tmsr - Search: yubikey

88 entries in 0.586s

feedbot: http://qntra.net/2019/06/yubikey-fips-products-suffer-reducted-randomness/ << Qntra -- Yubikey FIPS Products Suffer Reducted Randomness

mircea_popescu: i suppose next someone cracks open one of these fetlifes, can dump the yubikey set this way. tho... very roundabout way of ghoing about things -- could as well just list the privkeys.

mircea_popescu: understand how "yubikey" works : hitlerist website buys a boatload, extracts pub/privkeys, sends to losers.

mircea_popescu: asciilifeform, tedious to get the pubkey out of shit like yubikey tho

asciilifeform: includes ~all 'yubikey' devices, for instance.

mircea_popescu: since the chip you discuss could be made out of extant bitcoin miner + yubikey arrangement, they must both be just as linear

mircea_popescu: kinda what yubikey was/is

mircea_popescu: kinda stopped at yubikey/electrum looselet.

mircea_popescu: apparently my boxes aren't needed, but hell yea roger ver's "money" that doesn't exist is more than welcome. and plox moar yubikey and canonical and if it's not fucking plain yet...

Joshua-I: What's the opinion on pgp smart cards / yubikey around here

ascii_field: like the 'yubikey' turd mtgox shipped ?

mats: > Yubikey NEO (JavaCard OpenPGP) private key operations can be accessed without PIN

pete_dushenski: they're sort of in the 'yubikey' camp of 'blackbox toy crypto that plugs into usb'

mats: .cn sysop uses yubikey at his terminal, "he's using gpg encryption... it'll take me at least a month to crack it... it must be at least a 512 bit key"

asciilifeform: why would anyone use a device such as 'yubikey' for access to a man-portable machine ?

BingoBoingo: asciilifeform: Appears to indeed be a Yubikey

mike_c: "The site broke new ground for security in the space, integrating Yubikey and Google Authenticator"

benkay: yeah but yubikey is turd

joecool: yubikey neo has a javacard port of it, keys limited to 2048bit there

mircea_popescu: fluffypony how is it different from a repurposed yubikey ?

bitcoinpete: asciilifeform: i invited the yubikey kids here for your amusement https://twitter.com/bitcoinpete/status/461633158836789248

decimation: still; why would someone like yubikey watch bob and say "I want me some of that?"

decimation: asciilifeform: I think the RSA keyfob hack demonstrates your point about yubikey perfectly

mircea_popescu: "- The Yubikey personalization app saves a .csv logfile with the programmed key values meaning a malware-based attack may discover the log files on block devices even when the files have been deleted"

mircea_popescu: asciilifeform http://www.unrest.ca/evaluating-the-security-of-the-yubikey

asciilifeform: anyone here own 'yubikey' ? got it to cough up its fw?

artifexd: The code to run a yubikey server is open source so you, I, or anyone is welcome to swap out the key and run their own server.

mircea_popescu: ie, not all keys work, key has to satisfy magic yubikey criteria on top of entropy

mircea_popescu: artifexd> That may, or may not, invalidate the ability to use yubikey's servers though. I don't know. << afaik blowing their key does make it unable to use the servers, because you see, the true beauty of stupidty : they actually narrow the keyspace (significantly) to make their product vendor-lockedin

artifexd: benkay suggested that the yubikey could phone home (or any attacker) with the new contents if it were reloaded. I was questioning that.

artifexd: benkay If the yubikey registers as a keyboard, how can it access the network?

artifexd: That may, or may not, invalidate the ability to use yubikey's servers though. I don't know.

artifexd: If it makes a difference, yubikey's internal slots are client writable.

asciilifeform: Naphex: what i'm trying to get across is that a fellow with yubikey in his pocket is, in fact, 'holding a secret'

Naphex unplugs yubikey out :)

Naphex: i'm not trumpeting yubikey, but i don't know of a better OTP atm

Naphex: asciilifeform: https://www.emsec.rub.de/media/crypto/veroeffentlichungen/2014/02/04/paper_yubikey_sca.pdf apperantly it got sca'd some time ago

Naphex: asciilifeform: are you sugesting DPA could be use in retriving yubikey secret?

asciilifeform: for instance, what measures, if any, against 'differential power analysis' in yubikey?

Naphex: i use a yubikey neo, and i'm pretty happy with it

asciilifeform: gotta ask, what's the basis for trusting 'yubikey' ?

Naphex: OTP - is otp released to the client, by levels email yubikey/gpg/ - whatever

Naphex: now OTP can be, Email / YubiKey -> GPG, Bitcoin signature

asciilifeform: joecool: trying to explain to ninjashogun why a crypto-gizmo like yubikey is fundamentally braindamaged

joecool: Diablo-D3: xray of a yubikey neo i'm guessing

asciilifeform: take your yubikey, etc. and disassemble it

asciilifeform: ninjashogun: homework. determined the cost of, starting with nothing but idle hands, personally determining exactly what your 'yubikey' does.

asciilifeform: one of the things people refuse to understand about 'yubikey' et al is that miniaturization of the keychain/card variety is fundamentally antithetical to genuine security.

joecool: asciilifeform: have you looked at yubikey neo yet?

joecool: asciilifeform: i need to play with the yubikey neo implementation of bip32

Mats_cd03: isnt this inferior compared to yubikey

joecool: i'm using 4096-bit RSA for the forseeable future, but ecdsa seems attractive if i can write a javacard implementation to work on my yubikey neo

Jere_Jones: The yubikey can hold a static password up to 64 characters long. 200+? 4 yubikeys that you have to use in the right order?

pankkake: so… more expensive than a yubikey but only works with mtgox

arij: does anyone know how to add a yubikey to btct.co

freeroute: but the only safe alternative is to buy a Yubikey (= spending moneys)

dexX7_: a new yubikey can be used without restrictions

arij: can i just buy a new yubikey? are they easy to set up?

arij: can i use my mtgox yubikey at other places such as btc-tc

pankkake: however there are other uses of a yubikey: https://www.yubico.com/2012/12/yubikey-neo-openpgp/ http://undeadly.org/cgi?action=article&sid=20130616112437

Duffer1: why yubikey if you already google auth?

Rulother_: Do any of you use Yubikey?

kakobrekla: i have yubikey

jborkl: Hey guys, lets play hide the Yubikey OK, not gay or anything this is for national security

jborkl: there are only so many places to hide your Yubikey in the Sauna

mircea_popescu: anyway, as you say. mtgox does not talk to yubikey, it talks to teh computor.

asciilifeform: someone should sit with the chump, and patiently explain that mtgox doesn't talk to your yubikey. it talks to your idiot consumer pc that happens to have a yubikey plugged in, and a display that can output whatever your new owner wants it to.

asciilifeform: so it is entirely conceivable that a yubikey-enabled gox diddler exists but has managed to infect only paupers

asciilifeform: mircea_popescu: you evil tempter, you just made me want to transfer btc to mtgox just to buy their yubikey.

MJR__: yubikey to trade or transfer?

jborkl: That is why I use 2fa and a yubikey

kakobrekla: i forgot my yubikey at home

jborkl: hen I signed up(right after the hack) they gave me a free yubikey- free shipping

jurov: as you issued the yubikey

jurov: yubikey creates a pseudorandom string and you know what the strign is going to be, no?

MJR_III: i still think that you could use the yubikey method

MJR_III: you know how yubikey or any of those authenticators work?

Anduck: mtgox charges 30 usd for yubikey

ZedsterX: Mt.gox yubikey only works for them

Anduck: do you get free yubikey from mtgox?

nefario1: it runs through yubikey

usagi: send with yubikey, etc.

usagi: Sign in with a yubikey

nefario: ill add yubikey next month

usagi: As soon as GLBSE replaces the submit acttion button with a yubikey textarea I will be able to sleep at night

usagi: I'm planning on giving customers of hotwallet a free yubikey

usagi: I'm working on a non-yubikey + password and/or google auth login

usagi: mircea do you have a yubikey?