Towards Zero Trust: Meet The YubiKey
Towards Zero Trust: Meet The YubiKey
In cybersecurity, we started with blacklists for applications and services, but that has not scaled well, and so we now often focus on whitelisting — and where we define what’s allowed and then block everything else. But, if we take the whitelisting concept to its ultimate focus, we end up with Zero Trust infrastructures.
Within many systems, we often have a simple concept of trust: untrusted (public), semi-trusted (DMZ) and trusted (private). But the main flaw with this is that an insider or an adversary can often place themselves in the trusted part of the network infrastructure, and so we can’t just trust entities based on where they are in the network and their levels of access.
And so we move towards zero trust infrastructures, and where no user, no device or no service is trusted at all, and where each must prove themselves and only be granted access to the minimal level of rights. Like it or not, this is the end game for Cybersecurity. Along with this, the usage of passwords is becoming untenable, especially as they provide hurdles for user access, and often do not provide a barrier to users falling for spear phishing. A vast improvement is to move towards the world of MFA (Multifactor Authentication) and 2FA (Two-factor authentication). With these, the user will be faced with additional proof of their device or themselves, with biometrics, a software token or other methods.
FIDO2
FIDO2 provides a standardized approach to MFA (Multi-factor Authentication) and 2FA (Two-factor Authentication) and is supported by the FIDO Alliance and the W3C. It is now supported by most Web browsers and aims at creating a passwordless authentication method. In a study by Lyastani et al. [1], it was found that many users find it acceptable to replace passwords with a security key for authentication. But there are still worries about the usage of the technology, especially in losing the authenticator and in being locked out of accounts. But, these concerns can easily be overcome with easy setups and fall-back procedures.
FIDO supports the standardization of second-factor authentication and an integration framework, along with client authenticators. This specification is known as FIDO2. Each of the methods uses public-key encryption in order to defend against threats such as phishing and credential harvesting. Overall, FIDO2 is passwordless and allows one or more client authentication methods, including embedded ones (biometrics and PIN codes) and external ones (FIDO security keys, wearable devices, and mobile phones), as illustrated in Figure 1.
The integration includes:
- W3C WebAuthn. This integrates into compatible browsers.
- CTAP2. This allows for the integration into smartphones using USB, NFC and BLE connections into browsers.
- CTAP1 (previously named U2F — Universal Second Factor). This allows integration with security keys and wearables using USB, NFC and BLE connections into browsers. An example of this is shown in Figure 2.
YubiKey
One of the widely used FIDO2 devices for authentication is the YubiKey. Reynolds et al. [2] reported on the usage of the YubiKey for Universal 2nd Factor (U2F) security, where users must press a button on a YubiKey to authenticate themselves. For this, they set up the login to Microsoft Windows, Google and Facebook accounts but revealed problems with the usage of the devices, including lock-outs. These problems are often related to the basic setup of the device. Within a second study, the researchers found that users generally enjoyed using the YubiKey for daily tasks and provided advice on improving the setup process. For Arcana, there are generally two ways that their product could use FIDO2 devices. The first is to authenticate the device to a service, and the second is to use the device to encrypt the user’s key.
Signing data
Within digital signing, a server (or service) can generate a data challenge and then get the YubiKey to create a digital signature using the private key stored on the device. This signature can then be proven with a public key and is illustrated in Figure 1. In this way, the server can store the public key of the device, and then match this to a user, when the user want to log into the system, they will need to provide a valid signature that matches their public key.
Encrypting data
Along with the YubiKey signing for data with its private key, it is also possible to use it as a method to encrypt and decrypt data. As shown in Figure 2, we can generate a key pair and then upload the private key onto the YubiKey. This can then be linked to an encryption process. In this case, it is linked to the GPG process, and where we can sign email messages with Bob’s private key, and which will then be proven with Bob’s public key. Along with this, we can decrypt ciphered email using the device, and which involves using the private key to decrypt the message.
Conclusions
If your company is not moving towards zero trust, ask why not?
Read more here:
References
[1] Lyastani, S. G., Schilling, M., Neumayr, M., Backes, M., & Bugiel, S. (2020, May). Is FIDO2 the Kingslayer of User Authentication? A Comparative Usability Study of FIDO2 Passwordless Authentication. In IEEE Symposium on Security and Privacy (pp. 268–285).
[2] Reynolds, J., Smith, T., Reese, K., Dickinson, L., Ruoti, S., & Seamons, K. (2018, May). A tale of two studies: The best and worst of yubikey usability. In 2018 IEEE Symposium on Security and Privacy (SP) (pp. 872–888). IEEE.