Skip to content

Clarifications about YubiKey system security

2012-06-07

Recently, there was a discussion on the Bitcoin forum about the security of the YubiKey system.

As we understand the claimed problem, it is said that there would be a chance of about 1 in 65.000 to guess a valid OTP from a YubiKey. This would indeed be a very serious problem. We have verified that in the two current implementations supported by Yubico, the probability to correctly guess a valid OTP is less than 1 in 10.000.000.000.000.000.000. Considering the fact that guessing would have to be done over a network, and the latency involved in OTP validation, this is not a feasible attack. Based on what we have learned so far (see details below) we do not believe there is cause for actions for any of our customers or users.

Yubico invites further analysis of our solutions as it builds up confidence in them. We will update this blog entry as new information is available.

The vulnerability that has been described is that it is possible to create fake OTPs by trying OTPs until one of them succeed, and that this for some reason this will work with non-negligible probability. Before we proceed, we want to note that similar attacks is possible with any OTP or even password scheme, attackers can always try authentication many times. For example, with 6-digit OATH TOTP there is a 1 in a 1.000.000 probability to guess the current OTP for a particular user. We’d also like to note that nothing so far has even suggested that the AES key can be recovered.

The YubiKey algorithm is documented in the YubiKey Manual. Section 2 covers the basic steps, where a byte string is prepared and encrypted using AES in ECB mode and converted to a series of characters. Section 6 explains the details of the byte string. For more in depth discussion about security properties, see our YubiKey Security Evaluation.

The claim that has been made is that if you attempt random OTPs, validation of them would succeed with non-negligible probability. To protect against this attack, the YubiKey technology employ a couple of mechanisms. In typical scenarios, the Yubikey OTP is sent from a client to a centralized server for validation. The validation server will decrypt the OTP ciphertext to get a plaintext. Since AES in ECB mode is used, decryption will always succeed, for all random inputs. The next step is to validate the 48-bit private ID field and the 16-bit CRC value. For random inputs, the probability for the fields to match is one in 2^(48+16)=2^64. This is less than 1 in a 10.000.000.000.000.000.000. We believe this makes the attack unlikely to work in practical scenarios, since attackers rarely get a chance to attempt this many authentications. Note again that there is no risk that the 128-bit AES key is discovered this way. We are aware that CRC-16 is not cryptographic secure hash value, and this is intentional and the security of the YubiKey is not dependent on any cryptographic properties of the CRC-16 function.

The claim has been that validation software does not compare the 48-bit private ID field, turning the likelyhood of success into 1 in 2^16 or 1 in 65.536. This would be serious, but we have been unable to confirm this. Because Yubico’s server-side software is Free and Open Source (FOSS) we can provide pointers to the code and the relevant code is here for anyone to analyze. As you can see, it compares the internal identity with what is stored in the database. For the YubiCloud service Yubico employes hardware-based YubiHSMs to perform the decryption, as does several of our customers, which uses the python-pyhsm server software — however, in that scenario, the YubiHSM is responsible for performing the UID comparison. We have verified that the YubiHSM properly implement the comparison.

Finally, we’d also like to note that if a server implementation incorrectly did not perform the 48-bits internal ID comparison correctly, an attack normally result in a Denial-of-Service against the user’s YubiKey. This is because with random OTPs, the counter values will normally be far higher than what the YubiKey device has, and thus any real OTP from the YubiKey device will no longer work.

Comments are closed.