2017-04-03

What can you do with a Yubikey Neo

This is the best overview I have seen. If only marketing people would write things like this. As it is, I only found it buried deep in a user forum.
---
Think of the slot configs and the smart card applet space as two completely orthogonal functions crammed into one tiny piece of hardware.

Before the NEO, you had your standard Yubikey that could transmit slot 1 or slot 2 via USB triggered by the appropriate keypress.

If you wanted to manage PGP keys for signing and encryption, or if you had some RSA style authentication mechanism that you wanted to use, you would purchase a smart card device that could be carried around and inserted into the port on a computer when it was needed. Windows would have the drivers to support said smart card device.

Now, let's jump back to the NEO. Out of the box (bag), the NEO's smart card capabilities are completely dormant. When you insert the device into a USB port, the computer *only* sees it as a keyboard device, and only the slot 1 and 2 configuration data is available.

But, when you run the ykpersonalize app and set the mode to 82, that activates the smart card functionality. The next time you insert the Yubikey into the USB port, Windows will see the USB keyboard, but it will also see a smart card and start loading the driver for that. Similar to how it would react if you had an original Yubikey and a USB compatible Smart Card device plugged into a USB hub and then you plugged the hub into your computer.

When you touch the contact on the Yubikey, that causes the Yubikey to use the Slot 1 or 2 configuration to output keystrokes. However, if you have an application that uses the smart card API to interact with the Yubikey, it can run whatever applets are installed in the Yubikey and those applets can use the data that is associated with them. It is important to realize though, it is the host system application that drives that interaction. There is nothing the Yubikey can do to initiate a smart card applet transaction when you touch the contact. I suppose that could change one day in the future, but the current Yubikey Personalization Tool doesn't have any options to that effect.

Jumping over to the NFC and Android world now. Android has something called Intents in its event system. When an application wants to be able to handle some particular event such as an SMS being sent or received or a web link being clicked, it registers an intent for that event. When the event happens, Android offers the event up to one or all of the applications that registered intents. (I don't know exactly how it handles multiple apps in this case, but it doesn't really matter for our purposes here.)

I believe if you have no special applications (such as LastPass) installed on an Android device and you touch a Yubikey to the NFC target, the event that gets spawned is a URL to the Yubikey website. However, that particular event must have enough information in it that will allow specific applications to register an intent to handle the event differently. When you have an app like LastPass installed, it will become an option to handle the event when you hold the Yubikey up to the NFC target. If you have the Yubico Authenticator app installed, it will also register an intent for this event, but it appears it only registers the intent when the app is actively running (i.e. it doesn't pop up as a choice of app to run when you hold the Yubikey up to the NFC target normally).

The Yubico Authenticator does something very different when it interacts with the Yubikey NFC data though. Unfortunately, here is where my explanation breaks down because I haven't read the code and I haven't seen any tech documentation from Yubico on how they do it. But what I infer is that the Authenticator app makes a different call through the NFC API to the Yubikey, passing in the current clock time, and asking it to run the Authenticator applet that is installed on the Yubikey. When that applet is run, it uses the clock time and each site key that has been stored in the applet data to generate the 2FA codes that are then returned to the Authenticator app to be displayed on the screen.

http://forum.yubico.com/viewtopic.php?f=26&t=1159&sid=e239193acdbbcd624ee28d2f9ef5530b&start=30#p4751
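The split the quoted post infers, with the host supplying only a clock-derived time step and the token holding the per-site secrets and returning codes, is what standard OATH TOTP (RFC 6238 over RFC 4226 HOTP) does. The example below is added here and is not the forum author's or Yubico's code; `OathToken`, `calculate_all` and the secret value are constructed for illustration, not the applet's real command set.

```python
import hmac
import hashlib
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_counter(unix_time: int, period: int = 30) -> int:
    """Host side: the only input the app has to hand over is the time step from its clock."""
    return unix_time // period


class OathToken:
    """Constructed model of the applet: keeps each site's secret inside the token,
    never exports it, and answers one host challenge (the time step) with a code per site."""

    def __init__(self):
        self._creds = {}

    def put(self, name: str, secret: bytes, digits: int = 6) -> None:
        self._creds[name] = (secret, digits)

    def calculate_all(self, counter: int) -> dict:
        # The host never sees the secrets, only the resulting codes.
        return {name: hotp(secret, counter, digits)
                for name, (secret, digits) in self._creds.items()}


def demo() -> dict:
    token = OathToken()
    # Constructed secret: the RFC 6238 reference key, used here as sample data only.
    token.put("example.com", b"12345678901234567890")
    token.put("example.com-8digit", b"12345678901234567890", digits=8)
    # Time step for Unix time 59 is 1, matching the RFC 6238 test vector.
    return token.calculate_all(totp_counter(59))


if __name__ == "__main__":
    print(demo())
    live = OathToken()
    live.put("example.com", b"12345678901234567890")
    print(live.calculate_all(totp_counter(int(time.time()))))
```

Because the secret stays in the token and only the time step crosses the NFC or USB link, a host that merely relays the clock cannot recover the key from the codes it receives.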
