[onerng talk] Open hardware security key?
Paul Campbell
paul at taniwha.com
Mon Apr 27 19:53:29 BST 2015
On Mon, 27 Apr 2015 07:12:20 Bill Cox wrote:
> I figure you guys already know what's going on in this space. I am a fan
> of the Yubikey, but since they've made it impossible to load your own keys,
> you have to trust both Yubikey and NXP 100%. They won't disclose how their
> RNG works, and Yubikeys in the past have been known to generate the _same_
> secret keys.
I've supported mooltipass (https://www.indiegogo.com/projects/mooltipass-open-source-offline-password-keeper - I'm waiting for mine)
I'm in two minds about competing with another open source project - on one
hand there's only so much mind share (and money) to go around, it may not be
viable for anyone to have competing projects - on the other hand I figure we
need lots of options, at least one of us is bound to get it right :-) This
stuff is hard.
> One great feature of the Yubikey is its touch sensor. It refuses to do
> signing or other operations without a human present to poke it. This
> rate-limits any malware attack greatly. It also fits entirely into the USB
> port, so it effectively becomes part of the machine without having to open
> the case. I want to use it with a password manager so that my real
> password never leaves the machine, and my real password can't be used to
> PWN my accounts, and my key-hashed password can't be generated without the
> key.
Making something that small is also hard - it means some rather special chip
packaging, you can't use a standard contract manufacturer - you need volume
to make something like that work commercially - interestingly the NXP chip is
8051 based (but running a JVM), it's probably intended for smart cards so it
will be available in novel (likely bare die) packaging options that allow one
to do that sort of thing.
Paul