❦ C-Keen ❦ is a user on mastodon.social. You can follow them or interact with them if you have an account anywhere in the fediverse. If you don't, you can sign up here.

The non-auditability of YubiKeys' design makes me a bit nervous.

@cwebber If you start there then there's no end to it. At one of the last CCC congresses I saw a talk about a underhanded manufacturing process, where whole logic blocks are hidden in deeper PCB layers and cannot be seen by x-ray...

@benhamill @ckeen I'm having a bit of a hard time parsing this one... could you elaborate?

❦ C-Keen ❦ @ckeen

@cwebber @benhamill The idea the researches presented is that you hide smaller logic pieces not part of the schematics in inner layers of the design in such a way that the bigger components on the outer layers oovershadow them so you would not find them using x-rays.

My argument is that purely an open schematics does not give you a sufficient root of trust, you would need to manufacture the board yourself or by someone you trust.

· Web · 3 · 6

@ckeen @benhamill Hoo! Yeah... hopefully we can get tot he point where bottom -up manufacturing is like, a real feasible thing

Still, I think an open design *helps* in this thing, even if not perfect.

@cwebber @benhamill Yes, baby steps help. The sooner we get rid of this secrecy nonsense the better.

@elomatreb @benhamill @ckeen @cwebber It's open source. It supports RSA and ECC with standard curves. Their symmetric algorithm is AES-256-GCM. They are currently working on including post-quantum algorithms.

@cwebber @ckeen @benhamill @elomatreb Unfortunately as a US product they fall under export controls for the physical devices.

@seanl You'll notice that this is also exactly the feature set supported by browsers, making the statement "Military Grade" completely useless...

@elomatreb Agreed it's just marketing-speak. Seems like an odd thing to get hung up on though.

@elomatreb The main things I'm using my #YubiKey for right now are U2F and TOTP over NFC. AFAICT #OnlyKey's U2F support only works with Chrome, which I only use for work, and it doesn't have NFC at all, so while I supported the project and carry one on my keyring, I haven't ended up actually using it since memorizing the small number of #Diceware passphrases I won't use a software password manager for isn't that hard. Hoping it becomes more useful in the future.

@elomatreb The problem is that a physical token with secure PIN entry is best suited for single-factor zero-knowledge authentication. #OnlyKey could theoretically do both password and U2F or TOTP but again only with Chrome/Chromium, and of those only U2F helps with MITM. The browser's built-in password manager may well be the best MITM mitigation aside from U2F.