Re: Yubikeys are now supported

On 2010-10-07 07:25:47 PM, Mike McLean wrote:
> On Thu, Oct 7, 2010 at 5:51 PM, Paul Wouters <paul@xxxxxxxxxxxxx> wrote:
> > I have one and I've played with it in fedora. There is however an important
> > catch. The server and the yubikey share the same AES symmetric key. This means
> > that if the yubikey is used for multiple sites by one user, that user is sharing
> > his "private key" over various external sites.
> >
> > So if fedoraproject would accept it, and the same user uses this yubikey for
> > another site, and that other site gets hacked, then fedoraproject could be
> > hacked as well.
> >
> > I guess in a way it is like using the same password, but people might not be
> > thinking of that when they have a "device" on them that they use.
> 
> Wow, that's a serious weakness. Are we sure about this?

In order for this to happen, the user would have to explicitly take down
the generated AES key while it is being written to the key and then
submit it to the other site.  I don't think this is really something we
need to worry about.

Thanks,
Ricky

Attachment: pgpsSfVVcVu3Z.pgp
Description: PGP signature

_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
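An added example, not part of the thread and not Yubico's or Fedora Infrastructure's code: a small Go model of the YubiKey OTP validation path that shows the trust relationship Paul describes. Two relying parties programmed with the same AES key both accept any OTP the key produces, a relying party with its own key rejects it at the CRC check, and the use/session counters reject a replay of the same OTP. Everything here is constructed: the 16-byte keys, the private UID, the counter values. For brevity the ciphertext is carried as hex rather than the modhex alphabet a real key types, the optional public-ID prefix is not checked, and the timestamp and random fields are left zero.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// crc16 is the OTP format's reflected CRC-16 (init 0xffff, poly 0x8408); over a block whose trailing CRC field is intact it yields the constant residue 0xf0b8.
func crc16(data []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408*(crc&1) // shift right; XOR the polynomial when the shifted-out bit is 1
		}
	}
	return crc
}

// Validator is one relying party: a copy of the AES key programmed into the YubiKey, the private UID it expects, and the highest counters accepted so far (replay state).
type Validator struct {
	key         []byte
	uid         [6]byte
	lastCounter uint16 // 15-bit non-volatile counter, steps on power-up
	lastSession uint8  // volatile counter, steps per OTP within a session
	seen        bool
}

// Validate decrypts the last 32 hex chars of the OTP (hex stands in for modhex here), then checks CRC, UID and counters.
func (v *Validator) Validate(otp string) error {
	if len(otp) < 32 || len(v.key) != 16 {
		return errors.New("OTP shorter than 32 chars or key not 16 bytes")
	}
	ct, err := hex.DecodeString(otp[len(otp)-32:])
	if err != nil {
		return err
	}
	block, _ := aes.NewCipher(v.key) // key length was checked above, so this cannot fail
	pt := make([]byte, aes.BlockSize)
	block.Decrypt(pt, ct) // AES-128-ECB, a single block
	if crc16(pt) != 0xf0b8 { // a wrong key yields noise, which the residue check catches
		return errors.New("CRC check failed: OTP was not produced with this key")
	}
	if !bytes.Equal(pt[:6], v.uid[:]) {
		return errors.New("private UID does not match the registered key")
	}
	ctr := binary.LittleEndian.Uint16(pt[6:8]) & 0x7fff // top bit is a flag, not count
	ses := pt[11]
	if v.seen && (ctr < v.lastCounter || (ctr == v.lastCounter && ses <= v.lastSession)) {
		return errors.New("replayed or stale OTP")
	}
	v.lastCounter, v.lastSession, v.seen = ctr, ses, true
	return nil
}

// makeOTP models a button press; it needs only the shared AES key and private UID, which is exactly why one key programmed into several sites is shared trust.
func makeOTP(key []byte, uid [6]byte, counter uint16, session uint8) (string, error) {
	pt := make([]byte, aes.BlockSize)
	copy(pt[:6], uid[:])
	binary.LittleEndian.PutUint16(pt[6:8], counter)
	pt[11] = session // timestamp (8:11) and random (12:14) bytes are left zero in this model
	binary.LittleEndian.PutUint16(pt[14:16], ^crc16(pt[:14]))
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	ct := make([]byte, aes.BlockSize)
	block.Encrypt(ct, pt)
	return hex.EncodeToString(ct), nil
}

// Outcome records which constructed relying parties accepted one OTP.
type Outcome struct{ SharedA, SharedB, OwnKeyC, ReplayRejected bool }

// SharedKeyDemo sets up two sites holding the same key (the situation in the thread) and one site with its own key; keys and UID are constructed sample values.
func SharedKeyDemo() (Outcome, error) {
	shared := []byte("0123456789abcdef") // constructed 16-byte AES key, not a real one
	own := []byte("fedcba9876543210")    // constructed
	uid := [6]byte{1, 2, 3, 4, 5, 6}
	a, b, c := &Validator{key: shared, uid: uid}, &Validator{key: shared, uid: uid}, &Validator{key: own, uid: uid}
	otp, err := makeOTP(shared, uid, 7, 1)
	if err != nil {
		return Outcome{}, err
	}
	o := Outcome{SharedA: a.Validate(otp) == nil}
	o.SharedB = b.Validate(otp) == nil        // same key: B accepts the very same OTP
	o.OwnKeyC = c.Validate(otp) == nil        // different key: CRC fails, rejected
	o.ReplayRejected = a.Validate(otp) != nil // A has already seen these counters
	return o, nil
}

func main() { fmt.Println(SharedKeyDemo()) }
```

The per-site counter state is what stops a captured OTP from being presented twice to the same validator; it does nothing against a party that holds the key itself, which is the distinction the thread turns on.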
