# Password strength

* 2010 study: strong passwords need to be at least 12 random characters; 8 will soon not be strong enough.
* 2012: attackers can brute-force every 8-character password in less than 6 hours using 25 GPUs.
* It's 2020. Everything gets more scary now.

-----------------------------------------------------------------------------

# This remembers about 8 random characters

![](Human_Brain.png)

-----------------------------------------------------------------------------

Passwords are passé*

\
\
\
\
\
\

*not entirely true

-----------------------------------------------------------------------------

# What are hardware security tokens?

![Nano](YubiKey-5-Nano.png)

-----------------------------------------------------------------------------

# Why a Yubikey specifically

![Big](YubiKey-4.png)

-----------------------------------------------------------------------------

# Use case: Log into web site

Demo

-----------------------------------------------------------------------------

~~~plantuml
@startuml
hide footbox
actor Alice
control Token
participant Browser
database Website
Alice -> Browser : log me in
Browser -> Website : username, password
Website -> Browser : token needed, here is a nonce
Browser -> Token : need this nonce encrypted
Token -> Alice : make LED blink
Alice -> Token : press button
Token -> Browser : here is nonce encrypted
Browser -> Website : here is nonce encrypted
Website -> Browser : login OK
Browser -> Alice : WE'RE IN!!!!!
@enduml
~~~

-----------------------------------------------------------------------------

# Use case: Full disk encryption

* Linux: yubico-luks
* Mac, Windows: something, I don't know

-----------------------------------------------------------------------------

~~~plantuml
@startuml
hide footbox
actor Alice
control Token
participant Laptop
database "LUKS disk" as Disk
Alice -> Laptop : boot
Laptop -> Laptop : start boot loader
Laptop -> Alice : need challenge password for hard drive
Alice -> Laptop : challenge password
Laptop -> Token : here is challenge
Token -> Laptop : here is response
Laptop -> Disk : open up, here is password
Disk -> Laptop : LGTM
Laptop -> Laptop : boot
Laptop -> Alice : please to be logging in now
@enduml
~~~

-----------------------------------------------------------------------------

# Use case: Log into system

* can be 1FA or 2FA
* Linux: libpam-u2f, libpam-yubico
* local logins: getty, su, sudo, desktop
* also SSH or any other service

-----------------------------------------------------------------------------

~~~plantuml
@startuml
hide footbox
actor Alice
control Token
participant Laptop
Alice -> Laptop : username, password
Laptop -> Token : here is nonce
Token -> Alice : make LED blink
Alice -> Token : press button
Token -> Laptop : here is nonce encrypted
Laptop -> Alice : welcome
@enduml
~~~

-----------------------------------------------------------------------------

# Use case: OpenPGP

* Private subkeys stored on token
* All operations involving private keys happen on token

-----------------------------------------------------------------------------

~~~plantuml
@startuml
hide footbox
actor Alice
control Token
participant Laptop
Alice -> Laptop : show me this encrypted email
Laptop -> Token : decrypt this
Token -> Alice : make LED blink
Alice -> Token : push button
Token -> Laptop : here you are
Laptop -> Alice : your email, if you please
@enduml
~~~

-----------------------------------------------------------------------------
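The full disk encryption slides above show the token answering a challenge derived from the typed password, and the response becoming the LUKS passphrase. The Go program below is an added example, not code from this talk, from Yubico or from the yubico-luks package: `Token` stands in for the HMAC-SHA1 challenge-response slot, `Disk` for a LUKS key slot, and the slot secrets are constructed demo values. It assumes the simplest form of the scheme, where the password itself is the challenge and the hex-encoded response is the passphrase; the real keyscript has more options. The point it makes runnable is that the secret never leaves the token, so neither the password alone nor the token alone opens the disk.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Token models the HMAC-SHA1 challenge-response slot of a hardware token.
// The 20-byte slot secret is written once and cannot be read back; the host
// only ever sees responses.
type Token struct {
	secret []byte
}

// Respond returns HMAC-SHA1(secret, challenge). Real tokens cap the challenge
// at 64 bytes; the model enforces the same limit.
func (t *Token) Respond(challenge []byte) ([]byte, error) {
	if len(challenge) == 0 || len(challenge) > 64 {
		return nil, fmt.Errorf("token: challenge must be 1..64 bytes, got %d", len(challenge))
	}
	mac := hmac.New(sha1.New, t.secret)
	mac.Write(challenge)
	return mac.Sum(nil), nil
}

// DeriveDiskKey is the boot-time keyscript's job in this model: the password
// typed by the user is the challenge, the hex-encoded response is the LUKS
// passphrase. (Assumed simplification of the yubikey-luks scheme.)
func DeriveDiskKey(t *Token, password string) (string, error) {
	resp, err := t.Respond([]byte(password))
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(resp), nil
}

// Disk stands in for a LUKS key slot: it stores only a verifier of the
// passphrase, never the passphrase. Real LUKS uses a salted, slow PBKDF;
// plain SHA-256 is used here only to keep the model short.
type Disk struct {
	verifier [sha256.Size]byte
}

// Format enrolls the passphrase derived at setup time.
func Format(passphrase string) *Disk {
	return &Disk{verifier: sha256.Sum256([]byte(passphrase))}
}

// Unlock is the "open up, here is password" step. Constant-time compare so the
// check does not leak how many bytes matched.
func (d *Disk) Unlock(passphrase string) error {
	got := sha256.Sum256([]byte(passphrase))
	if subtle.ConstantTimeCompare(got[:], d.verifier[:]) != 1 {
		return errors.New("disk: passphrase rejected")
	}
	return nil
}

// Boot replays the diagram: password -> token challenge -> response -> LUKS.
func Boot(d *Disk, t *Token, password string) error {
	key, err := DeriveDiskKey(t, password)
	if err != nil {
		return err
	}
	return d.Unlock(key)
}

func main() {
	// Constructed 20-byte secrets for the demo; a real slot secret is
	// programmed into the token at setup time and never shown again.
	enrolled := &Token{secret: []byte("constructed-20-byte!")}
	other := &Token{secret: []byte("a-different-secret!!")}
	key, _ := DeriveDiskKey(enrolled, "hunter2")
	disk := Format(key)
	fmt.Println("right password, enrolled token:", Boot(disk, enrolled, "hunter2"))
	fmt.Println("right password, other token:   ", Boot(disk, other, "hunter2"))
	fmt.Println("wrong password, enrolled token:", Boot(disk, enrolled, "hunter3"))
}
```

Running `main` shows the first boot succeeding (`<nil>`) and the other two rejected. Because `Boot` only ever calls `Respond`, the laptop side of the model has no way to reach `Token.secret`, which is the property that makes a stolen laptop without the token useless.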
# Use case: SSH

* OpenPGP authentication subkey on token
* `gpg-agent` acts as an SSH agent

-----------------------------------------------------------------------------

~~~plantuml
@startuml
hide footbox
actor Alice
control Token
participant Laptop
participant Server
Alice -> Laptop : login to server
Laptop -> Server : Alice wants to log in
Server -> Laptop : here is a nonce
Laptop -> Token : encrypt this nonce with authn subkey
Token -> Laptop : here you are
Laptop -> Server : encrypted nonce
Server -> Laptop : here is a shell
Laptop -> Alice : WE'RE IN!!!!
@enduml
~~~

-----------------------------------------------------------------------------

# Here's how you configure everything

Not part of this talk. Sorry.

-----------------------------------------------------------------------------

# SEE ALSO

Password strength:

* [`http://web.cs.wpi.edu/~guttman/cs557_website/papers/passwords/MorrisThompsonPasswordSecurity.pdf`](http://web.cs.wpi.edu/~guttman/cs557_website/papers/passwords/MorrisThompsonPasswordSecurity.pdf)
* [`https://en.wikipedia.org/wiki/Password_strength`](https://en.wikipedia.org/wiki/Password_strength)
* [`https://arstechnica.com/information-technology/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/`](https://arstechnica.com/information-technology/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/)
* [`https://arstechnica.com/information-technology/2013/03/how-i-became-a-password-cracker/`](https://arstechnica.com/information-technology/2013/03/how-i-became-a-password-cracker/)

Configure Yubikeys and operating systems:

* [`https://github.com/drduh/YubiKey-Guide`](https://github.com/drduh/YubiKey-Guide)
* [`https://infosec-handbook.eu/blog/yubikey-luks/`](https://infosec-handbook.eu/blog/yubikey-luks/)
* [`https://infosec-handbook.eu/blog/yubikey-2fa-pam/`](https://infosec-handbook.eu/blog/yubikey-2fa-pam/)

-----------------------------------------------------------------------------
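The web site, system login and SSH slides all show the same exchange: the server sends a nonce, the token signs it with a private key that never leaves the token (the diagrams say "encrypt"), and the server checks the result against a public key registered earlier. The Go program below is an added example, not code from this talk, from Yubico or from any U2F, PAM or OpenPGP library, that makes the flow concrete with ECDSA P-256. The `Token`, `Website` and `Login` names, the `appID` strings and the exact bytes that get signed are constructed for the example; real U2F and OpenPGP signatures have their own formats. Two details the slides leave implicit are modelled explicitly: the signature covers the site's identity, so an assertion made for one site is useless at another, and the token carries a counter, so a replayed or cloned assertion is caught.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Token models the authenticator: the private key is generated inside it and
// never exported. The only operations are PressButton and Sign.
type Token struct {
	priv    *ecdsa.PrivateKey
	counter uint32 // bumped on every signature, lets the site spot replays and clones
	present bool   // "LED blinks, user presses button"
}

func NewToken() (*Token, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{priv: priv}, nil
}

func (t *Token) PublicKey() *ecdsa.PublicKey { return &t.priv.PublicKey }
func (t *Token) PressButton()                { t.present = true }

// Assertion is what the token hands back to the browser.
type Assertion struct {
	Counter uint32
	Sig     []byte // ASN.1 DER ECDSA signature
}

// Sign refuses without user presence, consumes it, bumps the counter and signs
// SHA-256(appID || counter || nonce). appID is a stand-in for the origin the
// browser reports; signing it is what stops a look-alike site from relaying
// the assertion to the real one.
func (t *Token) Sign(appID string, nonce []byte) (Assertion, error) {
	if !t.present {
		return Assertion{}, errors.New("token: user presence required")
	}
	t.present = false
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, signedData(appID, t.counter, nonce))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{Counter: t.counter, Sig: sig}, nil
}

func signedData(appID string, counter uint32, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte(appID))
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	h.Write(c[:])
	h.Write(nonce)
	return h.Sum(nil)
}

// Website keeps only the public key, the last counter seen and one outstanding nonce.
type Website struct {
	AppID   string
	pub     *ecdsa.PublicKey
	lastCtr uint32
	pending []byte
}

func (w *Website) Register(pub *ecdsa.PublicKey) { w.pub = pub }

// Challenge issues a fresh 32-byte random nonce, valid for exactly one Verify.
func (w *Website) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	w.pending = nonce
	return nonce, nil
}

// Verify checks that a challenge is outstanding, that the counter moved
// forward, and that the signature is valid for this site and this nonce.
func (w *Website) Verify(a Assertion) error {
	nonce := w.pending
	w.pending = nil // single use
	switch {
	case w.pub == nil:
		return errors.New("site: no token registered")
	case nonce == nil:
		return errors.New("site: no outstanding challenge")
	case a.Counter <= w.lastCtr:
		return errors.New("site: counter did not advance (replay or cloned token?)")
	case !ecdsa.VerifyASN1(w.pub, signedData(w.AppID, a.Counter, nonce), a.Sig):
		return errors.New("site: bad signature")
	}
	w.lastCtr = a.Counter
	return nil
}

// Login runs the diagram end to end; press=false models the user not touching the token.
func Login(site *Website, tok *Token, press bool) error {
	nonce, err := site.Challenge()
	if err != nil {
		return err
	}
	if press {
		tok.PressButton()
	}
	a, err := tok.Sign(site.AppID, nonce)
	if err != nil {
		return err
	}
	return site.Verify(a)
}

func main() {
	tok, _ := NewToken()
	site := &Website{AppID: "https://example.test"} // constructed origin
	site.Register(tok.PublicKey())
	fmt.Println("with button press:   ", Login(site, tok, true))
	fmt.Println("without button press:", Login(site, tok, false))
}
```

The same skeleton describes the SSH slide if `Website` is the server, `Login` is what `gpg-agent` does on the laptop's behalf, and the key is the OpenPGP authentication subkey; the server-side checks (fresh nonce, valid signature, known public key) are unchanged.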
# Legalese

Copyright 2020 Wikimedia Foundation

This content is licensed under the Creative Commons Attribution-ShareAlike 4.0 International ([CC BY-SA 4.0][]) licence.

[CC BY-SA 4.0]: https://creativecommons.org/licenses/by-sa/4.0/

Images from Injurymap, , and Yubico.com.

---
title: "Yubikey hardware security tokens"
subtitle: "Lunch and learn"
author: "Lars Wirzenius"
date: "2020-09-28"
...