
Security

Fedora accepting YubiKey one-time passwords

By Jake Edge
October 13, 2010

Some Fedora hosts and services have recently added a new authentication mechanism which uses a USB device that generates one-time passwords (OTPs). The YubiKey doesn't require any client-side software because it acts like a USB keyboard. In addition, the server-side authentication software, as well as a client-side utility to update the YubiKey, are open source. Like most security measures, hardware-based OTPs have advantages and disadvantages. But, when an OTP is combined with another authentication method—a regular password for example—it can provide a two-factor authentication that is much more secure.

YubiKeys came into Fedora to provide two-factor authentication for access to sensitive servers, like those that contain the keys for signing Fedora packages. Now that the infrastructure team has gotten that working, it decided to allow other Fedora users to use their own YubiKeys for single-factor authentication to things like ssh access to fedorapeople.org or signing in to the Fedora Community site.

The YubiKey uses symmetric encryption, which means that both the YubiKey and the server must share an AES secret key. The YubiKey comes from the factory with a pre-installed key that is shared with Yubico's server. For Fedora's purposes, users will run fedora-burn-yubikey when they first get the device. That script will generate a key on the server that also gets burned into the YubiKey.

To use the device, users plug it into the USB port on the machine they are using, put the cursor in the password prompt field, and press a button on the YubiKey. That will generate an OTP and a carriage return into the field. The OTP contains a serial number that gets incremented each time the YubiKey is used. Invalidating an exposed (but unused) OTP is done by properly authenticating with the server, thus incrementing the serial number past the exposed password.

The server ensures that each password can only be used once by tracking the serial number for each AES key it knows about. Even if an attacker were able to capture the AES key somehow—the YubiKey device has no means to read it out directly—he must also use a serial number that is greater than the last one used by the owner. If that happened, the next legitimate attempt to authenticate using the YubiKey would fail (because its serial number is now too low), which would be a clear indication of key compromise.

Obviously, physical security of the YubiKey is paramount. An attacker that gets access to it for even a short time can easily—largely undetectably—authenticate as the owner. Since OTPs that have been used are no longer valid, sniffing password entry on the wire or "keystroke" logging won't be of any assistance to an attacker—by the time the password is known, it's no longer useful.
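The counter-tracking logic described in the last three paragraphs (one-time use, invalidating an exposed-but-unused OTP by authenticating past it, and a copied key showing up as a later legitimate failure) can be demonstrated with a small simulation. The following is an added example, not Fedora's validation code or Yubico's OTP format: the real device AES-encrypts a 16-byte block and emits it as modhex, whereas this stand-in uses an HMAC-SHA256 tag over a public id and counter so that it runs with the Python standard library alone. The public id, the shared secret and the class and function names are all constructed for the example.

```python
import hashlib
import hmac

# Stand-in for the AES-keyed OTP: a keyed tag over "public_id:counter".
# (Assumption for this example; the real YubiKey OTP is an AES-encrypted block.)
def make_otp(public_id: str, secret: bytes, counter: int) -> str:
    body = f"{public_id}:{counter}".encode()
    tag = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"{public_id}:{counter}:{tag}"


class Token:
    """Simulated YubiKey: a shared secret plus a counter bumped on each press."""

    def __init__(self, public_id: str, secret: bytes) -> None:
        self.public_id = public_id
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        # Every button press increments the counter before emitting an OTP.
        self.counter += 1
        return make_otp(self.public_id, self.secret, self.counter)


class Validator:
    """Server side: knows each secret and the highest counter accepted so far."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}
        self.last_counter: dict[str, int] = {}

    def burn(self, public_id: str, secret: bytes) -> None:
        # Analogue of fedora-burn-yubikey: register the secret shared with the device.
        self.keys[public_id] = secret
        self.last_counter[public_id] = 0

    def verify(self, otp: str) -> str:
        try:
            public_id, counter_text, tag = otp.split(":")
            counter = int(counter_text)
        except ValueError:
            return "BAD_FORMAT"
        secret = self.keys.get(public_id)
        if secret is None:
            return "UNKNOWN_KEY"
        expected = make_otp(public_id, secret, counter).rsplit(":", 1)[1]
        # Constant-time comparison so a tag mismatch leaks no timing information.
        if not hmac.compare_digest(expected, tag):
            return "BAD_MAC"
        # The core replay check: the counter must move strictly forward.
        if counter <= self.last_counter[public_id]:
            return "REPLAYED"
        self.last_counter[public_id] = counter
        return "OK"


def run_scenario() -> dict[str, str]:
    """Walks through the article's cases and returns the validator's verdicts."""
    public_id = "cccccccbcjdi"                                      # constructed
    secret = bytes.fromhex("00112233445566778899aabbccddeeff")       # constructed
    token = Token(public_id, secret)
    server = Validator()
    server.burn(public_id, secret)
    results = {}

    otp1 = token.press()
    results["first_use"] = server.verify(otp1)            # fresh OTP is accepted
    results["replay_same"] = server.verify(otp1)          # a sniffed, used OTP is worthless

    exposed = token.press()                               # counter 2: leaked but never submitted
    results["next_legit"] = server.verify(token.press())  # counter 3 authenticates normally
    results["exposed_after"] = server.verify(exposed)     # counter 2 is now behind: rejected

    # Flip the last hex digit of the tag: the keyed check fails before the counter is consulted.
    tampered = otp1[:-1] + ("0" if otp1[-1] != "0" else "1")
    results["tampered"] = server.verify(tampered)

    # Attacker who somehow copied the secret must pick a counter above the owner's.
    forged = make_otp(public_id, secret, 100)
    results["forged_high"] = server.verify(forged)
    # The owner's next press (counter 4) now fails: the tell-tale sign of key compromise.
    results["owner_after_forgery"] = server.verify(token.press())
    return results


if __name__ == "__main__":
    for case, verdict in run_scenario().items():
        print(f"{case:20s} {verdict}")
```

The last two verdicts are the point the article makes: a copied secret buys the attacker exactly one quiet login, after which the owner's device is "behind" the server and every legitimate press is refused, so the failure itself is the detection signal and should be treated as a key-rotation event rather than a user error.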

After Mike McGrath announced YubiKey support on the fedora-devel mailing list, there was some discussion of the device and possible attacks against it. One of the concerns raised was with the potential sharing of AES keys between servers. If a user wanted to use the same device with multiple YubiKey-enabled sites, they would need to share their AES key with all of the servers. If any one of those servers was compromised, it would allow an attacker to authenticate to any of the others.

For a number of reasons, this attack scenario was considered to be unlikely. It would take explicit action by the user—or a compromised client machine—when writing the AES key to the YubiKey to record the key before it gets written. Presumably users who are purchasing YubiKeys will be security-conscious enough to recognize that it is a bad idea to record the AES key. McGrath also made the window of exposure quite small:

I had this [attack] in mind when I designed the burn script. The key never touches the drive during the burning process [so the] attack window here, while real, is very tiny. Certainly safer than typing your username and password everywhere all the time :)

In addition, newer YubiKeys allow for two different keys to be stored in them and will generate OTPs from one or the other based on how long the button is pressed. Toshio Kuratomi puzzled out the magic incantation required to write the second key and observed that holding the button for longer than 2.5 seconds would send an OTP based on the second key. Using that feature would allow sharing the device with two separate services, but if YubiKey OTPs become more popular, some other scheme for handling multiple sites will probably be required.

In some ways, this is all just a prelude to more widespread use of multi-factor authentication. In the next few years, OTPs are likely to become much more widely used for accessing sensitive sites and applications. The YubiKey idea is interesting, particularly because it doesn't require client-side support and doesn't lock users into some proprietary OS. A similar device that used public key, rather than symmetric, encryption would be worth trying as well.


Brief items

Security quotes of the week

There is one type of surveillance that genuinely would be rendered impractical by widespread use of secure communications, however. Known individual suspects can be targeted by other means, but if the government wanted to do wholesale surveillance, in which the whole communications stream is automatically analyzed and filtered by artificial intelligence software hunting for suspicious communications by unknown parties -- as several accounts have suggested the National Security Agency did under the warrantless wiretapping program authorized by President George W. Bush -- they really would need a back door at the system level. But while governments may consider it a bug when network architecture renders such sweeping surveillance infeasible, citizens should probably regard it as a feature.
-- Julian Sanchez

Except that we don't forget about it. Over time, these enigmatic warnings do al-Qaida's work for them, scaring people without cause. Without so much as lifting a finger, Osama Bin Laden disrupts our sense of security and well-being. At the same time, they put the U.S. government in the position of the boy who cried wolf. The more often general warnings are issued, the less likely we are to heed them. We are perhaps unsettled or unnerved, but we don't know what to do. So we do nothing, and wish that we'd been told nothing, as well.
-- Anne Applebaum in Slate on vague security warnings


Schneier on Stuxnet

Here's a fairly comprehensive look at what's known about the Stuxnet worm by Bruce Schneier. "Stuxnet was expensive to create. Estimates are that it took 8 to 10 people six months to write. There's also the lab setup--surely any organization that goes to all this trouble would test the thing before releasing it--and the intelligence gathering to know exactly how to target it. Additionally, zero-day exploits are valuable. They're hard to find, and they can only be used once. Whoever wrote Stuxnet was willing to spend a lot of money to ensure that whatever job it was intended to do would be done."


Flaw in libc implementation threatens FTP servers (The H)

Anybody running an anonymous FTP server may want to have a look at this article in The H about a newly-disclosed denial of service problem. "The problem exists because GLOB_LIMIT, a feature added in 2001 to limit the amount of memory used by the glob() function, is ineffective. Globbing, as it is called, calls on the glob() function to match wildcard patterns when generating a list of matching file names. Because GLOB_LIMIT is not effective, it potentially allows a system's main memory to be flooded when processing certain patterns and this may, depending on the hardware used, cause the system to become very slow, cease to respond or even crash as a result."


Gilmore on the "computer health certificate" plan

Worth a read: this response by John Gilmore to the computer health certificate idea being pushed by a Microsoft researcher. "I'd recommend merely ignoring his ideas til they sink like a stone. But it looks like Intel and Microsoft are actively sneaking up on the free Internet and the free 10% of the computer market by building in these techniques and seeking partnerships with governments, ISPs, telcos, oligopolists, etc to force their use. So some sort of active opposition seems appropriate."


IcedTea6 1.7.5, 1.8.2, 1.9.1 Released

A number of vulnerabilities have been fixed in IcedTea6 1.7.5, IcedTea6 1.8.2 and IcedTea6 1.9.1. Click below for a list of the security issues fixed in these releases, which include man-in-the-middle attacks, code execution, and more.


New vulnerabilities

acroread: multiple vulnerabilities

Package(s): acroread
CVE #(s): CVE-2010-2883 CVE-2010-2887 CVE-2010-2889 CVE-2010-2890 CVE-2010-3619 CVE-2010-3620 CVE-2010-3621 CVE-2010-3622 CVE-2010-3623 CVE-2010-3624 CVE-2010-3625 CVE-2010-3626 CVE-2010-3627 CVE-2010-3628 CVE-2010-3629 CVE-2010-3630 CVE-2010-3631 CVE-2010-3632 CVE-2010-3656 CVE-2010-3657 CVE-2010-3658
Created: October 11, 2010
Updated: January 21, 2011
Description: From the Adobe security advisory:

Critical vulnerabilities have been identified in Adobe Reader 9.3.4 (and earlier versions) for Windows, Macintosh and UNIX, Adobe Acrobat 9.3.4 (and earlier versions) for Windows and Macintosh, and Adobe Reader 8.2.4 (and earlier versions) and Adobe Acrobat 8.2.4 (and earlier versions) for Windows and Macintosh. These vulnerabilities, including CVE-2010-2883, referenced in Security Advisory APSA10-02, and CVE-2010-2884 referenced in the Adobe Flash Player Security Bulletin APSB10-22, could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Alerts:
Gentoo 201101-08 acroread 2011-01-21
SUSE SUSE-SA:2010:048 acroread 2010-10-11
SUSE SUSE-SR:2010:019 OpenOffice_org, acroread/acroread_ja, cifs-mount/samba, dbus-1-glib, festival, freetype2, java-1_6_0-sun, krb5, libHX13/libHX18/libHX22, mipv6d, mysql, postgresql, squid3 2010-10-25
openSUSE openSUSE-SU-2010:0706-1 acroread 2010-10-11


kernel: denial of service

Package(s): kernel-rt
CVE #(s): CVE-2010-3067
Created: October 8, 2010
Updated: March 28, 2011
Description: From the CVE entry:

Integer overflow in the do_io_submit function in fs/aio.c in the Linux kernel before 2.6.36-rc4-next-20100915 allows local users to cause a denial of service or possibly have unspecified other impact via crafted use of the io_submit system call.

Alerts:
Ubuntu USN-1093-1 linux-mvl-dove 2011-03-25
Mandriva MDVSA-2011:051 kernel 2011-03-18
Ubuntu USN-1083-1 linux-lts-backport-maverick 2011-03-03
Ubuntu USN-1074-2 linux-fsl-imx51 2011-02-28
Ubuntu USN-1074-1 linux-fsl-imx51 2011-02-25
Mandriva MDVSA-2011:029 kernel 2011-02-17
SUSE SUSE-SA:2011:008 kernel 2011-02-11
SUSE SUSE-SA:2011:007 kernel-rt 2011-02-07
Red Hat RHSA-2011:0007-01 kernel 2011-01-11
MeeGo MeeGo-SA-10:38 kernel 2010-10-09
openSUSE openSUSE-SU-2011:0003-1 kernel 2011-01-03
openSUSE openSUSE-SU-2011:0004-1 kernel 2011-01-03
Fedora FEDORA-2010-18983 kernel 2010-12-17
Mandriva MDVSA-2010:257 kernel 2010-10-29
SUSE SUSE-SA:2010:060 kernel 2010-12-14
openSUSE openSUSE-SU-2010:1047-1 kernel 2010-12-10
Fedora FEDORA-2010-18432 kernel 2010-12-02
Debian DSA-2126-1 linux-2.6 2010-11-26
CentOS CESA-2010:0839 kernel 2010-11-09
Red Hat RHSA-2010:0839-01 kernel 2010-11-09
CentOS CESA-2010:0779 kernel 2010-10-25
Ubuntu USN-1000-1 kernel 2010-10-19
Red Hat RHSA-2010:0779-01 kernel 2010-10-19
Red Hat RHSA-2010:0758-01 kernel-rt 2010-10-07


kernel: multiple vulnerabilities

Package(s): kernel
CVE #(s): CVE-2010-2960 CVE-2010-2962 CVE-2010-3079 CVE-2010-3310
Created: October 13, 2010
Updated: May 10, 2011
Description: From the SUSE advisory:

CVE-2010-2960: local users could crash the system by causing a NULL deref in the keyctl_session_to_parent() function

CVE-2010-2962: local users could write to any kernel memory location via the i915 GEM ioctl interface

CVE-2010-3079: local users could crash the system by causing a NULL deref in ftrace

CVE-2010-3310: local users could corrupt kernel heap memory via ROSE sockets

Alerts:
Oracle ELSA-2013-1645 kernel 2013-11-26
openSUSE openSUSE-SU-2013:0927-1 kernel 2013-06-10
Oracle ELSA-2012-2001 kernel-uek 2012-01-25
Ubuntu USN-1093-1 linux-mvl-dove 2011-03-25
Mandriva MDVSA-2011:051 kernel 2011-03-18
Ubuntu USN-1083-1 linux-lts-backport-maverick 2011-03-03
Ubuntu USN-1074-2 linux-fsl-imx51 2011-02-28
Ubuntu USN-1119-1 linux-ti-omap4 2011-04-20
Ubuntu USN-1074-1 linux-fsl-imx51 2011-02-25
Mandriva MDVSA-2011:029 kernel 2011-02-17
SUSE SUSE-SA:2011:008 kernel 2011-02-11
SUSE SUSE-SA:2011:007 kernel-rt 2011-02-07
Ubuntu USN-1041-1 kernel 2011-01-10
MeeGo MeeGo-SA-10:38 kernel 2010-10-09
Fedora FEDORA-2010-18983 kernel 2010-12-17
SUSE SUSE-SA:2010:060 kernel 2010-12-14
Red Hat RHSA-2010:0958-01 kernel-rt 2010-12-08
Fedora FEDORA-2010-18432 kernel 2010-12-02
Debian DSA-2126-1 linux-2.6 2010-11-26
Red Hat RHSA-2010:0842-01 kernel 2010-11-10
SUSE SUSE-SA:2010:052 kernel 2010-11-03
openSUSE openSUSE-SU-test-2010:36579-1 Kernel Module Packages 2010-11-03
openSUSE openSUSE-SU-2010:0895-2 Kernel 2010-11-03
SUSE openSUSE-SU-2010:0895-1 kernel 2010-10-27
openSUSE openSUSE-SU-2010:0738-1 Linux Kernel 2010-10-18
openSUSE openSUSE-SU-2010:0734-1 kernel 2010-10-18
openSUSE openSUSE-SU-2010:0720-1 kernel 2010-10-13
Ubuntu USN-1000-1 kernel 2010-10-19
SUSE SUSE-SA:2010:051 kernel 2010-10-15
SUSE SUSE-SA:2010:050 kernel 2010-10-13


MRG Messaging: denial of service

Package(s): MRG Messaging
CVE #(s): CVE-2010-3083 CVE-2010-3701
Created: October 8, 2010
Updated: October 14, 2010
Description: From the Red Hat advisory:

A flaw was found in the way SSL connections to the MRG Messaging broker were handled. A connection (from a user or client application) to the broker's SSL port would prevent the broker from responding to any other connections on that port, until the first connection's SSL handshake completed or failed. A remote user could use this flaw to block connections from legitimate clients. Note that this issue only affected connections to the SSL port. The broker does not listen for SSL connections by default. (CVE-2010-3083)

A flaw was found in the way the MRG Messaging broker handled the receipt of large persistent messages. If a remote, authenticated user sent a very large persistent message, the broker could exhaust stack memory, causing the broker to crash. (CVE-2010-3701)

Alerts:
Red Hat RHSA-2010:0757-01 MRG Messaging 2010-10-07
Red Hat RHSA-2010:0756-01 MRG Messaging 2010-10-07


openswan: code execution

Package(s): openswan
CVE #(s): CVE-2010-3308 CVE-2010-3302
Created: October 11, 2010
Updated: November 17, 2010
Description: From the CVE entries:

Buffer overflow in programs/pluto/xauth.c in the client in Openswan 2.6.26 through 2.6.28 might allow remote authenticated gateways to execute arbitrary code or cause a denial of service via a long cisco_banner (aka server_banner) field. (CVE-2010-3308)

Buffer overflow in programs/pluto/xauth.c in the client in Openswan 2.6.25 through 2.6.28 might allow remote authenticated gateways to execute arbitrary code or cause a denial of service via long (1) cisco_dns_info or (2) cisco_domain_info data in a packet. (CVE-2010-3302)

Alerts:
Mageia MGASA-2012-0300 openswan 2012-10-20
Red Hat RHSA-2010:0892-01 openswan 2010-11-16
Fedora FEDORA-2010-15508 openswan 2010-09-30
Fedora FEDORA-2010-15516 openswan 2010-09-30


subversion: restriction bypass

Package(s): subversion
CVE #(s): CVE-2010-3315
Created: October 11, 2010
Updated: February 16, 2011
Description: From the Debian advisory:

Kamesh Jayachandran and C. Michael Pilat discovered that the mod_dav_svn module of subversion, a version control system, is not properly enforcing access rules which are scope-limited to named repositories. If the SVNPathAuthz option is set to "short_circuit", this may enable an unprivileged attacker to bypass intended access restrictions and disclose or modify repository content.

Alerts:
openSUSE openSUSE-SU-2013:1869-1 subversion 2013-12-13
Red Hat RHSA-2011:0258-01 subversion 2011-02-15
Ubuntu USN-1053-1 subversion 2011-02-01
SUSE SUSE-SR:2010:024 clamav, subversion, python, krb5, otrs, moonlight, OpenOffice_org, kdenetwork4, zope, xpdf, gnutls, and opera 2010-12-23
openSUSE openSUSE-SU-2010:1042-1 subversion 2010-12-10
Fedora FEDORA-2010-16115 subversion 2010-10-11
Fedora FEDORA-2010-16136 subversion 2010-10-11
Mandriva MDVSA-2010:199 subversion 2010-10-12
Debian DSA-2118-1 subversion 2010-10-08


wireshark: stack overflow

Package(s): wireshark
CVE #(s): CVE-2010-3445
Created: October 13, 2010
Updated: April 19, 2011
Description: From the Mandriva advisory:

It was discovered that the ASN.1 BER dissector in wireshark was susceptible to a stack overflow.

Alerts:
Gentoo 201110-02 wireshark 2011-10-09
SUSE SUSE-SR:2011:007 NetworkManager, OpenOffice_org, apache2-slms, dbus-1-glib, dhcp/dhcpcd/dhcp6, freetype2, kbd, krb5, libcgroup, libmodplug, libvirt, mailman, moonlight-plugin, nbd, openldap2, pure-ftpd, python-feedparser, rsyslog, telepathy-gabble, wireshark 2011-04-19
CentOS CESA-2011:0370 wireshark 2011-04-14
CentOS CESA-2011:0370 wireshark 2011-03-22
Red Hat RHSA-2011:0370-01 wireshark 2011-03-21
Fedora FEDORA-2011-2620 wireshark 2011-03-04
Fedora FEDORA-2011-2632 wireshark 2011-03-04
openSUSE openSUSE-SU-2011:0010-2 wireshark 2011-01-12
SUSE SUSE-SR:2011:001 finch/pidgin, libmoon-devel/moonlight-plugin, libsmi, openssl, perl-CGI-Simple, supportutils, wireshark 2011-01-11
SUSE SUSE-SR:2011:002 ed, evince, hplip, libopensc2/opensc, libsmi, libwebkit, perl, python, sssd, sudo, wireshark 2011-01-25
openSUSE openSUSE-SU-2011:0010-1 wireshark 2011-01-04
Red Hat RHSA-2010:0924-01 wireshark 2010-11-30
Debian DSA-2127-1 wireshark 2010-11-28
Mandriva MDVSA-2010:200 wireshark 2010-10-13


xpdf: code execution

Package(s): xpdf
CVE #(s): CVE-2010-3702 CVE-2010-3704
Created: October 8, 2010
Updated: April 19, 2011
Description: From the Red Hat advisory:

An uninitialized pointer use flaw was discovered in Xpdf. An attacker could create a malicious PDF file that, when opened, would cause Xpdf to crash or, potentially, execute arbitrary code. (CVE-2010-3702)

An array index error was found in the way Xpdf parsed PostScript Type 1 fonts embedded in PDF documents. An attacker could create a malicious PDF file that, when opened, would cause Xpdf to crash or, potentially, execute arbitrary code. (CVE-2010-3704)

Alerts:
Gentoo 201402-17 xpdf 2014-02-18
Gentoo 201310-03 poppler 2013-10-06
Mandriva MDVSA-2012:144 tetex 2012-08-28
Scientific Linux SL-tete-20120823 tetex 2012-08-23
Oracle ELSA-2012-1201 tetex 2012-08-23
CentOS CESA-2012:1201 tetex 2012-08-23
Red Hat RHSA-2012:1201-01 tetex 2012-08-23
SUSE SUSE-SR:2011:007 NetworkManager, OpenOffice_org, apache2-slms, dbus-1-glib, dhcp/dhcpcd/dhcp6, freetype2, kbd, krb5, libcgroup, libmodplug, libvirt, mailman, moonlight-plugin, nbd, openldap2, pure-ftpd, python-feedparser, rsyslog, telepathy-gabble, wireshark 2011-04-19
openSUSE openSUSE-SU-2011:0337-1 libreoffice 2011-04-18
openSUSE openSUSE-SU-2011:0336-1 libreoffice 2011-04-18
SUSE SUSE-SR:2010:024 clamav, subversion, python, krb5, otrs, moonlight, OpenOffice_org, kdenetwork4, zope, xpdf, gnutls, and opera 2010-12-23
openSUSE openSUSE-SU-2010:1091-1 xpdf 2010-12-23
Debian DSA-2135-1 xpdf 2010-12-21
SUSE SUSE-SR:2010:023 libxml2, tomboy, krb5, php5, cups, java-1_6_0-openjdk, epiphany, encfs 2010-12-08
SUSE SUSE-SR:2010:022 gdm, openssl, poppler, quagga 2010-11-30
openSUSE openSUSE-SU-2010:0976-1 poppler 2010-11-25
Slackware SSA:2010-324-02 poppler 2010-11-22
Slackware SSA:2010-324-01 xpdf 2010-11-22
Mandriva MDVSA-2010:231 poppler 2010-11-12
Mandriva MDVSA-2010:230 poppler 2010-11-12
Mandriva MDVSA-2010:229 kdegraphics 2010-11-12
Mandriva MDVSA-2010:228 xpdf 2010-11-12
Red Hat RHSA-2010:0859-03 poppler 2010-11-10
Fedora FEDORA-2010-16705 xpdf 2010-10-27
Fedora FEDORA-2010-16662 xpdf 2010-10-27
Fedora FEDORA-2010-16744 xpdf 2010-10-28
CentOS CESA-2010:0755 cups 2010-10-10
Red Hat RHSA-2010:0752-01 gpdf 2010-10-07
Fedora FEDORA-2010-15911 poppler 2010-10-08
CentOS CESA-2010:0749 poppler 2010-10-10
Red Hat RHSA-2010:0754-01 cups 2010-10-07
Red Hat RHSA-2010:0755-01 cups 2010-10-07
Red Hat RHSA-2010:0750-01 xpdf 2010-10-07
Ubuntu USN-1005-1 poppler 2010-10-19
Fedora FEDORA-2010-15981 poppler 2010-10-08
Debian DSA-2116-1 poppler 2010-10-12
CentOS CESA-2010:0753 kdegraphics 2010-10-10
CentOS CESA-2010:0752 gpdf 2010-10-10
CentOS CESA-2010:0750 xpdf 2010-10-10
CentOS CESA-2010:0751 xpdf 2010-10-10
CentOS CESA-2010:0754 cups 2010-10-10
Red Hat RHSA-2010:0753-01 kdegraphics 2010-10-07
Red Hat RHSA-2010:0749-01 poppler 2010-10-07
Red Hat RHSA-2010:0751-01 xpdf 2010-10-07


Page editor: Jake Edge
Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds