Personalizing yubikeys for passphrase management

YubiKeys are small hardware tokens that support two-factor authentication.

ykpersonalize is a very powerful tool for personalizing YubiKeys. However, it is always a challenge to figure out how to use it. I just tried the GUI tool from http://yubico.com/personalization-tool and it's great! I picked "challenge-response mode" and "HMAC-SHA1", generated a secret key (and stored it under pasaffe), and committed it to slot 2 on two YubiKeys. Then I ran 'ykchalresp -2 somepassphrase' to generate a long hex string like:

c7257ac92b313c98e0e77e30d02822c8a0035163

which I can prepend to hand-typed passphrases.

The things I like about this are that:

* I can re-specify the same secret key later on if I need a new YubiKey
* I can store the strings resulting from 'ykchalresp -2 passphrase' if I ever want to stop using the YubiKeys, without losing access to data protected with those keys
* If I lose the YubiKey, nothing should be compromised
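The first two points rest on the response being a deterministic function of the secret and the challenge: in HMAC-SHA1 challenge-response mode the key returns HMAC-SHA1(secret, challenge), so anyone holding the stored secret can recompute what the key would have said. The following is an added example, not code from the post or from Yubico; it assumes the slot was programmed with variable-length input (the ykpersonalize default for this mode), so the response is the HMAC over exactly the bytes of the typed passphrase. The secret and the passphrase are constructed for the example.

```python
"""Reproduce a YubiKey HMAC-SHA1 challenge-response offline from the stored secret.

Added example (not from the original post). Assumes the slot uses
HMAC-SHA1 challenge-response with variable-length input, so that the
20-byte response equals HMAC-SHA1(secret, passphrase_bytes).
"""
import hashlib
import hmac

# Constructed 20-byte secret, standing in for the one the GUI generated and
# that was stored in pasaffe. Not a real key.
STORED_SECRET_HEX = "000102030405060708090a0b0c0d0e0f10111213"


def derive_response(secret: bytes, challenge: bytes) -> str:
    """The response the key should return: HMAC-SHA1 as 40 lowercase hex chars."""
    return hmac.new(secret, challenge, hashlib.sha1).hexdigest()


def response_from_stored_secret(passphrase: str) -> str:
    """What 'ykchalresp -2 passphrase' should print for a key holding STORED_SECRET_HEX."""
    return derive_response(bytes.fromhex(STORED_SECRET_HEX), passphrase.encode("utf-8"))


def matches_recorded(secret_hex: str, passphrase: str, recorded: str) -> bool:
    """Check a response copied from a key against the stored secret.

    Useful after provisioning a replacement key: if its output matches, the
    secret was re-entered correctly. Uses a constant-time comparison so the
    check itself does not leak how many leading characters agreed.
    """
    expected = derive_response(bytes.fromhex(secret_hex), passphrase.encode("utf-8"))
    return hmac.compare_digest(expected, recorded.strip().lower())


def combined_passphrase(response_hex: str, typed: str) -> str:
    """The value actually fed to the encrypted data: key response + typed part."""
    return response_hex + typed


if __name__ == "__main__":
    resp = response_from_stored_secret("somepassphrase")
    print(resp)  # 40 hex characters, identical on every run and on every key with this secret
    print(matches_recorded(STORED_SECRET_HEX, "somepassphrase", resp))
    print(combined_passphrase(resp, "somepassphrase"))
```

Because the combined passphrase is the key's response followed by the hand-typed part, someone who picks up a lost key still lacks the typed part, and someone who learns the typed part still needs either the key or the stored secret; keeping the secret in a password safe and the typed part in your head is what makes the third point hold.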

I need to think more about whether it's worth it and whether there are any holes in my reasoning, of course. In the end it will only be worth it if it is really more convenient than the alternatives. A little pop-up GUI that takes a passphrase without echoing it, feeds it to ykchalresp, copies the output into xclip -i, and then waits for another confirmation before wiping the clipboard :) might help a lot.

Heck, like this:

{{{
#!/bin/bash

# Needs dialog, ykchalresp, and xclip.
# Read the passphrase without echoing it to the terminal.
pw=$(dialog --passwordbox "Yubikey challenge" 10 20 --stdout)
# Bail out if the dialog was cancelled, rather than sending an empty challenge.
[ -n "$pw" ] || exit 1
# Ask the YubiKey (slot 2) for the HMAC-SHA1 response to the passphrase.
output=$(ykchalresp -2 "$pw")
# Copy the response into the X clipboard.
echo -n "$output" | xclip -i
echo "hit return to clear the clipboard"
read -r x
# Overwrite the clipboard so the response does not linger.
echo | xclip -i
}}}

I think I may encrypt some redundant data this way and test it out on my next trip.
