
Yeah, we're already behind. Good morning everybody, sorry for the technical hiccups here. I just assumed that it was going to go wrong somewhere, but hopefully that's the only gremlin that we face. So we'll just move right in.

I'm going to be talking about YubiKeys, which are hardware security tokens, small little security devices like this. I've got a couple of them, one that we're going to look around with and one that I actually use in my day-to-day life. So maybe a quick question, quick show of hands: who has a YubiKey, a security token or something similar, a Google Titan or whatever? So maybe about half of us, okay. And I'm guessing most of you use them just for signing into your accounts, using the second-factor kind of side of it. Does anybody do anything with GPG or any cert stuff on it? Okay, blank faces, okay.

So we're going to quickly go through what a YubiKey is, a quick look at a security disclosure, if it really is a security disclosure, talk about the keys, what they can do, passkeys, passwords, and then, since I come from more of the developer side of the house, we're going to talk about code signing, specifically signing our git commits to provide a level of trust in the source code that we're offering.

So who am I? As I said, my name is Bob. I'm an industrial technology advisor with the National Research Council of Canada in the Industrial Research Assistance Program. That is a lot of mouthfuls; basically it says my job is to help companies do research and development. NRC IRAP's role and remit is to support R&D, although I'm not doing that right now because I'm on leave and looking after my daughter. So I can point you in the right direction if you want to talk about things; that is the direction to my PO Heaven. Basically I'm a big geek and a longtime developer and I do lots of kind of random [ __ ], and yeah, I'll probably swear because it's not work time. You can reach me in March at my official work email address, but I will not be reading any email until then, it's powered off, and you can get me at my personal email, and if you can read it on here you can check it with GPG.

Okay, so I'm going to make a couple of assumptions: that we actually have some YubiKeys, that this is primarily focused from the Mac side of things, and that we want to do things right, whatever that is. It'll be somewhat technical, and this guide is a wonderful guide about how you can go about setting up your security keys, so if you remember nothing other than that guide, that will point you in a lot of the right directions.

So, disclaimer: not a security expert, not a cryptographer, not a lawyer. These views represent myself and not my employer, the National Research Council; that's probably the most important one. And beware, if everything goes wrong and your house burns down because of things you've tried to do here, tough [ __ ], not my fault.

Okay, so right now, how paranoid are you? I think it's always important to remember that security is a spectrum, and doing some of this is maybe outside the realms of what most normal people can do, including outside of the realm of a lot of developers who are happy writing code but then get all freaked out by the security side of things. So there's a happy place in the middle where we've got a little bit of the DevOps security culture and the developer culture, and I think it's always important we ask ourselves how paranoid are we being today. For some of the code that I write I want to be more paranoid; I want to be able to demonstrate that the code I'm offering has been offered by me, which is why I go to the lengths of signing some of my commits, and I want to make sure that some of those commits don't have kind of bad stuff in them that I haven't actually authored.

So yeah, this can be hard, and it is very likely that we will screw up, as I did last night going through my talk and trying to make sure everything worked; it all went horribly wrong. So don't worry if you get this wrong on your first try. These YubiKeys and other hardware tokens are available.

So what is a YubiKey? It is essentially a relatively rugged hardware token. This
one works over NFC and USB, and it has a bunch of apps or applets on it that allow us to do a bunch of security stuff. That's just a chunk from the Wikipedia page if you want to read it. They come in various shapes and sizes, and with various certifications attached or not attached to them, and you're likely to see them in the USB-C style, or the ones on the right of the screen that are kind of plugged into your laptop and used all the time, and there are some with biometric authentication as well. So that's what they look like, if you haven't seen one.

So what do we have? Well, like I say, there's a variety of applets that run on these things, and there are shared configurable slots, so you can have static passwords (or "passwards", as I see the typo), or it can do one-time password and challenge-response things, and time-based or counter-based second factors can all be configured into the two slots that are available. So I use one of these for my work account. Work don't officially support these as part of their login mechanism, but I have a split password, where there's a piece that I input and then I use a random static password on here, so I actually don't know what my full logon password is, which means I actually need my YubiKey to log on. They also have on them this universal second factor / FIDO2 / WebAuthn / passkeys, and we'll talk a little bit more in depth about those. There's an applet that supports the Personal Identity Verification standard for managing certs and keys on there in accordance with that standard, which is often used within US government organizations, and there's the OpenPGP applet. I am going quite fast, I apologize, please ask me questions; it's because we've obviously had some technical challenges and I wanted to do a live demo which now can't happen, or we have to kind of climb around.

They can also be used as a hardware logon token, certainly on Mac they can; on Windows you can, but it's outside of my domain expertise and knowledge. I just threw this slide in because it is useful to know that it can actually be used as a logon mechanism, so you can have a passwordless logon experience if you so wish, or have a second fallback.

Okay, so we have gone and bought our YubiKey, or we think we have, right? There's a lot of crap on Amazon, and if I buy something from Amazon there's probably these days a 50/50 chance that what I'm getting is a knock-off, right? So how do we actually verify that this is an actual YubiKey? Well, you can try. They are officially sold on Amazon, so I don't want to really throw them under the bus, but we do want to do those steps because we're super paranoid today. So if you go to the Yubico site there is a method there to verify that the key is genuine, based on some attestation certs that are installed on the device at manufacturing time. That works in the browser; you don't actually have to know any of the technical details, but there is a link here that goes through how you could do all of that manual process yourself, just if you want to know.

So we got one sent to us, they arrive thanks to the post, they come in a little green packet like that. This talk was initially devised for people who were maybe less security minded, so I went on to a little bit of why do we need multiple second factors, and now a clip. From which movie, anybody? Yes, it's very good, well done, bonus points for you. And in that clip he's doing a voice bit, he's like "my voice is my password, verify me", which is a part of the story. So really, when we look at authentication and multiple factors, it's something you know, something you have, something you are. We're wanting to make sure that if my password gets lost out there, or somebody has my password, they need some of the other stuff to be able to log in and do things. Okay, so in my case, for a lot of my stuff, I might have a password and then I'll use this as a universal second factor, and we'll touch a little bit more on that.

Okay, and yes, Sneakers. It actually holds up really well, I watched it last week. If you haven't watched it in a long time or you've never watched it, it actually holds up pretty well, and my partner, who's a vet, she loved it, she really enjoyed it. So it's rare, I think, that we find a crypto security movie that actually holds up well for people who aren't technical. So, I touched on this security disclosure; it's maybe just an interesting sideline we'll touch on, because again it's on that how paranoid
are we kind of theme. So, to configure these there is a tool from the manufacturer, Yubico, and that allows you to turn on and off various features, or configure PINs, passcodes and other features of the device. Those links there show you how you can configure the device, and the GitHub there has one of the apps, the YubiKey Manager, and Yubico actually have a list of all of the code signing certificates and identities that they use. So, being somewhat paranoid on the day that I was developing this talk, I downloaded this new version of the tool (there are newer versions since then, this was back in 2022 when I did this) and it shipped with a Mac installer, making it easier for people to install. It turned out it was actually broken, but rapidly fixed. So they shipped, I think if you look here, a Mac package file, PKG, and a signature, or without a signature, anyway, they shipped something that was an installer, which they hadn't previously done. Because I am somewhat paranoid, I decided to check all of the certs, because they list them on their website. And I use this brilliant app, if you're on a Mac, called Suspicious Package, that allows you to examine all of the signing certificates of that package file, and essentially you end up with a chain of certs from the author of the package, through the Apple intermediate developer certs, up to the Apple Worldwide Developer cert and their whole PKI infrastructure, the idea being to demonstrate that it hasn't been tampered with. But I noticed that the fingerprint of the installer certificate as listed there didn't match the one that was on the website, so it raised the flag. Was it an oversight or was it malicious? Who knows, but I think in the security realm it often just takes that one oddity that seems strange, and it's inquisitiveness that separates security professionals from regular users, right? It's like, huh, something's off.

So something was off, so I dug into it, and again, somewhat technical, I was able to go and see that some of the other releases of the package actually had GPG signatures, so I checked all of those, the back history, and all of this also seemed to look okay. And I expanded the package file, and as you dive into the Mac ecosystem you can find all these weird tools that you've never used 99% of the time, but essentially I was able to extract a table of contents which has another cert chain that was PEM encoded or whatever, so you were able to pull out from that, with a little bit of manual copy-pasting and so on, and it actually showed the chain was there, and that the key had expired, or was a new key with whatever dates, so on and so forth. So it turned out the installer package was the one that was wrong; the actual code-signed executable still had the correct fingerprints for the keys that they published. So those are just some of the tools I use to pull that information out, and there's a slide a little later on that goes into detail about the macOS code signing architecture.

So, long story short, the certificate had expired, they issued a new one using the same private key, they just hadn't updated the website. So I let them know, they updated the website, everything seems reasonable. So that's the security disclosure, but it had been up for a few months, right? Nobody bothered to look, or nobody noticed it, or whatever. So again, it's that inquisitiveness that makes the difference.

So, my bold statement: the password is dead, long live the passkey. Passwords: hard to remember, you lose them, you forget them, they get reused. Password vaults help, but aren't the real solution for
everything, and again you've got to think about what your threat model is. They're often open to dumps and whatever, and my security posture is different from that of my mum; she's happy to write down her Facebook password on a piece of paper next to her laptop. That's not right for me. For my Gmail account, my AWS root access accounts, my Apple accounts, all of those high-profile things, for me, I want to take it to the next level.

So second factors help, you know, those time-based codes or counter-based codes that we've seen, or SMS text messages being sent to you. They help, but they can still fall foul of people eavesdropping and phishing. I wanted to sign into my bank for something but I was in Europe and the code didn't come through, and so on, so it's just not perfect. So this is where this universal second factor / FIDO2 / WebAuthn stuff comes in and offers a better way of authenticating with services. As with all things computing there are lots of acronyms being thrown around and organization names, and again apologies you can't really see this thing, but it's a joint effort between the FIDO Alliance and the World Wide Web Consortium, and there's a browser component and a client-to-authenticator protocol, CTAP. Essentially what these tools do is, using public/private key cryptography, tie a public/private key pair to a domain name and a secure mechanism through the browser, which means that these things are phishing resistant. You can't put these challenges onto a wrong domain, so if you've got login.food.com, you can't have this pretend website with a stupidly long URL; it's only bound to the domain that these logons are tied to.

However, all of that is a real mouthful, right? If I speak to my mum again, I can't say "Mum, have you set up your FIDO2 WebAuthn credential?" and she'd be like "What the hell, do you want me to cook tea?", right? She just won't care, right? So that's why we have a more human name for these things, which is passkeys. That's a more human name, and I think a real good step, because you can talk about passkeys in a much more sensible way. Some of this is maybe slightly off but I thought I'd just leave it as it was; some of the terminology that's used gets a little bit funky, but essentially you can have, on one end of the spectrum, a passkey that's tied to an individual single device, that it will not leave. So for some of my really high-security accounts that's what I do: I've got a passkey for certain logins that is tied to a physical key, and then I have backup keys associated, but basically unless you have this device you are not getting into my root Amazon account. And you know what, if you did get into my root Amazon account, maybe you could turn off that 2 cent a month thing that's charging me two cents a month and has been for the last four years that I can't find; you might be able to do me a favor. The other variant of them is this multi-device credential, which allows syncing behind the scenes across your devices in an ecosystem that you're in. So typically I'm in the Mac ecosystem and iOS ecosystem, so I can create a passkey on my Mac or on my phone, and then through the iCloud key sharing that will be available on all the devices. So that's still, for me, a leg up compared to passwords and some other things, but it's maybe one leg down from actually having it bound to a single device, but it's a hell of a lot more convenient.

So I was going to do a demo. I guess, is there a USB-C on this? I've only got USB-A. I wonder if I prepared and brought a USB-C key? No, I don't think I did. Okay, well, I was going to do a demo. I can show you on my phone in a little bit, or on my Mac, what it's like to create a passkey and what the user experiences, because it is very, very fluid. On the demo site I was going to show you, you go in, you set a username and press the button on the authenticator, and you can also require a PIN option. So for my account I require a PIN, so I have to put in my PIN, which is a short six to 24 character thing, whatever it is, that unlocks the key, and if three failed unlocks, it locks the key and then you have to go through a kind of recovery process. So it's very trivial: you put in a username, click register, click on your authenticator, and it creates everything behind the scenes and you're logged in. And then when you log out, all you have to do is put your key in and it will say, hey, I've got a passkey for this website, do you want to use it? If so, touch your authenticator, if you have to, unlock it, but it's very smooth, it's very easy. So it's really good. So that was the site I was going to demo, just passkey.org, and passkeys should be available now in most ecosystems, certainly on the Apple ecosystem, and I believe it's on the latest Android devices subject to what kind of OS version you're running. So yeah, just passkey.org, try it out on your personal device and see how it feels.

However, not all is golden in this world. At the moment, if I've got everything in my Apple ecosystem, and all of my passkeys, it's painful to move them to another ecosystem. If I wanted to go for Android that would be painful; I'd have to re-register a bunch of keys, and maybe the sites go, hey, you've already registered this key, I'm not going to let you register it again, so I don't want to have to buy new keys, I don't want to have to delete tokens or keys. So there is a new spec coming that will allow the migration of these credentials from one ecosystem to the other, but it's still relatively new, and companies are doing dumb [ __ ], including some of the leaders who are pushing this, like Apple, who, it looks like, released iOS 18.1 and macOS 15.1, and it looks like if you have a YubiKey with a PIN set you end up in this kind of authentication loop asking for the PIN. So it amazes me that features like that are released in point versions that screw things up. So there's still a little bit, right now, of be careful.

The software that runs on these, the firmware on these, is not changeable, so when you buy it, those are the features that it has and you're not going to be able to upgrade it or change it. So the newer ones with firmware version 5.7 allow 100 passkeys on them versus 25 on the older versions. So yeah, when you buy one, check that it is the latest firmware version, and that genuine-check site will help you check that. So, the password is dying, it's
not dead yet. I hope we move away from passwords. So yeah, I would say now the password is dying and long live the passkey. It makes everybody's life easier, makes my life easier, with improved security. It's just, I like it, and I think we should use it for more things too.

Okay, so now flipping onto the developer side of things. I was going to do a live demo, but see me when I'm around if you want to work through it in a shell session; it's useful. So yeah, I author code for a living. I've authored some code that has gone into some government projects, some government projects that were a little contentious, like the COVID Alert app, by submitting some fixes and things to it, and there is scope in government work for naughty people to want to do naughty things, and I think it's important that we demonstrate, as authors of the code, the authenticity of the patches and things that we're submitting. So there's nothing to say that you can't just sign your git commits with the GPG key you've got on your machine, to step up on that ladder of security, but there have been cases of people's machines having been popped, and people are just waiting in the wings ready to add an extra file to your git stash or your commit log that you haven't really paid attention to, so that when you do authenticate they will commit it and use that key that's there; there's maybe some cached credential somewhere. So what I've done, and what I prefer to do, is have this physical YubiKey and use the OpenPGP applet on here and move keys to it. So that's what we're going to kind of look at.

So again, when I wrote this I was just playing with ChatGPT: why might we do this? Again it's that authenticity piece that we're trying to say, we want to have this certainty. Why we won't want to do it: it's complicated, right, and people, developers, don't want to do it, it gets in the way of things. If you have to rebase something, because you've signed each commit, if you now rewrite the git history you've got to re-sign all of those, and it's just a mess, right? It's painful. So again, as with all things security, there's this trade-off. So here's something I was working on; it was supposed to be like an official government URL shortener, it didn't really go anywhere, but in GitHub it shows, hey, this is a verified commit, right? So there is some visual thing there, but you can also of course, in your git history, see all the code and all the signatures and what have you. And for another talk I was doing, it's like, who knows, who's to say that the PM hasn't committed code and written code, and unless he's actually got some kind of authenticity, some GPG or something else assigned to his identity, we don't know if he's written it or not, right? So I feel for certain types of things it's important to have this kind of signature.

I'm assuming most of you are familiar with GPG, or GnuPG. It's a replacement, an open source replacement, for Pretty Good Privacy. It supports hybrid encryption, symmetric, public key / private key, available on all good platforms, and works on a kind of web of trust model. So if you have a GPG key, so Heather and I, I know her, and I could maybe verify, since I work with her, I could maybe look at her driver's license and check, yep, actually she is Heather and that's actually her name, she isn't called Susan or something and her nickname is Heather. I can talk to her and then verify her identity and we can sign each other's keys, and through that there is this web of trust, in theory, that has been built. So if I come across some commits from somebody that I don't know, there's maybe some kind of web of trust, or a line through that mess to the other person, and I can have a greater sense of understanding their identity. As a little interesting aside, git itself can use other mechanisms; it doesn't have to be based on GPG, it can use X.509 certificates for your code signing as well, maybe of interest to larger organizations.

So to generate a GPG key, you can do it on the device itself, then you run the risk of losing it, and you can prove that the key was generated there through some attestation, but if you lose it, tough [ __ ]. So generally what I prefer to do is generate keys in a secure environment and then import them onto the key. What I was going to show, for that I typically use Tails, which is a kind of ephemeral boot environment. Again, on this kind of list of using your machine that's connected to the internet, versus using a machine that hasn't seen the internet, doesn't know what the internet is, and is away from everything, pick your poison on that list of things. I think
Tails works for me, and I just have an x86 machine I boot, and I keep all of my private key material on that Tails USB stick, which I keep in my house. So yeah, you're going to have to break into my house if you want them, please. So I was going to walk through creating these keys and transferring them onto the key here, and I'm happy to do that on the side with some people if you're really interested; happy to show you what that process looks like. That guide is really good if you want to refer to it. Essentially what you do is generate the master key, the certify key, which you then generate subkeys on, and then you transfer the subkeys to the YubiKey, and then on your regular workstation there is no private key material on the workstation, because all the keys are on here, which in theory can't be extracted from it. That certify key is then offline. So, when you get an opportunity to look at this screenshot, it doesn't show what I was about to say, so you won't see that. Again, there are additional challenges if you happen to be working on a cloud machine; you can't plug this into the EC2 machine you've got in the cloud, or wherever, so you can actually do agent forwarding between multiple SSH sessions. So I was working on a remote VM to do some stuff, I needed to commit some code from there, and you can make all of that work, so you're not limited.

So if you're looking to deploy these as part of a large organization, it's painful. There's lots of documentation out there, it's all over the place; actually, Yubico do a really good job at writing everything, but it's definitely technical. Again, my mum's not going to do it. So as an organization that's looking to put these out, you're going to have some challenges just in the management of issuing these. There are also some changes to some of the protocols in the newer versions, so if you want to set a PIN that, upon first use, the user is forced to change to their own PIN, those are in that CTAP 2.1 protocol. But basically you're just paying to manage all of the certs and code signing; if somebody new joins your organization you want to sign their keys so that they are demonstrated to be part of your organization; people lose things, they leave, it's just a pain. However, if you have a sufficiently large order, Yubico can do customizations of the one-session thing; if you've got a Fortune 500 and you're issuing thousands of these devices there are methods to make that a little easier.

And then this was just a little aside on doing similar kinds of ideas for actually code signing the executables or product that we generate. So why? Well, of course, a typical OS limits a user's ability to run untrusted code, for whatever that means. So certainly on Mac there's Gatekeeper; apps outside the App Store are still signed using developer certs they issue. There have been supply chain attacks where code that people are running has just been signed or mis-signed, and lots of small developers don't think about key management, right? Unless you've lost your keys you don't think about it. Painful. So there are lots of iOS and other developers who lose their private key because they buy a new machine and don't think it's necessarily something to copy across from the old one. As I said, a lot of this was Mac specific. There's a whole bunch of tech notes there from Quinn, who is an absolute star within the Apple developer ecosystem; if I could be a tenth as good as them in terms of my ability to write clear technical documentation I'd be happy. So that kind of shows you how code signing works on the Mac, and that's possible then to do essentially using the PIV module on this key, loading the keys and the certificates, so much like our git commits you require a touch on this to sign your stuff. So I think that kind of, yeah, and basically more guides for that.

So I've kind of gone a little bit longer. I know I've skipped over a whole bunch, there's probably some questions. I was going to do that live demo, but unfortunately we'll have to sit around the table as the break starts if you wish to do that. But with that, that kind of covers the bits that I wanted to talk about. The closing thing would be: buy
hardware tokens instead; it's cheaper than you and your users being breached, right? So 100 bucks each, well worth the investment, I think. So yeah, any questions?

So I'm assuming in a larger environment, where you have, for example, an established CI/CD pipeline, you have multiple developers that are doing commits during that pipeline, would that be a complicated environment, as opposed to like an individual developer like yourself who's running your own, you've got your own bits on your own?

Yeah, I think it's manageable. As with a lot of things it's education, and the hard part I find at the moment is setting up the hardware token the right way for what you want. So I think it's possible, if it is an important thing for you, to have somebody who knows this stuff like the back of their hand issue the key and talk somebody through it, because the day-to-day, once you've actually gone through the process of getting all the secret material on it, is actually not too bad. Plug it in, I do my git commit and it says please insert key with a particular serial number, enter your PIN, then touch the button. So the day-to-day doing it isn't too bad. Yubico do an HSM kind of version of this, so for your CI machines you could use that one, which may store many more bits of private material, and you can set the touch policies on it. So for me as an individual developer I say I want to touch this for every single signed commit that I do; you could say, okay, I want a CI machine that's locked in the cabinet, and okay, well, I'm pretty sure that somebody's not going to have access to that, it's air-gapped to some degree, it's in a cage; you could have a touch policy that allows it to be cached for a certain period of time. I don't know if that answers your question.

So there's, again, that spectrum of usefulness. Do you commit to that, especially, I have some critical infrastructure clients that are restricted by the government, stuff like that, it's very valuable.

Yeah, so it's certainly doable. I think there's a spectrum there, and for those clients, well, maybe it's not necessarily even the individual commits, it might be, but in other environments I've worked in it's about that final executable that's being shipped to customers, and you've got a small team and maybe one day it's Fred releasing the software, next week it's Jane releasing the software, and users are confused, it's signed by different people. I think there's value in packaging all that code signing for the store or whatever and having that managed well in a proper environment, which I think is very beneficial. I think Corsair, I think they got themselves in some trouble, don't quote me on that, that's just this weird thing I've got in my head, I thought I saw it there. There have certainly been other vendors that have not managed their private material well and have fallen foul of that. Yeah, so happy to talk further afterwards.

So are there checks regarding automatic building in platforms, where account-specific parts of the pipeline have their own checks to make sure that commits that are not signed are not allowed?

Yeah, so you can certainly, in the tooling around git, like say GitHub and things, you can say I only want verified commits on this branch and it will stop those kinds of things happening, but that isn't necessarily tooling of git itself. So I don't know if I fully answered your question; it's a large part here, I'm happy to have a further discussion with you, but yeah, you can limit through commit hooks what type of things you are accepting into your repository. Hopefully that counts. Anybody else got questions?

We talk about passkeys, but my observation is I've seen some of the platforms just give us a single authentication through passkeys. Are we still focusing on MFA, for like multiple factors, or are we doing more of a quality or quantity approach?

Well, a couple of things there that maybe need to be picked apart. Certainly, again, when sites allow the use of passkeys they can do various things in the configuration when you set them up; they can say I only want passkeys from this manufacturer of hardware, or that meet this particular security requirement. And in your example the passkey with a PIN set on it is two-factor authentication, right, because it's something I have, something I know, I've got my PIN, and I'm physically touching the button, so you are getting those multiple factors already in. So I think they are beneficial. As one has to remember, I don't care about passwords, I do not want to remember passwords. I have a PIN that's relatively secure; if the PIN is wrong three times, that is toast, nobody can use it. So then I'm going to have to go and find my Tails install, like if my daughter came along and bashed on the keyboard, that's something she wants to do, as well as dribbling onto the keyboard. I'm going to have to fire up my Tails install, get my keys, put the PIN in, load it; it's a pain. So I don't know if I answered your question, I went a bit off.

Another question. There was a cool tidbit that I missed, about how he had the pleasure of meeting Steve Jobs as part of the team demoing a product. Can you tell what the product was?

Yes, so we were asked to submit some interesting tidbits of information, so, nothing to do with this. I worked on some of the earliest iOS software that was done by people external to Apple. I worked on the Super Monkey Ball demo that was part of the iPhone software development launch back in 2007, 2008, and we went for a two-hour meeting to Cupertino to say what games developers wanted in a software development kit, and with hindsight there were a few nudges, winks and looks, and then we were basically locked up for about four weeks and held hostage, happily, but we did get to meet Steve and help launch a multibillion-dollar system. And an even further interesting tidbit on Super Monkey Ball itself: it actually started life as an iPod Touch game on the click wheel, and even more interesting, it was actually a port of the Nintendo DS code. And if you want to play that, you can play it now via touch.org, an open source reimplementation of old iPhone software, iOS 1.

All right, it's lunchtime. I'll stick around for anybody who wants to look at a terminal, and I'm happy to answer any other questions about your specific use cases. So thank you.
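The domain binding that the passkeys part of the talk describes (a FIDO2/WebAuthn credential tied to login.food.com that a lookalike site cannot use) as an added example, not code from the talk or from Yubico. It is a constructed toy model: HMAC-SHA256 stands in for the authenticator's ECDSA signature so it runs on the standard library alone, and the RP ID, origin and lookalike domain are made up; the data layout (authenticatorData = rpIdHash || flags || signCount, signature over authenticatorData || SHA-256(clientDataJSON)) follows the real protocol.

```python
import hashlib
import hmac
import json
import os
import struct

RP_ID = "login.food.com"              # constructed relying-party id from the talk
RP_ORIGIN = "https://login.food.com"
FLAG_USER_PRESENT = 0x01              # the "touch the key" bit in the flags byte


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class ToyAuthenticator:
    """Holds one credential per RP ID; secret material never leaves the object."""

    def __init__(self):
        self._creds = {}              # rp_id -> [cred_id, secret, sign_count]

    def make_credential(self, rp_id: str):
        # HMAC key stands in for the private key; the RP stores the same
        # value where it would really store the public key (constructed).
        cred_id, secret = os.urandom(16), os.urandom(32)
        self._creds[rp_id] = [cred_id, secret, 0]
        return cred_id, secret

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        # The browser derives rp_id from the page's *actual* origin, so a
        # lookalike domain never finds a credential scoped to the real site.
        cred = self._creds.get(rp_id)
        if cred is None:
            raise LookupError(f"no credential scoped to {rp_id}")
        cred[2] += 1                  # monotonic signature counter
        auth_data = (sha256(rp_id.encode()) + bytes([FLAG_USER_PRESENT])
                     + struct.pack(">I", cred[2]))
        sig = hmac.new(cred[1], auth_data + sha256(client_data_json), "sha256").digest()
        return cred[0], auth_data, sig


def browser_get(authenticator, origin: str, challenge: bytes):
    """Browser role: build clientDataJSON and pass the origin's host as rp_id."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge.hex(),
                              "origin": origin}).encode()
    host = origin.split("://", 1)[1].split("/", 1)[0]
    return client_data, authenticator.get_assertion(host, client_data)


class RelyingParty:
    """Server-side checks a site like login.food.com performs on an assertion."""

    def __init__(self):
        self.creds = {}               # cred_id -> [secret, last_sign_count]

    def register(self, cred_id: bytes, secret: bytes):
        self.creds[cred_id] = [secret, 0]

    def verify(self, challenge, client_data_json, cred_id, auth_data, sig) -> bool:
        cd = json.loads(client_data_json)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
            raise ValueError("challenge mismatch")
        if cd.get("origin") != RP_ORIGIN:
            raise ValueError("origin mismatch: " + str(cd.get("origin")))
        rp_hash, flags = auth_data[:32], auth_data[32]
        count = struct.unpack(">I", auth_data[33:37])[0]
        if rp_hash != sha256(RP_ID.encode()):
            raise ValueError("rpIdHash does not match this RP")
        if not flags & FLAG_USER_PRESENT:
            raise ValueError("user presence not asserted")
        rec = self.creds.get(cred_id)
        if rec is None:
            raise ValueError("unknown credential")
        if count <= rec[1]:
            raise ValueError("sign counter did not increase (replay or clone)")
        expected = hmac.new(rec[0], auth_data + sha256(client_data_json), "sha256").digest()
        if not hmac.compare_digest(expected, sig):
            raise ValueError("bad signature")
        rec[1] = count
        return True


def run_scenarios() -> dict:
    """Genuine login, lookalike-domain phishing attempt, and a replayed assertion."""
    auth, rp = ToyAuthenticator(), RelyingParty()
    rp.register(*auth.make_credential(RP_ID))
    out = {}
    challenge = os.urandom(32)
    cdj, (cid, ad, sig) = browser_get(auth, RP_ORIGIN, challenge)
    out["genuine"] = rp.verify(challenge, cdj, cid, ad, sig)
    try:                              # constructed lookalike domain
        browser_get(auth, "https://login.food.com.evil.example", os.urandom(32))
        out["phishing"] = "assertion produced"
    except LookupError as exc:
        out["phishing"] = "refused: " + str(exc)
    try:                              # the same assertion presented a second time
        rp.verify(challenge, cdj, cid, ad, sig)
        out["replay"] = "accepted"
    except ValueError as exc:
        out["replay"] = "rejected: " + str(exc)
    return out                        # genuine True, phishing refused, replay rejected
```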