# Human brains are wholly inadequate for secrets
![](Human_Brain.png)
<!--
* Passwords can be brute-force guessed by an attacker.
* The only thing that helps is length.
- rules about which characters to use don't help nearly enough
- minimum (2010): 12 random characters
* Human-invented passwords are rarely strong.
* Humans can rarely memorise more than a couple of strong passwords.
- never mind typing them correctly
* Attackers gain more raw computing power every year. Human ability to
remember longer passwords has already reached its limit.
Conclusion: we can't rely on passwords alone for security.
* Possible solutions: hardware tokens, password managers.
-->
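The notes above say that only length helps against brute-force guessing. The script below is an added example, not part of the original slides: it computes the entropy of a password whose characters are chosen uniformly at random, tabulates how that grows with length versus alphabet size, and generates a password the way a password manager would (from the kernel CSPRNG). The guess rate of 1e10 guesses per second is an assumed figure for an offline attack against a fast hash, not a number from the slides; the formula only holds for random passwords, so a human-invented one of the same length has far fewer bits than the table suggests.

```shell
#!/bin/sh
# Added example (not from the original slides).
# Assumed guess rate for an offline attack on a fast hash: 1e10 guesses/s.
GUESS_RATE=10000000000

# entropy_bits LENGTH ALPHABET_SIZE -> bits of entropy for LENGTH characters
# chosen uniformly at random from an alphabet of ALPHABET_SIZE symbols.
# Length multiplies the bits; alphabet size only adds log2(size) per char.
entropy_bits() {
    awk -v n="$1" -v c="$2" 'BEGIN { printf "%.1f", n * log(c) / log(2) }'
}

# years_to_exhaust BITS RATE -> years needed to try every candidate
# at RATE guesses per second (2^BITS candidates, 31557600 s per year).
years_to_exhaust() {
    awk -v b="$1" -v r="$2" 'BEGIN { printf "%.3g", (2 ^ b) / r / 31557600 }'
}

# gen_password LENGTH -> LENGTH random characters from A-Za-z0-9 (62 symbols),
# read from /dev/urandom; this is what a password manager does for you.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# Alphabets: lowercase only (26), alphanumeric (62), all printable ASCII (94).
for len in 8 12 16 20; do
    for alphabet in 26 62 94; do
        bits=$(entropy_bits "$len" "$alphabet")
        printf 'len=%2d alphabet=%2d  %5s bits  %9s years to exhaust\n' \
            "$len" "$alphabet" "$bits" "$(years_to_exhaust "$bits" "$GUESS_RATE")"
    done
done
printf 'example generated 12-character password: %s\n' "$(gen_password 12)"
```

Reading the table down a column (same alphabet, more characters) moves the exhaust time by orders of magnitude per row, while reading across a row (same length, bigger alphabet) barely moves it; that is the "only length helps" point in numbers.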
-----------------------------------------------------------------------------
# What are hardware security tokens?
![Nano](YubiKey-5-Nano.png)
<!--
* A small, physically secured computer that can do some
cryptographic operations.
- can store secrets
- secrets can't be extracted - modulo bugs
* Typically a USB-connected smart card of sorts.
* Some kind of button for user interaction.
-->
-----------------------------------------------------------------------------
You should still use passwords. Two-factor authentication is stronger
than one-factor authentication.
Use strong passwords: randomly generated and long. Use password
managers. Use a different password for every site, application, device.
-----------------------------------------------------------------------------
# Why a Yubikey specifically
![Big](YubiKey-4.png)
-----------------------------------------------------------------------------
# Use cases
* web: U2F, WebAuthn
* local: disks, login
* OpenPGP (sign, encrypt)
* SSH: via gpg-agent
-----------------------------------------------------------------------------
# Demo
* Use U2F for 2FA on gitlab.com.
* Store GnuPG subkeys onto Yubikey
* Configure GnuPG to use Yubikey
- scdaemon
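The "SSH: via gpg-agent" use case and the last two demo steps (configure GnuPG to use the Yubikey through scdaemon) come together in the script below. It is an added example, not part of the original slides or the demo: it enables SSH support in gpg-agent idempotently, restarts the agent, points `SSH_AUTH_SOCK` at the agent's SSH socket by parsing `gpgconf --list-dirs`, and uses `gpg --card-status` (which goes through scdaemon) as the check that the token is actually seen. It assumes GnuPG 2.1 or later and that the subkeys have already been moved to the card in the earlier demo step; the `/run/user/...` paths in the comments are illustrative.

```shell
#!/bin/sh
# Added example (not from the original slides).
GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"

# write_gpg_agent_conf DIR: add enable-ssh-support to DIR/gpg-agent.conf
# exactly once, so re-running the script never duplicates the line.
write_gpg_agent_conf() {
    conf="$1/gpg-agent.conf"
    mkdir -p "$1" && chmod 700 "$1"
    touch "$conf"
    grep -qx 'enable-ssh-support' "$conf" || echo 'enable-ssh-support' >> "$conf"
}

# ssh_socket_from_gpgconf: reads `gpgconf --list-dirs` output on stdin
# (one name:value per line, values percent-escaped) and prints the
# agent-ssh-socket value, e.g. /run/user/1000/gnupg/S.gpg-agent.ssh
ssh_socket_from_gpgconf() {
    awk -F: '$1 == "agent-ssh-socket" { print $2 }'
}

# card_is_present: succeeds when scdaemon can talk to a card.
card_is_present() {
    gpg --card-status >/dev/null 2>&1
}

# Live steps only run where GnuPG is installed.
if command -v gpg >/dev/null 2>&1 && command -v gpgconf >/dev/null 2>&1; then
    write_gpg_agent_conf "$GNUPGHOME"
    gpgconf --kill gpg-agent          # restart so the new option takes effect
    SSH_AUTH_SOCK=$(gpgconf --list-dirs | ssh_socket_from_gpgconf)
    export SSH_AUTH_SOCK
    if card_is_present; then
        echo "scdaemon sees the token; SSH key served by gpg-agent:"
        ssh-add -L                    # the card's authentication key, in SSH form
    else
        echo "no token detected: is the card inserted and scdaemon running?" >&2
    fi
fi
```

The `export SSH_AUTH_SOCK` line is the one that must also go into the shell's startup file, otherwise `ssh` keeps talking to the stock ssh-agent and never sees the key on the token.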
-----------------------------------------------------------------------------
# SEE ALSO
* [`https://github.com/drduh/YubiKey-Guide`](https://github.com/drduh/YubiKey-Guide)
* [`https://en.wikipedia.org/wiki/Password_strength`](https://en.wikipedia.org/wiki/Password_strength)
* [`http://web.cs.wpi.edu/~guttman/cs557_website/papers/passwords/MorrisThompsonPasswordSecurity.pdf`](http://web.cs.wpi.edu/~guttman/cs557_website/papers/passwords/MorrisThompsonPasswordSecurity.pdf)
-----------------------------------------------------------------------------
# Legalese
Copyright 2020 Wikimedia Foundation
This content is licensed under the Creative Commons
Attribution-ShareAlike 4.0 International ([CC BY-SA 4.0][]) licence.
[CC BY-SA 4.0]: https://creativecommons.org/licenses/by-sa/4.0/
Images from Injurymap,
<https://www.injurymap.com/free-human-anatomy-illustrations>, and
Yubico.com.
---
title: "Yubikey hardware security tokens"
subtitle: "Lunch and learn"
author: "Lars Wirzenius"
date: "2020-09-28"
...