab.com/>
-----------------------------------------------------------------------------
-# Use cases
+~~~plantuml
+@startuml
+hide footbox
+
+actor Alice
+control Token
+participant Browser
+database Website
+
+Alice -> Browser : log me in
+Browser -> Website : username, password
+Website -> Browser : token needed, here is a nonce
+Browser -> Token : need this nonce encrypted
+Token -> Alice : make LED blink
+Alice -> Token : press button
+Token -> Browser : here is nonce encrypted
+Browser -> Website : here is nonce encrypted
+Website -> Browser : login OK
+Browser -> Alice : WE'RE IN!!!!!
+@enduml
+~~~
-* web: U2F, WebAuthn
+-----------------------------------------------------------------------------
-* local: disks, login
+# Use case: Full disk encryption
-* OpenPGP (sign, encrypt)
+* Linux: yubico-luks
-* SSH: via gpg-agent
+* Mac, Windows: something, I don't know
-----------------------------------------------------------------------------
-# Demo
-* Use U2F for 2FA on gitlab.com.
+~~~plantuml
+@startuml
+hide footbox
-* Store GnuPG subkeys onto Yubikey
+actor Alice
+control Token
+participant Laptop
+database "LUKS disk" as Disk
-* Configure GnuPG to use Yubikey
+Alice -> Laptop : boot
+Laptop -> Laptop : start boot loader
+Laptop -> Alice : need challenge password for hard drive
+Alice -> Laptop : challenge password
+Laptop -> Token : here is challenge
+Token -> Laptop : here is response
+Laptop -> Disk : open up, here is password
+Disk -> Laptop : LGTM
+Laptop -> Laptop : boot
+Laptop -> Alice : please to be logging in now
+@enduml
+~~~
- - scdaemon
+
+-----------------------------------------------------------------------------
+
+# Use case: Log into system
+
+* can be 1FA or 2FA
+
+* Linux: libpam-u2f, libpam-yubico
+
+* local logins: getty, su, sudo, desktop
+
+* also SSH or any other service
+
+-----------------------------------------------------------------------------
+
+
+~~~plantuml
+@startuml
+hide footbox
+
+actor Alice
+control Token
+participant Laptop
+
+Alice -> Laptop : username, password
+Laptop -> Token : here is nonce
+Token -> Alice : make LED blink
+Alice -> Token : press button
+Token -> Laptop : here is nonce encrypted
+Laptop -> Alice : welcome
+@enduml
+~~~
+
+-----------------------------------------------------------------------------
+
+# Use case: OpenPGP
+
+* Private subkeys stored on token
+
+* All operations involving private keys happen on token
+
+-----------------------------------------------------------------------------
+
+~~~plantuml
+@startuml
+hide footbox
+
+actor Alice
+control Token
+participant Laptop
+
+Alice -> Laptop : show me this encrypted email
+Laptop -> Token : decrypt this
+Token -> Alice : make LED blink
+Alice -> Token : push button
+Token -> Laptop : here you are
+Laptop -> Alice : your email, if you please
+@enduml
+~~~
+
+-----------------------------------------------------------------------------
+
+# Use case: SSH
+
+* OpenPGP authentication subkey on token
+
+* `gpg-agent` acts as an SSH agent
+
+-----------------------------------------------------------------------------
+
+~~~plantuml
+@startuml
+hide footbox
+
+actor Alice
+control Token
+participant Laptop
+participant Server
+
+Alice -> Laptop : login to server
+Laptop -> Server : Alice wants to log in
+Server -> Laptop : here is a nonce
+Laptop -> Token : encrypt this nonce with authn subkey
+Token -> Laptop : here you are
+Laptop -> Server : encrypted nonce
+Server -> Laptop : here is a shell
+Laptop -> Alice : WE'RE IN!!!!
+@enduml
+~~~
+
+-----------------------------------------------------------------------------
+
+# Here how you configure everything
+
+Not part of this talk.
+
+Sorry.
-----------------------------------------------------------------------------
# SEE ALSO
-* [`https://github.com/drduh/YubiKey-Guide`](https://github.com/drduh/YubiKey-Guide>)
-* [`https://en.wikipedia.org/wiki/Password_strength`](https://en.wikipedia.org/wiki/Password_strength)
+Password strength:
+
* [`http://web.cs.wpi.edu/~guttman/cs557_website/ papers/passwords/MorrisThompsonPasswordSecurity.pdf`](http://web.cs.wpi.edu/~guttman/cs557_website/papers/passwords/MorrisThompsonPasswordSecurity.pdf)
+* [`https://en.wikipedia.org/wiki/Password_strength`](https://en.wikipedia.org/wiki/Password_strength)
+* [`https://arstechnica.com/information-technology/ 2012/12/25-gpu-cluster-cracks- every-standard-windows-password-in-6-hours/`](https://arstechnica.com/information-technology/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/)
+* [`https://arstechnica.com/information-technology/ 2013/03/how-i-became-a-password-cracker/`](https://arstechnica.com/information-technology/2013/03/how-i-became-a-password-cracker/)
+
+Configure Yubikeys and operating systems:
+
+* [`https://github.com/drduh/YubiKey-Guide`](https://github.com/drduh/YubiKey-Guide>)
+* [`https://infosec-handbook.eu/blog/yubikey-luks/`](https://infosec-handbook.eu/blog/yubikey-luks/)
+* [`https://infosec-handbook.eu/blog/yubikey-2fa-pam/`](https://infosec-handbook.eu/blog/yubikey-2fa-pam/)
+
+
-----------------------------------------------------------------------------
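Review bot: the web, system-login and SSH sequence diagrams describe the challenge step as encryption (`+Browser -> Token : need this nonce encrypted`, and likewise `here is nonce encrypted` and `encrypt this nonce with authn subkey`), but in U2F/WebAuthn, PAM U2F and SSH public-key authentication the token signs the challenge with its private key and the verifier checks the signature against the registered public key; nothing is encrypted. The web diagram also omits that the signed data includes the origin the browser is talking to, which is exactly the property that makes the scheme phishing-resistant, so suggest "sign"/"signature" throughout and an origin remark on that slide. The removed lines starting `-You should still use passwords. Two-factor authentication is stronger` have no replacement, so the advice to keep using long random passwords and a password manager now survives only as the "not entirely true" footnote; keep at least one sentence of it. `Mac, Windows: something, I don't know` is a placeholder that should be filled or dropped before the talk, and "Here how you configure everything" should read "Here's how". In SEE ALSO the drduh entry keeps the stray `>` from the old line, `(https://github.com/drduh/YubiKey-Guide>)`, which becomes part of the link target; the spaces inside the other link texts (`2012/12/25-gpu-cluster-cracks- every-`) are fine if they are deliberate wrap points, but make sure they never end up in the href.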