yubikey

This article on SMH made me laugh.  The government of Australia believes that we the people have rejected the eHealth system.  They make this claim since only about 5000 people have signed up for eHealth.  It is quite ironic, since I’ve only just heard of it.

I think it is a nice idea.  I’d like to support the idea, but then I realize that I need to register for an australia.gov.au account.  Ouch… That’s not very nice.  Let me tell you why.  A long time ago, I did indeed sign up for such an account.  I immediately stopped using it, because the site allocated me a user id.  I raised a concern with the website operator, and they came back saying that for security reasons, in the same way a bank would allocate a random number for its customers, the government-operated site now also issues a random number.

So what they’re basically saying, since there is no common authentication platform on the web, we, the consumer, now have to memorize a plethora of passwords, and just to make life even more difficult, memorize all those pesky usernames as well.

I will admit, that having the username is 50% of the credentials required to gain access to a system, so they are trying to make it more secure by obfuscating the username too.  Fair enough.  The downside however is the mountain of confusion that is created with the people.

I read through the terms and conditions.  They pass on most of the responsibility onto you, the consumer, which most of them always do.  Unless you protect your username and password, they cannot guarantee the safety of your data.  And if you don’t use it at least every 18 months, they will close the account.  So basically, if I don’t get sick in at least 18 months and access my eHealth records, it will get closed.  That’s not a good way to keep my data.

What is the solution?  Considering the $650 mil that the government spent on this thing, they could easily have issued everyone a Yubikey.  Not only is it secure, but it negates the need for confusing us.  If a $20 Yubikey is too expensive, you could force a strong password, and seriously, anything longer than 12 characters is more than sufficient to keep the most serious hackers at bay.  Just don’t write the password down, and don’t make it easy to guess!

I’m really not surprised at the low uptake of the eHealth system.  The government made it way too difficult to register, and maintain the user id system.  We already have to do this with our internet banking, and various other services.  Let’s not introduce yet another one.

We still have a fair bit to go before technologies like the Yubikey and OpenID become more mainstream.  In the meantime, let’s keep pushing back until someone in government wakes up, and stops wasting money on crazy ideas.

I’m happy to announce, that I’ve released v.0.03 of my Auth::Yubikey_Webclient perl module. You can download this module from my CPAN page.

For those who don’t know, the Yubikey is a 128 bit open-source USB authentication device.  I have one around my neck at work, in case you’re interested to see what it looks like.

v.0.03 is a somewhat significant upgrade for me.  For one, I’m no longer dependent on the Digest::SHA module, but instead, upgraded to Digest::SHA1.  You may ask why – that’s no change at all??!!  In fact, since I’m hosting my site with GoDaddy, I found that they do not offer Digest::SHA on their deluxe platform, but do in fact have Digest::SHA1.  This was a quick change, as well as the ability to return the error code from Yubico in the event of a non-OK response.

I like WordPress….  Honest… You may argue that there are other tools better and greater, but you know, for what I want, it is perfect.  I love the plugins.  They’ve allowed me to tweak my installation exactly the way I want it.

I’m a big fan of security, and when I heard of the Yubikey on the Security Now podcast, I knew I had to get one!  After a few weeks, my Yubikey arrived, and I started looking for some plugins that would help me secure my WordPress blog, and I came across this one by Henrik Schack.  After some email exchanges and code tweaks, I helped Henrik to get the plugin working great.  I ran it for a few weeks – no issues.

In the past, I tried to get openid working, but my plugin just didn’t want to authenticate.  It was strange.  When I entered my Verisign PIP ID, it worked, but when I tried to enter my own openid URL, it didn’t like the redirection.  I left it at that.  During the week I noticed there’s a new version of the plugin available, so I downloaded it.  After playing around for a while, I realised that my Admin SSL plugin was clashing with OpenID… I don’t know the exact reason, but after disabling Admin SSL, openid authentication is now working like a charm.

Admin SSL is a great plugin.  If you have an SSL certificate on your hosting plan, it will force your wordpress admin pages all over SSL.  Being security conscious, I wanted to do this, but after thinking about it, I realised that with openid, and using the OpenID authentication server from Yubico, I don’t need the Admin SSL plugin anymore.  So it works out great.

So right now, I only have the openid plugin running.  Henrik’s Yubikey authentication and the Admin SSL plugin are both disabled, but I still have the strength in security.  You may wonder why I disabled Henrik’s plugin and went to OpenID.  I guess when you think about it, both OpenID and the Yubikey plugin will use the same Yubikey, so no harm in having 2 authentication methods… I wanted to extend the openid functionality to all my users too.  Not everyone has a Yubikey, but almost everyone could get an openid.

The last plugin I want to mention is Feed Locations.  If you’re a podcaster or a blogger using something like Feedburner, then this plugin is a must.  WordPress adds your RSS feed into the HTML, but if you decide to use something like Feedburner, you don’t want webspiders to detect your original feed — you want them to pick up a different feed.  This plugin helps you specify what you want that feed to be.

All right, it’s coffee time, then time to record my next episode of podify.net.

I thought I’d give you a quick update.

My very first Perl Module has been published on CPAN, and I’m happy to announce that the Yubikey_Decrypter module is available for download!  It requires the Crypt::Rijndael module.  Please note – this is not the authentication server – this is just the module required to decrypt the AES token to its basic components.

My module’s link has also been published on Yubico‘s website – I’m very happy about that !!

Then, I found a neat WordPress plugin for the Yubikey.  The only downside to it is you need to register an API key for every Yubikey user on your blog, which is making it a little un-userfriendly.  I tried to post a comment on the author’s blog, but everything is in Danish, making it difficult to post some feedback.  Ideally the API key side of things should be moved to a Manage page.

I’m liking this key more and more every day!

I’ve ordered my Yubikeys, and they arrived in the mail about 2 weeks ago.  So let me give you a rundown of what the Yubikey is.

The Yubikey is a hardware device.  It’s a paper-thin USB “dongle”, with a single button on it.  When you plug the Yubikey into your PC, your machine will recognise it as a keyboard.  That’s right.  The Yubikey looks like a keyboard to your computer.  When you press the button on the Yubikey, a one time password gets generated.  The one I have on my computer at the moment has this nice big long password.

tflgdfcdrlilitebcrhgkrkricjklrfifvltfhublbnv

Ok, that looks like junk, but there’s logic behind it.  Here goes…
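As an added example (not code from the original post or from the Auth::Yubikey modules), this Python sketch shows the structure of the string above: 44 "modhex" characters, a 12-character public ID followed by a 16-byte AES-128 encrypted block. Function names are illustrative; `parse_plaintext` assumes you have already decrypted the block with the key's AES key and follows Yubico's published OTP field layout.

```python
MODHEX = "cbdefghijklnrtuv"  # modhex character at index i stands for hex digit i

PAGE_OTP = "tflgdfcdrlilitebcrhgkrkricjklrfifvltfhublbnv"  # OTP quoted in the post

def modhex_decode(text):
    """Translate a modhex string into raw bytes."""
    try:
        nibbles = [MODHEX.index(c) for c in text.lower()]
    except ValueError:
        raise ValueError("character outside the modhex alphabet")
    if len(nibbles) % 2:
        raise ValueError("modhex string must have even length")
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))

def split_otp(otp):
    """Return (public_id_modhex, encrypted_block) for a 44-character OTP."""
    otp = otp.strip()
    if len(otp) != 44:
        raise ValueError("expected 12 + 32 modhex characters")
    return otp[:12], modhex_decode(otp[12:])

def crc16(data):
    """CRC-16 (ISO 13239) as used inside the OTP, without the final inversion."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def parse_plaintext(block):
    """Split a decrypted 16-byte block into its fields, rejecting a bad CRC."""
    if len(block) != 16:
        raise ValueError("decrypted block must be 16 bytes")
    if crc16(block) != 0xF0B8:  # fixed residue when the trailing CRC is intact
        raise ValueError("CRC mismatch: wrong AES key or corrupted OTP")
    return {
        "private_id": block[0:6].hex(),
        "use_counter": int.from_bytes(block[6:8], "little"),
        "timestamp": int.from_bytes(block[8:11], "little"),
        "session_use": block[11],
        "random": int.from_bytes(block[12:14], "little"),
    }

if __name__ == "__main__":
    public_id, encrypted = split_otp(PAGE_OTP)
    print(public_id, modhex_decode(public_id).hex(), encrypted.hex())
```

A verifier should also reject any OTP whose use counter and session counter do not advance past the last values it accepted for that public ID, since that is what makes a captured OTP useless for replay.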


I finally received my 2 Yubikeys in the mail, and they came just in time to help me finish my Yubikey decrypter, and it’s working great.  The code is now published and ready for consumption.

The code is not made into a perl module yet, this is still on the todo list (if you have experience with making perl modules, kindly contact me!).  It has a dependency on the Crypt::Rijndael module, so be sure to have it installed.

There is a catch.. To use this procedure, you will need to have the AES key for your Yubikey.  There are two ways to obtain it.

1) Email Yubico and ask them to send you the AES key.  You will need to provide the OTP (one time password) from your Yubikey before they can release it.

2) Reset the AES key.  Using the developer tool from the Yubico website, you can reset the AES key to anything you want.  Be careful though – if you zap your AES key, you will not be able to use the Yubikey on Yubico’s systems, thus the openid and forums etc will be inaccessible.

Watch this space.. I’m almost finished with my own Yubikey authentication server all in perl, using a mySQL database backend, as well as this exact same module for the heavy lifting.

I’ve placed my order… My Yubikey is on the way. So what is the Yubikey? It’s a multi factor USB authentication device, that when plugged into your PC looks just like a keyboard. Pressing the button will unleash a secure 128bit AES one time password. How cool is that?

Here’s the even cooler bit. Yubico has released some C & Java code for coding your own backend system. The kind folks at Yubico are helping me understand the protocol so that I can help you bring a perl version of the backend server.

Yubico also offers an OpenID server. Even though it’s a paper thin little USB device, it’s got the ability to secure your digital life. I’m looking forward to getting mine in the mail, and start playing around with some code to interface with this little thing. Watch this space… I’ll be giving you a good overview to how the device goes through. I’ve already had a think about some potential “security issues” that may exist, so I’m very excited to see the little device, and put it through its paces.

You may be familiar with RSA’s SecurID.  There are a few differences between them.  First off, SecurID displays a 6 digit number that has to be entered manually.  This is handy for PCs that do not have a USB port, or older type PCs that just don’t support the specific USB Keyboard emulation that Yubikey gives you.  The big downside to SecurID is the cost.  It’s only big corporates that can afford it.  I’d love to get my hands on a SecurID token and write code for it – the chances of that happening are very slim.  With the Yubikey I’d be able to write my own code to interface with it.