YubiKey, Nitrokey, USB Armory, Gnuk token…

09/02/2016

GPG smartcard

  • Offline master key
  • Subkeys
    • Encryption
    • Signing
    • Authentication

GPG smartcard

Encryption

  • Mail
  • Passwords file (the old school password manager)

GPG smartcard

Signing

GPG smartcard

Authentication

SSH agent → GPG agent

2 factor authentication (2FA/MFA)

  • HOTP/TOTP
  • FIDO U2F

HOTP/TOTP

HMAC (RFC 2104)

Keyed-hash message authentication code

Verify the data integrity and authentication of a message

$\textit{HMAC}(K, m) = H \Bigl( (K' \oplus opad) \;||\; H \bigl( (K' \oplus ipad) \;||\; m \bigr) \Bigr)$

HOTP (RFC 4226)

HMAC-based One-time Password

$\textit{HOTP}(K, C) = \textit{Truncate}(\textit{HMAC}(K, C)) \land {0x7FFFFFFF}$ $\textit{HOTP-Value} = \textit{HOTP}(K, C) \pmod {10^d}$

TOTP (RFC 6238)

Time-based One-time Password

$TC = \textit{floor}((\textit{unixtime}(\textit{now}) − \textit{unixtime}(\textit{T0})) / \textit{TS})$ $TOTP = \textit{HOTP}(K, TC)$ $\textit{TOTP-Value} = TOTP \pmod {10^d}$

FIDO U2F

FIDO U2F

Challenge-response

FIDO U2F

Phishing and MitM protection

FIDO U2F

Application-specific keys (avoid user's tracking)

FIDO U2F

Application-specific keys (avoid user's tracking)

FIDO U2F

Key generation and storage (Yubico solution)

FIDO U2F

Device cloning detection

pam_u2f

Pluggable authentication module

Go passwordless o/ || Strong authentication

PIV interface

I don't use it, but:

  • Built in support in Windows > 7
  • Code signing
  • SSH through PKCS11
  • Docker Content Trust

  • Secrets hard to compromise
  • Always with you
  • Easy to use

Questions?