YubiKey – One-time Password and Authentication Device

April 26, 2008 – 10:23 AM

It works seamlessly with any hardware and operating system combination supporting USB keyboards such as Windows, MacOS, Linux and others. The Key generates and sends unique time-variant authentication codes by emulating keystrokes through the standard keyboard interface. The computer to which the Key is attached receives this authentication code character by character just as if it were being typed in from the keyboard – yet it’s all performed automatically. This process allows the Key to be used with any application or Web-based service without any need for special client computer interaction or drivers.

The YubiKey differs from traditional authentication tokens based on time-variant codes in that it needs no battery and therefore does not rely on an absolute time generated by an accurate time source. No battery means unlimited shelf life, no synchronization and customer support issues, and enables significant cost reduction.

Identity

The YubiKey provides a means of identity that allows the device to identify itself without the user having to provide the identity manually.

Authentication and singularity

Pivotal for any hardware authentication token is singularity, i.e. that an identity cannot be copied and/or be adversely used without knowledge of the legitimate user. Static identification schemes, such as username/password are highly vulnerable to eavesdropping and what has been known as “Phishing”. Even “predictable” schemes, such as one-time-pad cards have shown vulnerability to these threats.

The introduction of a time-variant code including a certain level of randomness, all encrypted with strong encryption, means that attacks of this type can be thwarted and singularity maintained.

The time-variant code

Different from present hardware authentication tokens, the YubiKey does not rely on a two-way challenge-response protocol, battery-powered time base, keyboard or a display.

Yet, how can a device be so secure when four of the most common security measures present in state-of-the-art authentication devices have been removed?

The YubiKey generates a unique 128-bit code at each authentication event and there is no time window during which two authentication codes are equal. All of the unique codes are encrypted with AES-128 and is then encoded to “readable form”, where the resulting string is transmitted in its full length.

The main components of the unique code comprise:

1. A hidden identity field to verify the decrypted result to a non-published identity.
2. A volatile counter is incremented by one for each code that has been generated. This code is reset at each power-up.
3. A non-volatile counter is incremented by one for each power-up event. The value of this counter is preserved even when power is lost.
4. A non-predictable counter value is fed by a time-base that is highly device and session dependent. Together with a server-based authentication module, this counter can provide a strong protection against “Phishing” attempts.
5. A random seed.
6. A simple checksum.

Together, these fields are encrypted using a 128-bit key. A 128-bit number is larger than a 3 followed by thirty-eight zeroes. Combined with the fact that a hacker has so little information about the plaintext, cryptanalysis is futile assuming the industry standard AES-128 is secure.

Device varieties and integration with legacy applications

Two types of Keys are available– Basic and Plus. Basic offers baseline security where release of the time-variant code is controlled from the keyboard of the computer to which the YubiKey is connected. By monitoring the Caps Lock indicator LED, the device can be triggered with a quick double-click on the Caps Lock button.

YubiKey Plus offers increased protection against advanced Trojans, where the release of the time-variant code is controlled by an integrated button. This design provides a further level of confidence from a “perceived security” perspective, as the user understands that a code cannot be released without a physical action by the key holder.

YubiKey is highly flexible and can be configured to support legacy applications using one or two factor authentication. User supplied usernames and passwords can be selected to match the security requirements and fit existing screen layouts.

Optionally the Key can be pre-programmed for automatic navigation to a website. This functionality adds speed and simplicity for the user, but is limited to PC Window and national applications, as it needs to be programmed for the specific computer keyboard layout, which varies between different countries and languages.

Yubikey’s Homepage