Comments (4)
This already supports second factor on top of the stored challenge. What's wrong with that?
from mkinitcpio-ykfde.
The challenge is stored in clear, available to anyone. If someone has access to the Yubikey, the response and at least half of the LUKS passphrase is available. That means it works the same as a static password stored in the Yubikey. If the second factor is used as the challenge, access to the Yubikey alone gives nothing. Also, the stored challenge doesn't have any useful purpose if a second factor is needed anyway and can be used as the challenge instead.
So I propose that the stored challenge be used only in the one-factor case.
For two-factor, the user password will be used as both the challenge and the second half of the LUKS passphrase.
from mkinitcpio-ykfde.
> The challenge is stored in clear, available to anyone. If someone has access to the Yubikey, the response and at least half of the LUKS passphrase is available. That means it works the same as a static password stored in the Yubikey.
No. Because you need the Yubikey and the challenge at the same time and place.
> If the second factor is used as the challenge, access to the Yubikey alone gives nothing. Also, the stored challenge doesn't have any useful purpose if a second factor is needed anyway and can be used as the challenge instead.
Wrong. The challenge (and LUKS passphrase) is changed on every boot. So consider the stored challenge a dynamic salt: if anybody manages to calculate the response (aka the LUKS passphrase), it is invalid on the next boot.
> So I propose that the stored challenge be used only in the one-factor case.
No. See above.
> For two-factor, the user password will be used as both the challenge and the second half of the LUKS passphrase.
That does not bring any benefit, only extra code complexity.
from mkinitcpio-ykfde.
The challenge is stored alongside the encrypted disk, so it doesn't count as a factor. Without access to this data everything is pointless. Having the Yubikey is enough to get the correct response.
Changing the challenge doesn't bring any additional security, as possessing the same Yubikey still gives you a valid response. You (and an attacker) don't have to know anything about the challenge (if stored) and response, as it works automatically with the correct Yubikey.
Also, one-time access to the offline encrypted data (which allows copying the LUKS header) or to the online decrypted data (which allows dumping the LUKS encryption key directly with dmsetup table --showkeys) is enough for an attacker to save and use the current challenge/key forever unless you re-encrypt the whole disk with a different LUKS key. Changing the challenge/response doesn't help at all with the above. I already had this discussion in cornelinux/yubikey-luks#1 (comment).
The One Time Password concept is only useful where an independent oracle exists, i.e. a remote server. It's not useful in the case of physical disk encryption, when decryption is done offline in an environment controlled by whoever has access to the data.
Also, this adds actual extra code complexity and in the worst-case scenario can break things. Moreover, if the stored challenge is damaged or lost, the LUKS key cannot be decrypted with a valid Yubikey and a valid password.
I already explained the benefits of using the password as the challenge. I didn't look at the code, but as the password logic already exists, it's a matter of moving it to the place before the challenge-response generation and providing it as input instead of what is stored in the config file.
from mkinitcpio-ykfde.
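A toy model of the two schemes argued over above, added here as an illustration and not code from the thread or from mkinitcpio-ykfde (the HMAC-SHA1 slot, the 32-byte stored challenge and the response || password passphrase layout are assumptions). It lets both claims be checked: with the stored-challenge scheme, a stale copy of the challenge stops working after a reboot, but the current copy next to the disk always works with the token, while with the password-as-challenge scheme the token alone yields nothing.

```python
import hashlib
import hmac
import secrets

# Toy model of a YubiKey HMAC-SHA1 challenge-response slot (assumption: the
# secret never leaves the token; only respond() is observable).
class HmacToken:
    def __init__(self):
        self._secret = secrets.token_bytes(20)
    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()

# Scheme A (stored challenge, as the thread describes mkinitcpio-ykfde): a new
# random challenge is written in clear next to the encrypted disk on every boot
# and the token's response is the LUKS passphrase.
class StoredChallengeDisk:
    def __init__(self, token: HmacToken):
        self.token = token
        self.rotate()
    def rotate(self):  # runs on every boot
        self.challenge = secrets.token_bytes(32)
        self.passphrase = self.token.respond(self.challenge)
    def unlock(self, passphrase: bytes) -> bool:
        return hmac.compare_digest(passphrase, self.passphrase)

# Scheme B (the proposal): the user's password is the challenge, and the
# passphrase is response || password, so the disk stores no input to the response.
class PasswordChallengeDisk:
    def __init__(self, token: HmacToken, password: str):
        self.token = token
        self.passphrase = self.derive(password)
    def derive(self, password: str) -> bytes:
        return self.token.respond(password.encode()) + password.encode()
    def unlock(self, password: str) -> bool:
        return hmac.compare_digest(self.derive(password), self.passphrase)

# Scheme A, holding the token: an old challenge copy fails after a reboot (the
# maintainer's "dynamic salt"), but the current copy next to the disk always works.
def stored_scheme_outcomes(token: HmacToken):
    disk = StoredChallengeDisk(token)
    old_copy = disk.challenge
    disk.rotate()
    return disk.unlock(token.respond(old_copy)), disk.unlock(token.respond(disk.challenge))

# Scheme B, holding the token: without the password the token yields nothing.
def password_scheme_outcomes(token: HmacToken):
    disk = PasswordChallengeDisk(token, "correct-password")
    return disk.unlock("correct-password"), disk.unlock("wrong-guess")
```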