I want to get your opinions on something I have been working on for the last few days.
This is basically an Arduino-compatible “LeoStick” with a couple of switches soldered onto it.
The intention was to produce something that works similarly to a YubiKey.
These are small devices (about the same size as a USB stick) which plug into your USB port. When you need to authenticate yourself to a supporting web site you press the capacitive button and it spits out a one-time password (by emulating a keyboard).
The first 12 characters are fixed (this is your “public” ID) and the rest are an AES-encrypted 128-bit block. The funny letters are because of a scheme for encoding that lets it be used on keyboards around the world without change (the USB keyboard interface sends scan codes, not ASCII codes). Think of it as hex with a one-to-one mapping between each letter and the characters 0-9 and A-F. For example, 0x0 is “c” and 0xF is “v”, and the other digits fall in-between.
The security lies in the fact that most of it is encrypted (the server works out which decryption key to use based on the public part). Also the message includes a counter which increments every time it is pressed, so the server knows to never accept the same counter twice (or indeed, any counter lower than or equal to the last valid one).
In my implementation the AES key, plus the private and public identifiers which comprise the protocol, are stored in EEPROM of the Atmega32U4. The counter is also stored in EEPROM, so the device can remember what counter it used last, without needing any sort of battery or clock.
One button causes a one-time password to be output to the keyboard, the other button enters configuration mode via a USB port where you can type in the keys, user ID, etc.
There is a tri-colour LED which can be used to indicate statuses, etc.
This all works pretty well, and I am very happy to document how it was done (basically, that just involves posting the source).
Now to the question …
I am a bit concerned about the legality of this after reading that Yubico had applied for patents on their device. It sounds like they are selling thousands of these gadgets (they are about $US 25 each), so they might want to protect their business interests.
- The source is publicly provided as open source (see COPYING.txt attached)
- The source and specifications are all made publicly available via GitHub and their web site
- I have not attempted to reverse engineer the actual hardware, in fact I don’t possess one, nor have I ever seen one (apart from pictures of it)
- The LeoStick (which sells for $US 29.95) is actually more expensive than the YubiKey, so you would hardly buy them to save money
- Even if you did make one out of a LeoStick it wouldn’t be as nicely packaged
- It seems to me that Yubico is doing a lot of business providing validation web servers, programming stations, etc., and if I published the source to my version this would not threaten any of that
I just thought it would be an interesting exercise to show how they work, and if you were really keen, you could make one up yourself (e.g. by using a Leonardo, or an Arduino Micro).
In my case I was thinking of adding an extra level of authentication to my own forum (principally for me) so that if I happen to be on holidays somewhere, I don’t have to worry about keyloggers capturing my forum password.
What do you think? Should it be safe to publish the source? It is after all, my own work, but calling functions in their open-source library in places.
COPYING.txt (1.29 KB)
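
The encoding and the replay rule described in the post, as an added example (not the poster's source and not Yubico's library code). It covers the hex-like keyboard-safe alphabet (ModHex), splitting an OTP into the 12-character public ID and the 128-bit encrypted block, and the "strictly greater counter" check; AES decryption is left out, and the function names and the 32-bit counter width are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* ModHex alphabet: index = nibble value (0x0 -> 'c', 0xF -> 'v'). */
static const char MODHEX[] = "cbdefghijklnrtuv";
#define PUBLIC_ID_CHARS 12   /* fixed prefix, per the post */
#define BLOCK_CHARS     32   /* 128-bit AES block written as ModHex */

/* Encode len bytes into 2*len ModHex characters plus a NUL terminator. */
void modhex_encode(const uint8_t *in, size_t len, char *out)
{
    for (size_t i = 0; i < len; i++) {
        out[2 * i]     = MODHEX[in[i] >> 4];
        out[2 * i + 1] = MODHEX[in[i] & 0x0F];
    }
    out[2 * len] = '\0';
}

/* Decode n ModHex chars into n/2 bytes; -1 on odd length or a bad character. */
int modhex_decode(const char *in, size_t n, uint8_t *out)
{
    if (n % 2 != 0) return -1;
    memset(out, 0, n / 2);
    for (size_t i = 0; i < n; i++) {
        const char *p = in[i] ? strchr(MODHEX, in[i]) : NULL;
        if (p == NULL) return -1;
        out[i / 2] |= (uint8_t)((p - MODHEX) << ((i % 2) ? 0 : 4));
    }
    return 0;
}

/* Split an OTP into public ID (text) and raw 16-byte block; -1 if malformed. */
int otp_split(const char *otp, char public_id[PUBLIC_ID_CHARS + 1], uint8_t block[16])
{
    if (strlen(otp) != PUBLIC_ID_CHARS + BLOCK_CHARS) return -1;
    memcpy(public_id, otp, PUBLIC_ID_CHARS);
    public_id[PUBLIC_ID_CHARS] = '\0';
    return modhex_decode(otp + PUBLIC_ID_CHARS, BLOCK_CHARS, block);
}

/* Replay rule from the post: accept only a counter strictly greater than
 * the last valid one, then remember it. Counter width is an assumption. */
int counter_accept(uint32_t *last_valid, uint32_t received)
{
    if (received <= *last_valid) return 0;
    *last_valid = received;
    return 1;
}
```

On the server, `counter_accept` would run only after the block has been decrypted with the key selected by the public ID and its contents checked.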