[Cryptography] So please tell me. Why is my solution wrong?

Ron Garret ron at flownet.com
Thu Feb 16 14:27:23 EST 2017


On Feb 16, 2017, at 8:15 AM, Bill Cox <waywardgeek at gmail.com> wrote:

> On Wed, Feb 15, 2017 at 2:24 PM, John Levine <johnl at iecc.com> wrote:
> 
> They are available right now.  I know this because I am holding two of
> them in my hand.  One is a U2F key by Yubico, the other is a Plug-Up
> security key.  They both implement an open spec from the FIDO
> alliance.
> 
> Full disclosure: other people in my group at work develop and maintain software for this key, so I can't say I am entirely disinterested in whether or not it becomes a commercial success.  However, I have no financial incentive to promote this:
> 
> https://www.yubico.com/product/yk4nano/
> 
> I think having the key so small that it fits entirely inside your computer's USB port is revolutionary.   It becomes part of your computer rather than something you have to carry around.  It nearly eliminates the PITA factor of all the other keys I've used.
> 
> Using FIDO, the web site makes your key blink, and then you touch it.  That's it.  It defeats most phishing and even provides an additional layer of defense for your online data in the case that malware compromises your computer.  People will argue that this extra layer is useless, but I think every layer is welcome.

The “extra layer” (assuming you mean the LED and user input button) is actually crucial to security.  Without it, U2F adds zero security because an attacker who has compromised your client machine can access the dongle just as easily as you can.  Pushing the button is the only thing the attacker cannot do without your help, so that is the lynchpin of U2F’s security.  AFAICT the Yubikey Nano doesn’t have it, which makes it worse than useless (worse because it provides the illusion of security without any actual security).

rg
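As an added example (not code from this thread, from Yubico, or from the FIDO specification), the following Python model walks through the three cases the reply above contrasts: a genuine login, a phishing page, and malware on the host that drives the token directly. The byte layout the token signs over (appIdHash || user-presence byte || counter || clientDataHash) and the client-data fields follow U2F; everything else is assumed for illustration: the origins good.example and good-example.com are made up, HMAC with a per-registration secret stands in for the ECDSA P-256 signature a real key produces (so the relying party keeps that secret where it would keep a public key), and the browser's facet check is reduced to a hostname comparison.

```python
"""Toy U2F authentication flow: token, browser API, relying party (added example)."""
import hashlib
import hmac
import json
import os
import struct
from urllib.parse import urlparse

USER_PRESENT = 0x01  # bit 0 of the user-presence byte in a U2F assertion


class Token:
    """Models the dongle. It signs only when the key handle belongs to the
    requesting application AND the user has touched the button."""

    def __init__(self):
        self._regs = {}    # key_handle -> (app_id_hash, secret)
        self._counter = 0  # monotonic signature counter

    def register(self, app_id_hash):
        key_handle, secret = os.urandom(32), os.urandom(32)
        self._regs[key_handle] = (app_id_hash, secret)
        return key_handle, secret  # 'secret' stands in for the public key (assumption)

    def authenticate(self, app_id_hash, client_data_hash, key_handle, touched):
        reg = self._regs.get(key_handle)
        if reg is None or reg[0] != app_id_hash:
            raise ValueError("key handle is not valid for this application")
        if not touched:  # the one step host software cannot perform by itself
            raise PermissionError("user presence required")
        self._counter += 1
        body = (app_id_hash + bytes([USER_PRESENT])
                + struct.pack(">I", self._counter) + client_data_hash)
        return USER_PRESENT, self._counter, hmac.new(reg[1], body, hashlib.sha256).digest()


def browser_get_assertion(token, page_origin, app_id, challenge, key_handle, touched):
    """Models the browser's U2F API: refuses an appId the page may not use
    (simplified facet check) and binds the true page origin into the client data."""
    if urlparse(app_id).hostname != urlparse(page_origin).hostname:
        raise ValueError("appId not permitted for this origin")
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    up, counter, sig = token.authenticate(hashlib.sha256(app_id.encode()).digest(),
                                          hashlib.sha256(client_data).digest(),
                                          key_handle, touched)
    return client_data, up, counter, sig


class RelyingParty:
    def __init__(self, app_id):
        self.app_id = app_id
        self.app_id_hash = hashlib.sha256(app_id.encode()).digest()
        self.users = {}  # key_handle -> [secret, last_counter]

    def enroll(self, token):
        key_handle, secret = token.register(self.app_id_hash)
        self.users[key_handle] = [secret, 0]
        return key_handle

    def verify(self, key_handle, challenge, client_data, up, counter, sig):
        secret, last = self.users[key_handle]
        cd = json.loads(client_data)
        if cd.get("typ") != "navigator.id.getAssertion" or cd.get("challenge") != challenge:
            return False
        if cd.get("origin") != self.app_id:   # assertion was made for another site
            return False
        if not (up & USER_PRESENT) or counter <= last:  # no touch, or replay
            return False
        body = (self.app_id_hash + bytes([up]) + struct.pack(">I", counter)
                + hashlib.sha256(client_data).digest())
        if not hmac.compare_digest(hmac.new(secret, body, hashlib.sha256).digest(), sig):
            return False
        self.users[key_handle][1] = counter
        return True


def scenario(actor):
    """Run one story and report the outcome. actor is 'user' (genuine login),
    'phisher' (look-alike origin relaying the real challenge, victim touches
    the key) or 'malware' (code on the compromised host talking to the token
    directly, without a touch)."""
    token, rp = Token(), RelyingParty("https://good.example")
    kh = rp.enroll(token)
    challenge = os.urandom(16).hex()  # issued by the real relying party
    try:
        if actor == "user":
            result = browser_get_assertion(token, "https://good.example", rp.app_id, challenge, kh, True)
        elif actor == "phisher":
            result = browser_get_assertion(token, "https://good-example.com", rp.app_id, challenge, kh, True)
        elif actor == "malware":
            client_data = json.dumps({"typ": "navigator.id.getAssertion", "challenge": challenge,
                                      "origin": rp.app_id}, sort_keys=True).encode()
            up, ctr, sig = token.authenticate(rp.app_id_hash, hashlib.sha256(client_data).digest(), kh, False)
            result = (client_data, up, ctr, sig)
        else:
            raise ValueError("unknown actor")
    except (ValueError, PermissionError) as exc:
        return f"refused: {exc}"
    return "login ok" if rp.verify(kh, challenge, *result) else "rejected by relying party"


if __name__ == "__main__":
    for who in ("user", "phisher", "malware"):
        print(f"{who:8s} -> {scenario(who)}")
```

The phisher fails before any signature exists: the browser will not let good-example.com use good.example's appId, and if the phishing page used its own appId the token would reject the key handle instead. The malware case is the one the reply is about: host software can present the right appId hash, the right key handle and a correctly formed client data, and the only thing stopping it is the touch.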
