YubiKey – Trust But Verify

A little over a year ago I discovered a Yubikey Replay Attack. The YubiKey is a hardware authentication token that looks like a small USB memory stick, but it is actually a keyboard. With the command of an integrated touch button, the device can send a time-variant, secure login code as if it were typed in from a keyboard. And because USB keyboards are standard on all computers, the YubiKey works on all platforms and browsers without the need for client software.

I believe the YubiKey is the answer to the biggest information security problem: PASSWORDS. If you can’t remember thousands of random letters and symbols in seconds (Read: Moonwalking with Einstein) you need a Yubikey.

Everyone should be using a Yubikey, LastPass and TrueCrypt.

I believe in the Trust No One (TNO) ideal of information security. However, with a Yubikey you are required to trust Yubico, because it is their validation server that decides whether a one-time password is accepted. So, if you can’t trust them, you should Trust But Verify (TBV).

Here is a simple script to verify Yubico has not slipped: it submits a fresh OTP, then replays every OTP seen so far and logs whether the validation server still rejects them. About the only problem with the Yubikey is the Replay Attack.

#!/usr/bin/perl
use strict;
use warnings;
use LWP::Simple;               # https needs LWP::Protocol::https installed

my ($sec,$min,$hour,$mday,$mon,$year) = localtime(time);
my $id       = "1250";         # Yubico API client ID (an unknown id gives NO_SUCH_CLIENT)
my $logfile  = "./usedkeys";
my @otp_list = ();             # every OTP seen so far, replayed on each pass
my $x = 0;

open(LOG, ">>", $logfile) or die("Can't open $logfile: $!\n");
printf LOG "\nNew TBV Yubikey test - ";
printf LOG "%4d-%02d-%02d %02d:%02d:%02d\n\n", $year+1900,$mon+1,$mday,$hour,$min,$sec;

print "Yubikey Replay test\n\n";
print "Type 'stop' to end input\n";
print "\nEnter your ID number [$id]: ";
my $typed = <STDIN> // "";
chomp $typed;                  # chomp strips only the newline; chop would eat a digit
$id = $typed if $typed ne "";

# https so the OTP and the verdict are not sent in the clear
my $base = "https://api.yubico.com/wsapi/verify?id=$id&otp=";

my $otp;
do {
    $x++;
    print "\nPress Yubikey: ";          # Ask for input
    $otp = <STDIN> // "stop";           # Get input (EOF ends the test)
    chomp $otp;                         # Chop off newline

    if ($otp ne "stop") {
        # First submission of this OTP: Yubico should answer status=OK
        my $req = get($base . $otp) or die("Request Error\n");
        $req =~ s/\s+$//;
        print LOG "NEW $x $id $otp\n$req\n";
        print     "NEW $x $id $otp\n$req\n";
        push(@otp_list, $otp);
    }

    # Replay every OTP seen so far: each should now be status=REPLAYED_OTP
    my $y = 1;
    foreach my $reotp (@otp_list) {
        my $req = get($base . $reotp) // "Request Error";
        $req =~ s/\s+$//;
        print LOG "USED $y $id $reotp\n$req\n";
        print     "USED $y $id $reotp\n$req\n";
        $y++;
    }
} while ($otp ne "stop");               # Redo until 'stop' is typed

print LOG "\n>>> Re-pay the keys\n\n";
close(LOG);                             # close only after the last log line
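As an added example, not part of the original post, here is the pass/fail logic the script leaves to the reader's eye, written in Python so it runs stand-alone: it parses the key=value replies logged as NEW and USED, requires the first submission to be OK and every replay to be REPLAYED_OTP, and treats statuses such as the NO_SUCH_CLIENT seen in the comments as inconclusive. It goes one step past the script by checking the h= response signature when a client API key is available (assumed format: HMAC-SHA1 over the other fields sorted by key and joined with '&', keyed with the base64-decoded API key); the sample responses are constructed.

```python
import base64
import hashlib
import hmac

# Statuses that say nothing about replay protection; the commenter's
# NO_SUCH_CLIENT is one (the id given is not a registered API client id).
INCONCLUSIVE = ("NO_SUCH_CLIENT", "BAD_OTP", "MISSING_PARAMETER", "BACKEND_ERROR")
# Constructed sample responses in the key=value format; not real API output.
SAMPLE_OK = "t=2011-01-01T00:00:00Z0000\r\nstatus=OK\r\n"
SAMPLE_REPLAYED = "t=2011-01-01T00:00:05Z0000\r\nstatus=REPLAYED_OTP\r\n"

def parse_verify_response(body: str) -> dict:
    """Parse the key=value lines returned by /wsapi/verify into a dict."""
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            fields[key] = value
    return fields

def response_signature(fields: dict, api_key_b64: str) -> str:
    """HMAC-SHA1 over 'k=v' pairs sorted by key (h excluded), joined with '&',
    keyed with the base64-decoded client API key (assumed signing scheme)."""
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "h")
    mac = hmac.new(base64.b64decode(api_key_b64), msg.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def signature_valid(fields: dict, api_key_b64: str) -> bool:
    expected = response_signature(fields, api_key_b64)
    return hmac.compare_digest(fields.get("h", "").encode(), expected.encode())

def assess_replay_test(responses: list, api_key_b64: str = None) -> list:
    """responses[0] is the first submission of an OTP and must be OK; every
    later entry is a replay and must be REPLAYED_OTP.  Returns the problems
    found; an empty list means the validation server behaved as promised."""
    problems = []
    for i, body in enumerate(responses):
        fields = parse_verify_response(body)
        status = fields.get("status")
        if api_key_b64 and not signature_valid(fields, api_key_b64):
            problems.append(f"response {i}: bad h= signature, not from Yubico")
        if status in INCONCLUSIVE:
            problems.append(f"response {i}: {status}, test is inconclusive")
        elif i == 0 and status != "OK":
            problems.append(f"response 0: first use not accepted ({status})")
        elif i > 0 and status == "OK":
            problems.append(f"response {i}: replay ACCEPTED, protection failed")
        elif i > 0 and status != "REPLAYED_OTP":
            problems.append(f"response {i}: unexpected status {status}")
    return problems
```

Feed it the reply bodies from one NEW line and its following USED lines in the usedkeys log; a non-empty result is the "Yubico has slipped" signal the script is looking for.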

2 thoughts on “YubiKey – Trust But Verify”

  1. Thanks for the script. Yubico returns “status=NO_SUCH_CLIENT” for the new and used keys. Is that right? What’s wrong?
