[154032] in North American Network Operators' Group
Re: How to fix authentication (was LinkedIn)
daemon@ATHENA.MIT.EDU (Ben Jencks)
Thu Jun 21 14:13:01 2012
From: Ben Jencks <ben@bjencks.net>
In-Reply-To: <4FE348B8.4070109@armoredpackets.com>
Date: Thu, 21 Jun 2012 14:11:24 -0400
To: nanog@armoredpackets.com
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jun 21, 2012, at 12:15 PM, AP NANOG wrote:
> What if, and I am brainstorming here, what if there was a hardware device
> which plugged in via USB. It was programmed (i.e. verified) in person, such
> as a key signing party. The serial number of the hardware device was all
> that is stored in the "verified" database with say a generic email created
> at that time with the domain of the verifying group. For example, your
> serial number is 12345, so the email would be generated as 12345@foo.com.
> This device is hardware encrypted, and stores your password (priv key) in a
> one way encryption. Then when you go to a website they can ask if you are
> verified by foo.com. The user selects yes, then the website pulls the
> public key at that time. Then asks you for your pin, password, pass-phrase,
> whatever, and at that time the user clicks a pretty eye candy button in the
> browser which looks for the USB device with the serial number from the
> database. Once found it then starts a secure tunnel such as VPN (can be
> anything just using it as a methodology), and no data is transmitted until
> the tunnel and DNSSEC has been established. Once established you can surf
> the site as normal. All these connections and tunnels being set up by the
> browser using two factor authentication. What you know being the public
> key with verification from foo.com, which was also verified in person with
> the foo.com email. What you have which is the hardware token, again serial
> number verified and encrypted. Combined to give you access and the browser
> does most of the work.
That's basically the Yubikey. It uses a shared key, but since you're
relying on a trusted third party anyway it's fine if they keep the key.
When a Yubikey is manufactured the factory default key is stored in
Yubico's public auth service database along with the serial number.
Anyone on the internet can then ask the service "was this OTP in fact
generated by serial number X?" If you don't trust Yubico's service you
can program your own key into it and run your own verification service.

The mechanics are different but I think the trust model is the same --
users get USB tokens identified only by serial number, and a third party
service vouches that a signature/OTP was generated by a particular
serial number.

-Ben
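An added illustration of the trust model Ben describes, not code from this thread or from Yubico: a token holds a key shared with a third-party verification service, and the service answers "was this OTP generated by serial number X?" while rejecting replays. The OTP format, the serial/counter layout and the use of HMAC-SHA256 in place of Yubico's AES-encrypted modhex blocks are assumptions made so the example runs with the standard library alone.

```python
import hmac, hashlib, struct
# Constructed example: a USB token shares a key with a third-party service that vouches for OTPs by
# serial number. Real Yubico OTPs are AES-encrypted modhex; HMAC-SHA256 stands in (stdlib only).
TAG_LEN = 8  # truncated tag length in bytes, an assumption of this toy format

class Token:
    """The USB device: serial number, key set at manufacture, and a use counter."""
    def __init__(self, serial, key):
        self.serial, self.key, self.counter = serial, key, 0
    def generate_otp(self):
        self.counter += 1  # never repeats, so the service can detect replays
        payload = struct.pack(">II", self.serial, self.counter)
        tag = hmac.new(self.key, payload, hashlib.sha256).digest()[:TAG_LEN]
        return (payload + tag).hex()

class VerificationService:
    """The trusted third party: per-serial keys registered at manufacture, plus the highest counter seen."""
    def __init__(self):
        self.registry = {}  # serial -> [key, last_counter]
    def register(self, serial, key):
        self.registry[serial] = [key, 0]
    def verify(self, claimed_serial, otp_hex):
        """Answer 'was this OTP generated by serial X?' with a status string."""
        raw = bytes.fromhex(otp_hex)
        if len(raw) != 8 + TAG_LEN:
            return "MALFORMED"
        serial, counter = struct.unpack(">II", raw[:8])
        if serial != claimed_serial:
            return "SERIAL_MISMATCH"
        if serial not in self.registry:
            return "UNKNOWN_SERIAL"
        key, last = self.registry[serial]
        expected = hmac.new(key, raw[:8], hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, raw[8:]):
            return "BAD_OTP"  # not produced with the key registered for this serial
        if counter <= last:
            return "REPLAYED"  # already accepted, or older than one already accepted
        self.registry[serial][1] = counter
        return "OK"

def run_scenario():
    """Registration, a login, a replay, a stale OTP, a forged token, and a wrong serial claim."""
    svc = VerificationService()
    key = b"factory-key-for-12345"  # constructed secret, normally burned in at the factory
    svc.register(12345, key)
    real, forged = Token(12345, key), Token(12345, b"guessed-key")
    first = real.generate_otp()
    results = [svc.verify(12345, first), svc.verify(12345, first)]
    skipped, latest = real.generate_otp(), real.generate_otp()
    results += [svc.verify(12345, latest), svc.verify(12345, skipped)]
    return results + [svc.verify(12345, forged.generate_otp()), svc.verify(99999, first)]
```

Because the service only ever learns serial numbers and counters, the relying website gets a yes/no answer about a serial, which is exactly the "third party vouches for serial X" model in the reply.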