YubiKey – Trust But Verify

A little over a year ago I discovered a Yubikey Replay Attack.

The YubiKey is a hardware authentication token that looks like a small USB memory stick, but it is actually a keyboard. With the command of an integrated touch button, the device can send a time-variant, secure login code as if it was typed in from a keyboard. And because USB keyboards are standard on all computers, the YubiKey works on all platforms and browsers without the need for client software.

I believe the YubiKey is the answer to the biggest information security problem: PASSWORDS. If you can't remember thousands of random letters and symbols in seconds (read: Moonwalking with Einstein), you need a Yubikey.

Everyone should be using a Yubikey, LastPass and TrueCrypt.

I believe in the Trust No One (TNO) ideal of information security. However, with a Yubikey you are required to trust Yubico. So, if you can't fully trust them, you should apply the rule this post is named for: YubiKey – Trust But Verify (TBV).

Here is a simple script to verify that Yubico has not slipped. About the only problem with a Yubikey is the Replay Attack, so after each fresh OTP is accepted the script re-submits every OTP it has already used and shows what the validation server answers; a used OTP must never come back as OK.


use strict;
use warnings;
use LWP::Simple;

my $logfile  = "./usedkeys";
my @otp_list = ();    # every OTP verified so far; all are re-submitted after each new one
my $x        = 0;     # number of fresh OTPs submitted

open(my $log, ">>", $logfile) || die("Can't open $logfile\n");
my ($sec, $min, $hour, $mday, $mon, $year) = localtime();
printf $log "\nNew TBV Yubikey test - ";
printf $log "%4d-%02d-%02d %02d:%02d:%02d\n\n", $year + 1900, $mon + 1, $mday, $hour, $min, $sec;

print "Yubikey Replay test\n\n";
print "Type 'stop' to end input\n";
print "\nEnter your ID number: ";
my $id = <STDIN>;       # Your Yubikey API client ID here (the original default was 1250)
chomp $id;

my $otp;
do {
    print "\nPress Yubikey: ";    # Ask for input
    $otp = <STDIN>;               # Get input (the key types its OTP as keystrokes)
    chomp $otp;                   # Chop off newline

    if ($otp ne "stop") {
        # Fresh OTP: the validation server should answer status=OK
        my $url = "http://api.yubico.com/wsapi/verify?id=" . $id . "&otp=" . $otp;
        my $req = get($url) || die("Request Error\n");
        chomp $req;

        print $log "NEW " . $x . " " . $id . " " . $otp . "\n" . $req . "\n";
        print "NEW " . $x . " " . $id . " " . $otp . "\n" . $req . "\n";
        push(@otp_list, $otp);
        $x++;

        # Replay check: every OTP seen so far (including the one just accepted)
        # is sent again and must come back as status=REPLAYED_OTP, never OK
        my $y = 0;
        foreach my $reotp (@otp_list) {
            $url = "http://api.yubico.com/wsapi/verify?id=" . $id . "&otp=" . $reotp;
            $req = get($url) || die("Request Error\n");
            chomp $req;

            print $log "USED " . $y . " " . $id . " " . $reotp . "\n" . $req . "\n";
            print "USED " . $y . " " . $id . " " . $reotp . "\n" . $req . "\n";
            $y++;
        }
    }
} while ($otp ne "stop");         # Repeat until the user types 'stop'

print $log "\n>>> Re-pay the keys\n\n";
close($log);
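The same replay check, written as an added Python example rather than the author's Perl script, so the loop can be exercised offline. Nothing here is Yubico's code: FakeYubicoServer is a constructed stand-in that accepts an OTP once and answers REPLAYED_OTP afterwards; live_transport is the only piece that talks to the http://api.yubico.com/wsapi/verify endpoint the script uses and is not exercised by the offline run; the status values OK, REPLAYED_OTP and BAD_OTP are the ones the validation API returns; the OTP strings at the bottom are valid modhex but constructed, not output of a real key.

```python
import re
import urllib.parse
import urllib.request

# Yubico's modhex alphabet: keystrokes that map to the same bytes on every
# keyboard layout. The value of a character is its index in this string.
MODHEX = "cbdefghijklnrtuv"
OTP_LEN = 44            # 12-char public ID + 32-char encrypted token
_MODHEX_RE = re.compile(r"^[cbdefghijklnrtuv]+$")


def modhex_decode(text: str) -> bytes:
    """Decode a modhex string into bytes (two characters per byte)."""
    if len(text) % 2 or not _MODHEX_RE.match(text):
        raise ValueError("not a modhex string")
    return bytes(MODHEX.index(text[i]) * 16 + MODHEX.index(text[i + 1])
                 for i in range(0, len(text), 2))


def split_otp(otp: str):
    """Return (public_id, token) for a well-formed YubiKey OTP, else raise."""
    if len(otp) != OTP_LEN or not _MODHEX_RE.match(otp):
        raise ValueError("malformed OTP")
    return otp[:12], otp[12:]


def parse_wsapi_response(body: str) -> dict:
    """Parse the key=value lines the wsapi verify endpoint returns."""
    fields = {}
    for line in body.splitlines():
        if "=" in line:
            key, value = line.strip().split("=", 1)
            fields[key] = value
    return fields


def live_transport(client_id: str, otp: str) -> str:
    """Send one OTP to the endpoint the script above uses (not run offline)."""
    query = urllib.parse.urlencode({"id": client_id, "otp": otp})
    url = "http://api.yubico.com/wsapi/verify?" + query
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode()


class FakeYubicoServer:
    """Constructed stand-in for the validation server: accepts an OTP once and
    answers REPLAYED_OTP on every later submission of the same string."""

    def __init__(self):
        self.accepted = set()

    def __call__(self, client_id: str, otp: str) -> str:
        try:
            split_otp(otp)
        except ValueError:
            return "status=BAD_OTP\r\n"
        if otp in self.accepted:
            return "status=REPLAYED_OTP\r\n"
        self.accepted.add(otp)
        return "status=OK\r\n"


class ReplayTester:
    """Mirror of the script's loop: verify a fresh OTP, then re-submit every
    OTP seen so far and record whether each one was rejected."""

    def __init__(self, client_id: str, transport):
        self.client_id = client_id
        self.transport = transport
        self.used = []

    def _status(self, otp: str) -> str:
        return parse_wsapi_response(self.transport(self.client_id, otp)).get("status", "")

    def submit(self, otp: str) -> dict:
        try:
            split_otp(otp)      # reject garbage before it leaves the host
        except ValueError:
            return {"status": "BAD_OTP_FORMAT", "replays": {}, "all_rejected": False}
        fresh = self._status(otp)
        self.used.append(otp)
        replays = {old: self._status(old) for old in self.used}
        return {
            "status": fresh,
            "replays": replays,
            "all_rejected": all(s == "REPLAYED_OTP" for s in replays.values()),
        }


if __name__ == "__main__":
    # Constructed OTPs (valid modhex, not real key output) against the fake server.
    otp1 = "cccccccccccc" + "bdefghijklnrtuvc" * 2
    otp2 = "cccccccccccc" + "dbefghijklnrtuvc" * 2
    tester = ReplayTester("1250", FakeYubicoServer())
    for otp in (otp1, otp2, otp1):
        print(otp, tester.submit(otp))
```

To run the check against the real service, pass live_transport instead of FakeYubicoServer() and feed the tester OTPs typed by the key; the report for each submission tells you whether every previously used OTP came back REPLAYED_OTP, which is the property the script above prints out for you to read by eye.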


I just finished reading Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground by Kevin Poulsen.

This is the best behind-the-scenes account of the new hacker world. If you read Hackers by Steven Levy and/or The Cuckoo's Egg by Cliff Stoll, this is a must read for you.

It is just amazing how much detail and understanding Kevin brings to this book. I had to read and re-read many pages to follow the twists and turns of the rise and fall of Max Vision. (Yes, that is his real name.)

The movie The Social Network was interesting. This book is so fantastic it reads like some crazy fiction hacker book, but every word has been researched.

I thought at one time I wanted to work in the information security business. It's hard enough to live a clean life. This book showed me just how close the security groups are to the criminal groups. This book gave me chills. I'd never want to get that close.

A Beautiful Surprise

I've known and lived with Linda, my wife, for over thirty years. You would think that after that much time it would be hard to surprise me. I've never thought of Linda as being the technical type. She loves people, not things.

A few months ago I created a website for her and didn't do anything more than load the software. She didn't tell me she was using it. She didn't ask me how to use it. Still, she created a great blog for her photography.