path: root/2020-09-28-yubikey.md
blob: 3b1b2754ea97e8612c6bf423f5375e3742835343 (plain)
# Human brains are wholly inadequate for secrets


![](Human_Brain.png)

<!--

* Passwords can be brute-force guessed by an attacker.
* The only thing that helps is length.
  - rules about which characters to use don't help nearly enough
  - minimum (2010): 12 random characters
* Human-invented passwords are rarely strong.
* Humans can rarely memorise more than a couple of strong passwords.
  - never mind typing them correctly
* Attackers gain more raw computing power every year. Human ability to
  remember longer passwords has already reached its limit.

Conclusion: we can't rely on passwords alone for security.

* Possible solutions: hardware tokens, password managers.

-->
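As an added illustration of the notes above (this script is not part of the original slides), a small POSIX shell script that computes the entropy of a uniformly random password from its length and alphabet size, and generates one from the kernel CSPRNG. It shows the "only length helps" point numerically: 12 lowercase letters carry more entropy than 8 characters drawn from all 94 printable ASCII symbols. The guess rate of 10^12 guesses per second is an assumed figure for an attacker with a GPU rig, not a number from the slides.

```shell
#!/bin/sh
# Added example, not from the original slides. Entropy of a random
# password is length * log2(alphabet size); the attacker's guess rate
# below is an assumption.
set -eu
export LC_ALL=C   # force a "." decimal point in awk's printf output

# entropy_bits ALPHABET_SIZE LENGTH -> bits of entropy, one decimal
entropy_bits() {
    awk -v n="$1" -v l="$2" 'BEGIN { printf "%.1f\n", l * log(n) / log(2) }'
}

# years_to_crack BITS GUESSES_PER_SECOND -> expected years to find the
# password (on average the attacker succeeds halfway through the space)
years_to_crack() {
    awk -v b="$1" -v r="$2" \
        'BEGIN { printf "%.3g\n", 2^b / 2 / r / (365.25 * 24 * 3600) }'
}

# random_password NBYTES -> 2*NBYTES lowercase hex characters taken from
# /dev/urandom, i.e. NBYTES*8 bits of entropy (32 hex chars = 128 bits)
random_password() {
    od -An -v -N "$1" -tx1 /dev/urandom | tr -d ' \n'
}

# Compare common password policies against the assumed attacker.
rate=1000000000000
printf '%-28s %6s  %s\n' "policy" "bits" "years at $rate guesses/s"
for spec in "8 chars, 94 printable ASCII:94:8" \
            "12 chars, lowercase only:26:12" \
            "12 chars, 94 printable ASCII:94:12" \
            "20 chars, lowercase only:26:20"; do
    label=${spec%%:*}
    rest=${spec#*:}
    n=${rest%%:*}
    l=${rest#*:}
    bits=$(entropy_bits "$n" "$l")
    printf '%-28s %6s  %s\n' "$label" "$bits" "$(years_to_crack "$bits" "$rate")"
done

printf 'generated: %s\n' "$(random_password 16)"
```

The table is the argument of the slide in numbers: going from 8 to 12 characters adds more bits than switching from 26 to 94 symbols does, and a password manager plus a generator like `random_password` makes the length free.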


-----------------------------------------------------------------------------

# What are hardware security tokens?

![Nano](YubiKey-5-Nano.png)

<!--


* A small, physically hardened computer that can perform some
  cryptographic operations.
  - can store secrets
  - secrets can't be extracted (modulo bugs)
* Typically a USB-connected smart card of sorts.
* Some kind of button for user interaction (touch to approve an operation).

-->

-----------------------------------------------------------------------------

You should still use passwords. Two-factor authentication is stronger
than one-factor authentication.

Use strong passwords: randomly generated and long. Use a password
manager. Use a different password for every site, application and device.

-----------------------------------------------------------------------------

# Why a Yubikey specifically

![Big](YubiKey-4.png)

-----------------------------------------------------------------------------

# Use cases

* web: U2F, WebAuthn

* local: disks, login

* OpenPGP (sign, encrypt)

* SSH: via gpg-agent

-----------------------------------------------------------------------------

# Demo

* Use U2F for 2FA on gitlab.com.

* Store GnuPG subkeys on the Yubikey

* Configure GnuPG to use the Yubikey

  - scdaemon, the GnuPG smart card daemon
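The last two demo items, plus "SSH via gpg-agent" from the use cases, as an added shell script that is not part of the original slides. Assumed: GnuPG 2.1 or later with scdaemon installed, a primary key already generated with sign, encrypt and authentication subkeys, and that key's fingerprint in the `KEYID` environment variable. The `keytocard` step is interactive and stays so here; the script only gets you to and from that prompt.

```shell
#!/bin/sh
# Added example, not part of the original slides. Moves GnuPG subkeys to
# a Yubikey and points gpg-agent (and through it, ssh) at the card.
# KEYID, GNUPGHOME and the cache TTLs are assumptions: adjust to taste.
set -eu

GNUPG_DIR=${GNUPGHOME:-${HOME:-.}/.gnupg}

# Write a gpg-agent.conf that also serves SSH. Takes the directory as an
# argument so it can be tried on a scratch directory first.
write_gpg_agent_conf() {
    dir=$1
    mkdir -p "$dir"
    chmod 700 "$dir"
    cat >"$dir/gpg-agent.conf" <<'EOF'
# let gpg-agent act as the SSH agent (serves the card's authentication subkey)
enable-ssh-support
# cache the card PIN for 10 minutes, never longer than 2 hours
default-cache-ttl 600
max-cache-ttl 7200
EOF
    printf '%s\n' "$dir/gpg-agent.conf"
}

# The line every login shell must run so ssh talks to gpg-agent instead of
# ssh-agent. gpgconf knows the socket path, so never hard-code it.
ssh_agent_env() {
    printf 'export SSH_AUTH_SOCK=%s\n' "$(gpgconf --list-dirs agent-ssh-socket)"
}

# Interactive: move the subkeys onto the card. keytocard removes the
# on-disk secret, so back it up first. At gpg's prompt, for each subkey:
#   key N  ->  keytocard  ->  choose the slot  ->  key N (deselect)
# and finally: save
move_subkeys_to_card() {
    keyid=$1
    gpg --card-status            # starts scdaemon and proves the card is seen
    backup="$GNUPG_DIR/secret-backup-$keyid.asc"
    gpg --export-secret-keys --armor "$keyid" >"$backup"
    chmod 600 "$backup"
    gpg --edit-key "$keyid"
}

# After the move: restart the agent so it reads the new config, then show
# the SSH public key derived from the authentication subkey, once from gpg
# and once as ssh-add sees it through gpg-agent's socket.
show_ssh_key() {
    keyid=$1
    gpgconf --kill gpg-agent
    gpg --card-status
    gpg --export-ssh-key "$keyid"
    SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) ssh-add -L
}

case "${1:-}" in
    config) write_gpg_agent_conf "$GNUPG_DIR"; ssh_agent_env ;;
    move)   move_subkeys_to_card "${KEYID:?set KEYID to the key fingerprint}" ;;
    verify) show_ssh_key "${KEYID:?set KEYID to the key fingerprint}" ;;
    *)      echo "usage: $0 config | move | verify   (KEYID=<fingerprint> for move/verify)" ;;
esac
```

Run `config` once and add the printed `export SSH_AUTH_SOCK=...` line to your shell startup; then `move` with the Yubikey inserted, then `verify`. `gpg --card-status` is the quickest check that scdaemon can talk to the card; if it fails, nothing else in the demo will work.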

-----------------------------------------------------------------------------

# SEE ALSO

* [`https://github.com/drduh/YubiKey-Guide`](https://github.com/drduh/YubiKey-Guide)
* [`https://en.wikipedia.org/wiki/Password_strength`](https://en.wikipedia.org/wiki/Password_strength)
* [`http://web.cs.wpi.edu/~guttman/cs557_website/papers/passwords/MorrisThompsonPasswordSecurity.pdf`](http://web.cs.wpi.edu/~guttman/cs557_website/papers/passwords/MorrisThompsonPasswordSecurity.pdf)

-----------------------------------------------------------------------------

# Legalese

Copyright 2020 Wikimedia Foundation

This content is licensed under the Creative Commons
Attribution-ShareAlike 4.0 International ([CC BY-SA 4.0][]) licence.

[CC BY-SA 4.0]: https://creativecommons.org/licenses/by-sa/4.0/

Images from Injurymap,
<https://www.injurymap.com/free-human-anatomy-illustrations>, and
Yubico.com.




---
title: "Yubikey hardware security tokens"
subtitle: "Lunch and learn"
author: "Lars Wirzenius"
date: "2020-09-28"
...