# Password strength
* 2010 study: strong passwords need to be at least 12 random
characters; 8 will soon not be strong enough.
* 2012: Attackers can brute force every 8 character password in less
than 6 hours using 25 GPUs.
* It's 2020. Everything gets more scary now.
-----------------------------------------------------------------------------
# This remembers about 8 random characters
![](Human_Brain.png)
-----------------------------------------------------------------------------
Passwords are passé*
\
\
\
\
\
\
*not entirely true
-----------------------------------------------------------------------------
# What are hardware security tokens?
![Nano](YubiKey-5-Nano.png)
-----------------------------------------------------------------------------
# Why a Yubikey specifically
![Big](YubiKey-4.png)
-----------------------------------------------------------------------------
# Use case: Log into web site
Demo
-----------------------------------------------------------------------------
~~~plantuml
@startuml
hide footbox
actor Alice
control Token
participant Browser
database Website
Alice -> Browser : log me in
Browser -> Website : username, password
Website -> Browser : token needed, here is a nonce
Browser -> Token : need this nonce encrypted
Token -> Alice : make LED blink
Alice -> Token : press button
Token -> Browser : here is nonce encrypted
Browser -> Website : here is nonce encrypted
Website -> Browser : login OK
Browser -> Alice : WE'RE IN!!!!!
@enduml
~~~
-----------------------------------------------------------------------------
# Use case: Full disk encryption
* Linux: yubico-luks
* Mac, Windows: something, I don't know
-----------------------------------------------------------------------------
~~~plantuml
@startuml
hide footbox
actor Alice
control Token
participant Laptop
database "LUKS disk" as Disk
Alice -> Laptop : boot
Laptop -> Laptop : start boot loader
Laptop -> Alice : need challenge password for hard drive
Alice -> Laptop : challenge password
Laptop -> Token : here is challenge
Token -> Laptop : here is response
Laptop -> Disk : open up, here is password
Disk -> Laptop : LGTM
Laptop -> Laptop : boot
Laptop -> Alice : please to be logging in now
@enduml
~~~
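The boot-time flow above, as an added example that is not the yubikey-luks script or Yubico's code: the token's HMAC-SHA1 challenge-response slot turns Alice's challenge password into a response, and the hex response is the passphrase offered to a simulated LUKS key slot. Assumed: the challenge password is used as the challenge unchanged, and a salted SHA-256 digest stands in for LUKS's real key derivation.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
)

// Token models the YubiKey's HMAC-SHA1 challenge-response slot: the 20-byte
// secret is written once at enrolment and cannot be read back afterwards.
type Token struct{ secret [20]byte }
// NewToken programs the slot with a fresh random secret (the enrolment step).
func NewToken() (*Token, error) {
	t := &Token{}
	_, err := rand.Read(t.secret[:])
	return t, err
}
// Respond is "here is challenge" / "here is response": HMAC-SHA1 over the challenge.
func (t *Token) Respond(challenge []byte) []byte {
	m := hmac.New(sha1.New, t.secret[:])
	m.Write(challenge)
	return m.Sum(nil)
}
// DiskPassphrase is what the boot loader hands to LUKS: Alice's challenge
// password is the challenge, the hex response is the passphrase (assumed scheme).
func DiskPassphrase(t *Token, challengePassword string) string {
	return hex.EncodeToString(t.Respond([]byte(challengePassword)))
}
// KeySlot stands in for a LUKS key slot as a salted digest (real LUKS uses a
// slow KDF and wraps a master key; a digest is enough to show the dependency).
type KeySlot struct{ salt, digest []byte }
func Enroll(passphrase string) (*KeySlot, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return &KeySlot{salt, digestOf(salt, passphrase)}, nil
}
func digestOf(salt []byte, passphrase string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(passphrase))
	return h.Sum(nil)
}
// Open is "open up, here is password": true means "LGTM".
func (k *KeySlot) Open(passphrase string) bool {
	return subtle.ConstantTimeCompare(k.digest, digestOf(k.salt, passphrase)) == 1
}
```

The disk opens only when both the token (something you have) and the challenge password (something you know) are present; either one alone yields a different passphrase.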
-----------------------------------------------------------------------------
# Use case: Log into system
* can be 1FA or 2FA
* Linux: libpam-u2f, libpam-yubico
* local logins: getty, su, sudo, desktop
* also SSH or any other service
-----------------------------------------------------------------------------
~~~plantuml
@startuml
hide footbox
actor Alice
control Token
participant Laptop
Alice -> Laptop : username, password
Laptop -> Token : here is nonce
Token -> Alice : make LED blink
Alice -> Token : press button
Token -> Laptop : here is nonce encrypted
Laptop -> Alice : welcome
@enduml
~~~
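The nonce exchange in the web-login and system-login diagrams above, as an added example that is not part of the original talk or any Yubico code: a token holding a per-site ECDSA P-256 key signs the site's fresh nonce, and the verifier consumes that nonce so a captured response cannot be replayed. Assumed simplifications: the site is identified by a plain string, and the U2F wire format, signature counter and attestation are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Token models the hardware token (simplified; not Yubico firmware or U2F wire format).
type Token struct{ priv *ecdsa.PrivateKey } // the per-site private key never leaves it
// Website keeps only the public key and the nonce of the login in progress.
type Website struct {
	pub     *ecdsa.PublicKey
	pending []byte
}
// Register makes the per-site key pair; only the public half reaches the site.
func Register() (*Token, *Website, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Token{priv}, &Website{pub: &priv.PublicKey}, nil
}
// Challenge is "token needed, here is a nonce": 32 fresh random bytes per login.
func (w *Website) Challenge() ([]byte, error) {
	w.pending = make([]byte, 32)
	_, err := rand.Read(w.pending)
	return w.pending, err
}
// message binds the response to site and nonce: a capture from one login is useless elsewhere.
func message(site string, nonce []byte) []byte {
	h := sha256.Sum256(append([]byte(site+"\x00"), nonce...))
	return h[:]
}
// Respond is what the button press releases: the diagram's "nonce encrypted",
// implemented here as an ECDSA signature over message(site, nonce).
func (t *Token) Respond(site string, nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, t.priv, message(site, nonce))
}
// Verify checks the signature against the outstanding nonce and consumes it,
// so the same signed response cannot be replayed for a later login.
func (w *Website) Verify(site string, sig []byte) error {
	nonce := w.pending
	w.pending = nil
	if nonce == nil || !ecdsa.VerifyASN1(w.pub, message(site, nonce), sig) {
		return errors.New("login rejected")
	}
	return nil
}
```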
-----------------------------------------------------------------------------
# Use case: OpenPGP
* Private subkeys stored on token
* All operations involving private keys happen on token
-----------------------------------------------------------------------------
~~~plantuml
@startuml
hide footbox
actor Alice
control Token
participant Laptop
Alice -> Laptop : show me this encrypted email
Laptop -> Token : decrypt this
Token -> Alice : make LED blink
Alice -> Token : push button
Token -> Laptop : here you are
Laptop -> Alice : your email, if you please
@enduml
~~~
-----------------------------------------------------------------------------
# Use case: SSH
* OpenPGP authentication subkey on token
* `gpg-agent` acts as an SSH agent
-----------------------------------------------------------------------------
~~~plantuml
@startuml
hide footbox
actor Alice
control Token
participant Laptop
participant Server
Alice -> Laptop : login to server
Laptop -> Server : Alice wants to log in
Server -> Laptop : here is a nonce
Laptop -> Token : encrypt this nonce with authn subkey
Token -> Laptop : here you are
Laptop -> Server : encrypted nonce
Server -> Laptop : here is a shell
Laptop -> Alice : WE'RE IN!!!!
@enduml
~~~
-----------------------------------------------------------------------------
# Here is how you configure everything
Not part of this talk.
Sorry.
-----------------------------------------------------------------------------
# SEE ALSO
Password strength:
* [`http://web.cs.wpi.edu/~guttman/cs557_website/papers/passwords/MorrisThompsonPasswordSecurity.pdf`](http://web.cs.wpi.edu/~guttman/cs557_website/papers/passwords/MorrisThompsonPasswordSecurity.pdf)
* [`https://en.wikipedia.org/wiki/Password_strength`](https://en.wikipedia.org/wiki/Password_strength)
* [`https://arstechnica.com/information-technology/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/`](https://arstechnica.com/information-technology/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/)
* [`https://arstechnica.com/information-technology/2013/03/how-i-became-a-password-cracker/`](https://arstechnica.com/information-technology/2013/03/how-i-became-a-password-cracker/)
Configure Yubikeys and operating systems:
* [`https://github.com/drduh/YubiKey-Guide`](https://github.com/drduh/YubiKey-Guide)
* [`https://infosec-handbook.eu/blog/yubikey-luks/`](https://infosec-handbook.eu/blog/yubikey-luks/)
* [`https://infosec-handbook.eu/blog/yubikey-2fa-pam/`](https://infosec-handbook.eu/blog/yubikey-2fa-pam/)
-----------------------------------------------------------------------------
# Legalese
Copyright 2020 Wikimedia Foundation
This content is licensed under the Creative Commons
Attribution-ShareAlike 4.0 International ([CC BY-SA 4.0][]) licence.
[CC BY-SA 4.0]: https://creativecommons.org/licenses/by-sa/4.0/
Images from Injurymap,
, and
Yubico.com.
---
title: "Yubikey hardware security tokens"
subtitle: "Lunch and learn"
author: "Lars Wirzenius"
date: "2020-09-28"
...