[onerng talk] Open hardware security key?

Paul Campbell paul at taniwha.com
Mon Apr 27 19:53:29 BST 2015


On Mon, 27 Apr 2015 07:12:20 Bill Cox wrote:
> I figure you guys already know what's going on in this space.  I am a fan
> of the Yubikey, but since they've made it impossible to load your own keys,
> you have to trust both Yubikey and NXP 100%.  They won't disclose how their
> RNG works, and Yubikeys in the past have been known to generate the _same_
> secret keys.

I've supported mooltipass (https://www.indiegogo.com/projects/mooltipass-open-source-offline-password-keeper - I'm waiting for mine) 

I'm in two minds about competing with another open source project - on one
hand there's only so much mind share (and money) to go around, and it may not be
viable for anyone to have competing projects - on the other hand I figure we
need lots of options, at least one of us is bound to get it right :-) This
stuff is hard.

> One great feature of the Yubikey is its touch sensor.  It refuses to do
> signing or other operations without a human present to poke it.  This
> rate-limits any malware attack greatly.  It also fits entirely into the USB
> port, so it effectively becomes part of the machine without having to open
> the case.  I want to use it with a password manager so that my real
> password never leaves the machine, and my real password can't be used to
> PWN my accounts, and my key-hashed password can't be generated without the
> key.

Making something that small is also hard - it means some rather special chip
packaging, you can't use a standard contract manufacturer - you need volume
to make something like that work commercially - interestingly the NXP chip is
8051-based (but running a JVM); it's probably intended for smart cards, so it
will be available in novel (likely bare die) packaging options that allow one
to do that sort of thing.

	Paul


