Yubico

Technical Description

The YubiKey

The YubiKey works seamlessly with any hardware and operating system combination supporting USB keyboards such as Windows, MacOS, Linux and others. The key generates and sends unique time-variant authentication codes by emulating keystrokes through the standard keyboard interface. The computer to which the key is attached receives this authentication code character by character just as if it were being typed in from the keyboard – yet it's all performed automatically. This process allows the key to be used with any application or Web-based service without any need for special client computer interaction or drivers. The YubiKey can be safely removed from the computer without any special eject or dismount command.

The YubiKey differs from traditional authentication tokens based on time-variant codes in that it needs no battery and therefore does not rely on an absolute time generated by an accurate time source. No battery means unlimited shelf life, no synchronization and customer support issues, and enables significant cost reduction.
 

Identity

The YubiKey provides a means of identity that allows the device to identify itself without the user having to provide the identity manually.
 

Authentication and singularity

Pivotal for any hardware authentication token is singularity, i.e. an identity cannot be copied and/or adversely used without knowledge of the legitimate user. Static identification schemes, such as username/password are highly vulnerable to eavesdropping and "Phishing". Even "predictable" schemes, such as one-time pad cards have shown vulnerability to these threats.

The introduction of a time-variant code including a certain level of randomness, all encrypted with strong encryption, means that attacks of this type can be thwarted and singularity maintained.
 

The time-variant code

Different from present hardware authentication tokens, the YubiKey does not rely on a two-way challenge-response protocol, battery-powered time base, keyboard or a display.

Yet, how can a device be so secure when four of the most common security measures present in state-of-the-art authentication devices have been removed?

The YubiKey generates a unique 128-bit code at each authentication event and there is no time window during which two authentication codes are equal. All of the unique codes are encrypted with AES-128 and is then encoded to "readable form", where the resulting string is transmitted in its full length. 

The main components of the unique code comprise:

  1. A hidden identity field to verify the decrypted result to a non-published identity.
  2. A volatile counter is incremented by one for each code that has been generated. This code is reset at each power-up.
  3. A non-volatile counter is incremented by one for each power-up event. The value of this counter is preserved even when power is lost.
  4. A non-predictable counter value is fed by a time-base that is highly device and session dependent. Together with a server-based authentication module, this counter can provide a strong protection against "Phishing" attempts. 
  5. A random seed.
  6. A simple checksum.
  7. Together, these fields are encrypted using a 128-bit key. A 128-bit number is larger than a 3 followed by thirty-eight zeroes. Combined with the fact that a hacker has so little information about the plain text, cryptanalysis is futile assuming the industry standard AES-128 is secure.

     

Integration with legacy applications

YubiKey is highly flexible and can be configured to support legacy applications using one or two factor authentication. User supplied usernames and passwords can be selected to match the security requirements and fit existing screen layouts. 

Optionally the key can be pre-programmed for automatic navigation to a website. This functionality adds speed and simplicity for the user, but is limited to PC Window and national applications, as it needs to be programmed for the specific computer keyboard layout, which varies between different countries and languages.
 

Dual functionality and static passwords

Users can easily program the YubiKey to have two independent and separate configurations. For example, one static password and a One-Time Passcode (OTP) - one for a legacy system and one for a high security validation server. All in one single YubiKey.

A static passcode can include any combination of 16 to 64 characters and/or numbers. And changing the static key to randomly generate a new code can be achieved by two presses of the button.
 

Reference Manual

» For more information, please download the YubiKey Technical Manual v2.0 here.