Posts Tagged Yubikey
This is an attempt to do a “quick start” guide for properly generating OpenPGP keys and loading them into your YubiKey NEO on Windows. This isn’t an all-exhaustive guide, and you more advanced users may choose to do things differently than I have demonstrated here. This is my way, and I know it works.
If you’re going to do anything with the OpenPGP functionality of the YubiKey NEO, you need the latest stable of Gpg4win, available here. You also need your NEO in CCID mode. See my previous post to get started. Also note that the YubiKey NEO only supports 2048-bit keys. Larger keys will not work. Smaller keys may or may not work.
After following this guide, you will have an OpenPGP 2048-bit key pair with sub-keys for encryption and authentication, a revocation certificate, a backup of your keys, and the secret keys loaded on to the appropriate slots on the YubiKey NEO.
YubiCo’s guide to this process is posted here. When I walked through their guide I noticed it was missing some steps. So I wrote this guide to fill in the blanks and be more descriptive.
Generating your initial key pair
Open a command prompt and run:
gpg --expert --gen-key
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
Your selection? 8
For ‘kind of key’, select 8 (RSA: Set your own capabilities)
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
Now you want to select ‘e’, so that you toggle off the encryption ability off, so that ‘Current allowed’ shows only Sign and Certify. Then select ‘q’ to move on.
Make sure you select a 2048 bit key, and then continue through the wizard to complete your key pair generation.
Take note of your 8-character key ID. You will need it for future steps.
Adding the sub-keys
You need to add two sub-keys; one for encryption, and one for authentication.
From the command line, run (where keyID is your 8-character key ID) :
gpg --expert --edit-key keyID
Select 8 again, just like above, and then toggle abilities so you have an encryption-only key. Make sure you generate a 2048-bit key.
Repeat addkey one last time, and toggle abilities so you have an authentication-only key.
Then q to quit, and y to save changes.
Backing up the keys
Run each of the following commands to backup your public key, secret key, and to create a revocation certificate, where keyID is your 8-character key ID:
gpg --output public.asc -a --export keyID
gpg --output secret.asc -a --export-secret-key keyID
gpg --output revoke.asc -a --gen-revoke keyID
Moving the keys to the YubiKey
Run the following command:
gpg –expert –edit-key keyID
Then type toggle. You have sub-keys 1,and 2, and 0 represents the main key. For each of these sub-keys (1 and 2), type key subkey-number (such as key 1) to toggle handling that key, and then use keytocard to move it to your YubiKey. (after handling key 1, you have to type key 1 again to unselect it before selecting key 2). Keys 1 and 2 will only have one choice where to put them. Afterwards, type key 0 and keytocard it to the signature slot.
card errors: If you get a card error, IO error, or anything like that, quit gpg, saving any changes, quit Kleopatra, quit YubiCo Authenticator (if you’re running it), and then open Task Manager and kill any gpg-agent or gpg-* processes. Run this:
If this comes back with data (and not an error), then run this again and continue:
gpg –expert –edit-key key-ID
Integration with Putty / Pagent: This is something I haven’t explored yet, but this walk-through seems to deal with the topic quite well.
This is a continuation of my previous post on YubiKey.
In order for the most painless “Quick Start” of YubiKey on Windows, you will need a few tools:
First, the YubiKey NEO Manager, available here, will enable you to toggle the various modes (OTP, CCID, U2F) of your YubiKey on and off. Since the YubiKey ships with only OTP mode enabled, you will need this to turn on CCID (SmartCard) and U2F (Fido) mode. This will also let you check and verify the installed apps on your NEO, once you’ve enabled CCID mode. (Important: Check the version of your OpenPGP app. If it is 1.0.9 or lower, read this security advisory and take appropriate action).
Second, the YubiKey Personalization Tool, available here, will enable you to personalize the various configuration slots of your YubiKey. There are two slots available, and slot 1 is programmed with the YubiCo OTP (or RSA key, depending). It is strongly advised not to overwrite slot 1 unless you really know what you are doing. You can program slot 2 for whatever other implementation you would like. Please note that these two slots are independent of the applets that run on the CCID side of the card. Although that may be slightly confusing, it will be clear as you use your key.
Third, the YubiKey NEO contains the YubiOATH applet for generating those familiar 6-digit OTP codes that various websites use as two-factor authentication. Your YubiKey NEO can store many of those 6 digit codes and secrets in the key itself, but it requires the YubiOATH-desktop helper app, available here. This helper app is required because OATH codes are time-based, and the YubiKey has no internal clock. Also, this requires that CCID mode is enabled.
If you have anything to contribute, please do so in the comments below, or contact me using the form.
I have one of the 2nd generation YubiKeys, and I really liked it, but the new YubiKey NEOs have many new features, including PGP, OTP codes, U2F, NFC, etc. I liked the original YubiKey (although there aren’t too many places where you can use it), but the new YubiKey really interested me. So I got myself one.
One of the problems that I ran into was a lack of “Quick start” documentation for the various features of the YubiKey, such as OTP, PGP, etc. The documentation is either too vague, or too complicated.
I’m going to attempt to give some blog posts to help users get start with their YubiKeys in the same manner that I got started with mine, including the various features and such, to help you get up and running as quickly as possible, and with as few headaches as possible.
So, if you’re interested, subscribe and watch for new posts.
In part 1 of this two-part series, I mentioned some of the fallacies and misconceptions in password practices. If you haven’t read it, I suggest you click here to read it now. In this part I’ll discuss a few methods for storing and securing your strong passwords themselves. It’s not as hard as it sounds, and there are lots of ways to do it. I’ll describe a few different approaches below and a few pros and cons of each one:
Paper and pencil (or pen)
I’m taking it back to the basics here. Write down your passwords in an address book, rolodex, or other suitable organizational booklet. However, don’t store this near your computer. There are some simple solutions that can help you think of — and remember — complex passwords, such as this idea from IdeaShower.com.
Pros: Helps you keep organized track of username/password and security question/answer combinations easily and inexpensively. Durable and long-lasting.
Cons: Can be easily compromised. Someone who knows where your password book is can still gain access to your accounts.
A simple text file, Spreadsheet, or Database
This is one step beyond the paper method above. Storing your passwords in a simple database can do the same as above, as well as keeping it quickly sortable and searchable. However, if someone gains access to your computer or hard drive, it can be compromised. A few examples of this are a text file, an Excel spreadsheet, or an Access database.
Pros: Easier to organize, search, and update than a paper file.
Cons: Can be compromised if unauthorized access to your computer occurs, such as through a trojan or virus. Can be lost, corrupted, or become outdated if backups are not made and maintained.
An encrypted text file, Spreadsheet, Database, or specialized software
An encrypted database can offer you the same ease-of-use of the electronic storage method, while providing an extra layer of protection in case someone gains access to your computer’s data. There are several software programs which are designed for encrypted password storage, such as KeePass, 1Password, Password Safe, or the Firefox extension Password Hasher (though it’s not clear if it stores its password in encrypted databases or not). Though some of these can be pricey, the peace of mind and organization they provide is often times priceless.
Pros: Many of the same advantages as simple file storage while providing an additional layer of security against unauthorized access. Free software programs are available. Specialized software can also assist in generating strong passwords.
Cons: Just as the encryption protects against unauthorized access, you can lose access to your database if you forget the password. Store it securely. Non-free software can be pricey.
Cloud-based, encrypted password storage
Cloud-based password storage attempts to combine the best of encrypted storage as well as worry-free backup and syncing across all your devices. Keep in mind when choosing cloud-based storage that you’re placing your trust in the availability and security of the provider. Make sure that if you choose a provider that you carefully review their encryption choices and availability of an optional 2-factor authentication method.
My personal favorite in this category is LastPass. LastPass is free to use the website and browser extension, and they offer a premium subscription which allows you to access your password vault from a mobile device for $12 per year. LastPass also includes support for 2-factor authentication via a YubiKey or Google Authenticator.
(Disclaimer: I am a LastPass premium subscriber; I have not sought nor are they offering me any compensation for mentioning them in this post.)
Pros: Convenient browser-based or browser extension for access and syncing of your passwords. Can auto-fill on websites. No need to worry about backing up your password file or losing it.
Cons: If your provider is compromised or goes down you could lose access to your stored passwords.
Do you have any methods of generating, storing, or securing passwords not listed above, or anything else that wasn’t covered in the above article? Please feel free to share in the comments below. Thank you!
Most of our security is provided in the forms of username/password pairs and pin numbers, depending on the resource. For example, our ATM cards are secured by a 4-digit PIN, and most of our on-line accounts are secured by username/password pairs. It’s reasonable and simple security and for most of us, it works fine. However, all too often someone gets to say that “someone found out my password” or “so-and-so knew my password and now has hacked my account” etc. Its an unfortunate shortcoming a single-factor authentication system.
What is an authentication factor?
An authentication “factor” is something you use to gain access to a website or other resource. It can be something you know (a username/password combination, a pin number, a challenge/response sequence), something you have (a key or key-card), or something you are (a photograph, fingerprint, etc). Those are each considered a single “factor” in themselves.
For those of us who have had a security breach of one sort or another, it can be hard to rely on single-factor authentication for our private accounts. For those of us who are more security-minded, we might look to a two-factor authentication method from the start to make sure our accounts are secure from the start.
What is “Two-Factor Authentication”?
Two-factor authentication combines two of the above factors to increase the security of a resource. For example, a security door to a server room may require both a keycard and a pin number. Other two-factor authentication methods involve one-time passwords, or a random number generated by a key fob held by the person.
Yubico offers a simple USB key (a “Yubikey”) that is inserted into a USB port. The Yubikey emulates a USB keyboard so it is cross-platform and cross-browser compatible. It is operated simply by touching it’s button so there’s no pin numbers to enter. The generated one-time passwords are “typed” by the key and checked against the Yubico service. Compatible sites and services include WordPress.org blogs (via plug-in), Drupal sites (via plug-in), the Yubico OpenID service, and LastPass password manager service. There’s likely more sites, as I wasn’t able to find a central listing. Developer services include Web APIs, OAUTH, SAML, and personalization tools. (See the Yubico Developers Intro for information).
Verisign offers a key fob, credit card sized devices, and a mobile application which generate random numbers that have to be entered during the sign-in process. Participating sites include eBay, Paypal, AOL, name.com, Geico, just to name a few.
I personally own one of each, as well as the Aladdin eToken PASS that my employer requires — I find that I use the Yubikey gets much more use, likely due to the fact that I don’t have to key in a pin number. I also appreciate the open-source nature of the plug-in and APIs, which also encourage more sites and services to adopt the device.
I would encourage you to consider any type of two-factor system and give yourself a chance to have an extra layer of peace of mind when accessing your on-line accounts.
One last thought: If you enable one of these security options on an on-line account, it is still possible to access even if you lose the key. The process usually involves telling the service that you’ve lost the fob during the log-in process, then confirming via an email that they send you. It’s not possible for someone to arbitrarily remove the second factor without having access to your email as well. Of course, if you use the same password at every site as most people do, that completely defeats the purpose of having a two-factor system set up. Do yourself a favor and at least use a different password at each site you use.
Have you had an account “hacked” that used just a username and password? Do you use a two-factor system or are you considering one? Please share your thoughts and opinions in the comments below.