Applications:Keyed alike Yubikeys

From Yubico




Yubikeys with keyed-alike OTP (matching OTP) by Concept Only (JH2009)

Image:YubikeysKeyedAlike.jpg


The proposal: at time of sale, offer Yubikeys whose OTPs validate as the same identity (same public ID and the same secret AES key), hence the term "keyed-alike", borrowed from hardware locks that are cut to open with one key.


Note: I'll refer to keyed-alike Yubikeys as Yubikals.

Keyed-alike allows one Yubikey for daily use and one for the spouse, the manager, the shipping department, the safety-deposit box, etc.
It is similar to two ATM cards on a joint bank account: the printed card number is identical, and only the bank tells the cards apart (besides the signatures on the back).


Common Usage

Yubikals would be desirable wherever pairs of matching keys are required.

e.g.:
Within a business environment: standalone "dumb" cash registers, or when a master key is given to managers for overrides, etc.
When you are not there (business and home): when the courier (UPS) drops off a package and asks for the (matching) Yubikey that placed the order.
Between spouses: call and ask the spouse to pick up an order (nearer to them) which you placed online using your Yubikey to verify.


Reference

A backup Yubikey is a separate concept:

http://wiki.yubico.com/wiki/index.php/Applications:A_Backup_Yubikey


Yubikey Technical Information is found here:

http://wiki.yubico.com/wiki/index.php/Yubikey





Technical How To: Parallel Usage ID

I'm suggesting that Yubico adopt a Parallel Usage ID to implement this capability.

A Parallel Usage ID could be set to any value 1, 2, 3, 4... and used to identify each individual key while the remaining Public & Secret IDs [1] stay the same. (A Yubikey OTP carries the public ID in the clear, followed by a 16-byte block encrypted under the key's secret AES key: the private ID, a session counter, a timestamp, a session-use counter, two pseudo-random bytes and a CRC.)

Only Yubico's validation server would use the Parallel Usage ID, to identify and validate each Yubikal separately. This matters because each physical key keeps its own session and use counters: the server rejects an OTP whose counters are not higher than the last ones it accepted for that public ID, so if two keys shared one counter state, whichever key had been used less would be refused as a replay. A per-key ID lets the server keep a separate "last seen counter" per physical key.

Parallel Usage IDs could take the place of some of the existing pseudo-random bytes inside the encrypted block, and would be ignored by everyone else.


For added security the Parallel Usage ID could be a hex counter that increments by a fixed stride and rolls over after a set value. Each key starts at its own offset, so the value modulo the stride identifies the key (a remainder of 0 meaning the last key of the set):

e.g. rolling at 16, increments by 2 (a pair): Key1 = 1, 3, 5, 7, 9, B, D, F; Key2 = 2, 4, 6, 8, A, C, E, 0
e.g. rolling at 16, increments by 4 (a quad): Key1 = 1, 5, 9, D; Key2 = 2, 6, A, E; Key3 = 3, 7, B, F; Key4 = 4, 8, C, 0

A counter that steps by 8, 16, 32 or 64 up to a higher roll-over value like 256, then starts again from the key's offset, would be better still.

(A static per-key value would be simpler. Since the field sits inside the AES-encrypted block, an attacker without the secret key can neither read nor forge it in either form; the rotating variant mainly keeps the field looking like the random bytes it replaces. Which one is chosen may boil down to cost.)




3 methods for using the Parallel Usage ID within the Yubikeys:

Since only Yubico would know which Public & Secret IDs are keyed-alike, they could look for the Parallel Usage ID only on those keys.

1) Yubico looks up the Parallel Usage ID only for known Yubikals:
    - Its value looks like part of the pseudo-random section (it overwrites a particular pseudo-random byte).
    - Regular Yubikeys would not have a Parallel Usage ID, and any extra expense would stay with Yubikals.
      (Yubico filters for known Yubikals (based on Private and Secret IDs), then looks up the disguised Parallel Usage ID.)
2) Yubico looks up the Parallel Usage ID in all Yubikeys:
    - Regular Yubikeys have their Parallel Usage ID set to some random value.
    - Yubico stores that random value and uses it as a third ID check: Private ID, Secret ID, and Parallel Usage ID.
      (Method #2 could be strengthened by having regular Yubikeys use a random starting value which increments too.)
3) Yubico looks up the Parallel Usage ID in all Yubikeys:
    - Set to 0 for regular Yubikeys.
      (Method #3 is the weakest, because of the static value, and there is no check of whether the key was sold as a Yubikal or not.)


(Please note that I'm presenting 3 ways for the Parallel Usage ID counter without knowing, or having access to, the detailed engineering hardware limitations.)
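The scheme above, worked through as an added example written for this page (it is not Yubico's code and not the author's): a simulated pair of keyed-alike keys share the AES key, public ID and private ID and place a Parallel Usage ID in the token's two random bytes (an assumption of this example, following method 1), and a validation server decrypts each OTP, checks the CRC and private ID, reads the Parallel Usage ID only for credentials registered as keyed-alike, and keeps separate replay counters per physical key. The AES key, IDs and timestamp are constructed values, and the OTP is handled as raw bytes rather than modhex text.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// crc16 is the YubiKey token CRC (poly 0x8408, init 0xFFFF, the PPP FCS-16); a
// token whose CRC field is intact hashes to the residue 0xF0B8 over all 16 bytes.
func crc16(buf []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range buf {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			if crc&1 != 0 {
				crc = (crc >> 1) ^ 0x8408
			} else {
				crc >>= 1
			}
		}
	}
	return crc
}

// simKey simulates one physical key of a keyed-alike set: all members share the
// AES key, public ID and uid, each keeps its own counters. pid is the proposed
// Parallel Usage ID, assumed here to occupy the token's two random bytes; it starts
// at the key's 1-based position, steps by nKeys and rolls at 16, so pid mod nKeys
// names the key (0 standing for key nKeys).
type simKey struct {
	block    cipher.Block
	publicID []byte
	uid      [6]byte
	nKeys    int
	ctr, pid uint16 // session counter (a real key starts at 1), Parallel Usage ID
	use      uint8  // session-use counter
}

// emit returns one OTP as raw bytes: the public ID in the clear, then the
// AES-encrypted token (uid, ctr, timestamp, use, pid, crc). Modhex is left out.
func (k *simKey) emit() []byte {
	var pt, ct [16]byte
	copy(pt[0:6], k.uid[:])
	binary.LittleEndian.PutUint16(pt[6:8], k.ctr)
	pt[8], pt[9], pt[10] = 0x11, 0x22, 0x33 // 24-bit timestamp: constructed, not checked
	pt[11] = k.use
	binary.LittleEndian.PutUint16(pt[12:14], k.pid)
	binary.LittleEndian.PutUint16(pt[14:16], ^crc16(pt[0:14]))
	k.block.Encrypt(ct[:], pt[:])
	k.use++
	k.pid = (k.pid + uint16(k.nKeys)) % 16
	return append(append([]byte{}, k.publicID...), ct[:]...)
}

// credential is the validation server's record for one public ID. last holds the
// highest (ctr<<8 | use) accepted per physical key; more than one entry marks a
// keyed-alike set (method 1 in the text), and only then is pid read at all.
type credential struct {
	block cipher.Block
	uid   [6]byte
	last  []uint32
}

type validator struct{ creds map[string]*credential }

// validate returns the 1-based index of the physical key that produced otp, or an
// error for an unknown key, a token not encrypted under its key, or a replay.
func (v *validator) validate(otp []byte) (int, error) {
	if len(otp) != 22 {
		return 0, errors.New("bad OTP length")
	}
	cred, ok := v.creds[string(otp[:6])]
	if !ok {
		return 0, errors.New("unknown public ID")
	}
	var pt [16]byte
	cred.block.Decrypt(pt[:], otp[6:])
	if crc16(pt[:]) != 0xf0b8 || !bytes.Equal(pt[0:6], cred.uid[:]) {
		return 0, errors.New("bad CRC or private ID")
	}
	idx := 0
	if n := len(cred.last); n > 1 {
		pid := binary.LittleEndian.Uint16(pt[12:14])
		idx = (int(pid%uint16(n)) + n - 1) % n // key i <=> pid ≡ i (mod n); 0 means key n
	}
	cur := uint32(binary.LittleEndian.Uint16(pt[6:8]))<<8 | uint32(pt[11])
	if cur <= cred.last[idx] {
		return idx + 1, errors.New("replayed OTP")
	}
	cred.last[idx] = cur
	return idx + 1, nil
}

// scenario: a pair of keyed-alike keys used alternately, then a replayed OTP. With a
// single shared counter state, key 1's second OTP (ctr 1) would be refused as a
// replay once key 2's OTP (ctr 7) had been accepted.
func scenario() (who []int, replayRejected bool, err error) {
	block, err := aes.NewCipher([]byte("0123456789abcdef")) // constructed AES key
	if err != nil {
		return nil, false, err
	}
	pub := []byte{0, 0, 0, 0, 0x12, 0x34} // constructed public ID
	uid := [6]byte{1, 2, 3, 4, 5, 6}      // constructed private ID
	v := &validator{creds: map[string]*credential{string(pub): {block: block, uid: uid, last: make([]uint32, 2)}}}
	k1 := &simKey{block: block, publicID: pub, uid: uid, nKeys: 2, ctr: 1, pid: 1}
	k2 := &simKey{block: block, publicID: pub, uid: uid, nKeys: 2, ctr: 7, pid: 2} // plugged in more often
	otps := [][]byte{k1.emit(), k2.emit(), k1.emit(), k2.emit()}
	for _, o := range otps {
		i, e := v.validate(o)
		if e != nil {
			return nil, false, e
		}
		who = append(who, i)
	}
	_, e := v.validate(otps[0])
	return who, e != nil, nil
}

func main() {
	fmt.Println(scenario())
}
```

scenario returns [1 2 1 2], true and no error: every OTP is attributed to the right physical key, both keys are accepted although their session counters are far apart, and re-sending key 1's first OTP is refused as a replay. A regular credential (one counter slot) goes through the same path with the field left unread, which is what method 1 asks for.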


Physical Identification

I'd suggest that Yubikals have a matching letter/serial marked (burned, melted or laser-cut into the case, to visually identify matching sets) at time of purchase.

Something as simple as a random 4-character "serial"-like number should suffice; it would be unlikely for an individual customer to get repeated "serials".

Beyond physical identification the random "serial" is meaningless, and it may repeat many times throughout production.


I'm also suggesting that Yubikals be available (only at time of sale) not just in pairs but in larger multiples (pairs, triplets, quads, quints, etc.).

An example of purchasing options when buying 4 Yubikeys:
 4 Yubikeys  (no Yubikals)
 2 Yubikeys, and 1 pair of Yubikals (#abcd)
 2 pairs of Yubikals                (#abcd, #efgh)
 1 Yubikey and 1 triple Yubikals    (#abcd)
 1 quad of Yubikals                 (#abcd)

Note: (#abcd) is my way of showing one set of Yubikals with matching OTPs and its corresponding (physically marked) random serial.

Clarification example:
Buying 10 Yubikeys could give 5 pairs of Yubikals (#abcd, #efgh, #ijkl, #mnop, #qrst).
Buying 10 Yubikeys could give 1 denary of Yubikals (#abcd), i.e. 10 Yubikeys all with matching OTPs.
etc.


Your vote will let Yubico know whether keyed-alike OTP Yubikeys (alias: Yubikals) are desirable.




History/Info-Update

I just wanted to inform people who may not be aware of the history behind the Yubikey.

This wiki page describes 1 of 2 "backup" solutions, the other being entitled "A Backup Yubikey".

http://wiki.yubico.com/wiki/index.php/Applications:A_Backup_Yubikey


Both articles were written when version 1 of the Yubikey was current.

Both provide a different solution to the same problem, based on what the hardware could do back then.


I have since resolved my backup issues with version 2.2 Yubikeys and the "Yubikey Configuration Utility" version 2.2.0.

With them I created the same static password in slot 1 and generated different OTPs in slot 2, and registered that OTP info with the Yubico servers, for several Yubikeys.

This lets me use one LastPass account with several Yubikeys. (LastPass allows up to 5 Yubikey OTPs with a paid subscription.)


Please visit the Yubico Forum for more up-to-date info on how to accomplish what I've described above: http://forum.yubico.com/
