Multibit and yubikey

[segeln]

Are there plans for yubikey operating in Multibit for additional security?

[mjb]

Yubikey does not offer additional security in this case. Hardware wallets such as Trezor (http://www.bitcointrezor.com/) will, however, when they become widely available next year.

[5cMXezpBtm]

Why does Yubikey not offer additional security ? Is it not much safer to have an OTP than just a password?

[btchris]

YubiKey does offer additional security for web-based wallets, especially those with per-transaction two-factor checks such as greenaddress.it and bitgo.com. In these cases, two-factor auth offers very effective (but not perfect) protection against malware.

Two-factor tokens typically work by storing a shared key. The website also stores that same shared key. This allows both the token and the website to generate the same authorization codes, which are then simply compared during login (or during each new transaction). As long as nobody else has access to the shared key, it can provide additional security. Two-factor authentication is only to verify the user has the same share key -- two-factor tokens are not used to do any wallet encryption.

With desktop wallets, there is no login process, only an encryption process. Desktop wallets store their private keys inside of files which are encrypted by the user's password. Encryption is not something that two-factor tokens can do. An attacker (or piece of malware) who has access to your PC has direct access to your wallet files. If the wallet files are encrypted, the attacker must either try to brute-force the password, or simply wait for you to type it in. At that point, they can gain access to all of your private keys.

In short, two-factor authentication doesn't add any security to desktop wallets.

(Hardware wallets are much different -- they can do encryption.)

[5cMXezpBtm]

[...] If the wallet files are encrypted, the attacker must [...] simply wait for you to type it in. At that point, they can gain access to all of your private keys.

That's the point of OTP in addition to typing in a static password. The attacker is not able to push the button of Your Yubikey from inside the computer or even plug it to the USB slot at first
The password safe "KeePass" has a YubiKey plugin, to exactly preventing such keylogger attacks. So it seems, that it is possible to protect a local software with OTP. What would be the difference between a online service (which is basically an application running on a webserver) and a local application anyway? The application just needs to forward the OTP to the Yubi server to validate it, as I understand.
Critical is only the restore method for the case that You lose Your Yubikey. For a remote webservice You just need to request the service provider to disable the OTP addition, authenticating You with other methods. For a local application You need a special recovery password or something that You write down on a safe paper.

Honoring the work of the MultiBit devs I know that using and developing for Trezor is a good approach, but it will take some months I think until it will be ready for production use and until then I feel uncomfortable to have my MultiBit wallet just protected by a password and so, vulnerable by keyloggers.

[btchris]

[...] If the wallet files are encrypted, the attacker must [...] simply wait for you to type it in. At that point, they can gain access to all of your private keys.

That's the point of OTP in addition to typing in a static password. The attacker is not able to push the button of Your Yubikey from inside the computer or even plug it to the USB slot at first
The password safe "KeePass" has a YubiKey plugin, to exactly preventing such keylogger attacks. So it seems, that it is possible to protect a local software with OTP. What would be the difference between a online service (which is basically an application running on a webserver) and a local application anyway?

It gets pretty complicated from here... (and there are real experts who know far more than me that would make both our heads spin! )

The wallet that's on your hard drive (or the KeePass file) is encrypted with a something called a "symmetric" key. That just means the the encryption key is the same as the decryption key, and it's always the same until it's changed, typically manually by you.

With KeyPass, you can use your YubiKey in one of two different modes. In "static password" mode, the YubiKey simply remembers one portion of your password. The encryption/decryption key is created by adding the password you remember to the one the YubiKey remembers, and it's always the same (unless you manually change it). If there's malware on your computer, it can wait for both you and the YubiKey to input your passwords, and then the malware has all it needs to decrypt your KeyPass passwords (or your wallet file).

The second mode is called One-Time-Password mode (which sounds good, but keep reading...). This mode is similar to "static password" mode, but it automatically changes the symmetric encryption key each time you log in. This means that if a piece of malware captures the full password (both the one you type in and the one from the YubiKey which is different each time you log in), and if the malware then tries to use this password, it's probably too late because the symmetric key has already been changed and is no longer valid.

The problem is that there's a simple attack the malware can use to get around this. The malware takes a copy of the encrypted data before you or the YubiKey enter your passwords, and stores it temporarily. The next time you and the YubiKey enter your passwords, the malware records the password. As I said above, at this point the symmetric key for the encrypted data is now automatically changed... but it's only changed for the "legitimate" file. The temporary file which the malware took a copy of doesn't have its key changed -- its password is still the same, it's the one that was captured by the malware. Now the malware has both the decryption key and the older encrypted file that the decryption key will work on.

With a good* online service, the malware never has access to the encrypted data because it's only stored on the server, and so it can't take a temporary copy of it for later decryption.

The bottom line is that while a YubiKey makes things a little more difficult for malware, it's doesn't really help that much for local wallets. Local wallets are only safe if there's no malware present on the system. Good* online wallets on the other hand can have their security improved with a YubiKey (or similar).

* A good/strong online service has Bitcoin keys stored in (at least) two places: partially on your computer and partially on the server. At no time are the keys both stored in the same place. Blockchain.info doesn't fit this description, because there is only one key -- if you're malware infested, this one key can be stolen by malware on your computer. Of course, all online services require a certain trust level on your behalf...

[5cMXezpBtm]

Hm I read the OtpKeyProv plugin Readme (which is only in the Download zip). There is written:

"Security

The more OTPs are required to open the database, the more secure it is. The minimum number is 3 (everything below 3 is completely insecure; the database would be crackable within seconds), the maximum number is 6."

[...]

Recovery mode. If you can't open the database using OTPs anymore (e.g. because the generator token and the database are out of sync), you can alternatively enter the generator token's secret key to open the file. After opening the database, go 'File' -> 'Change Master Key' to synchronize the generator token and the database again.

[...]"

More "One time passwords" after another in a row???

Sounds complicated and not very trustworthy. Additionally, what I dislike, is the fact that there is no download archive for the plugin(s) and no public source code repo like GitHub. It's amateur stuff what I do not trust and the Readme quotes above tell me: Let's look forward to MultiBitHD Trezor Support Can't wait for it... Do not want to use the MyTrezor Online wallet, want to use my own local client.

[AussieHash]

You're confusing what a YubiKey is actually doing with keepass.

When you login to gmail / localbitcoins / etc with 2FA what you are using is a TOTP (Time-Based One-Time Password).  This requires a central server to act as a gatekeeper, and only let you log in to your account if your "google authenticator" TOTP is correct.

With Multibit there is no central authority holding your keys, they're on your hard drive.

keepass' Yubikey plugins, do not support TOTP, only a static password (just a long string) or Challenge Response password (a fixed response to a given input challenge, which could still be sniffed by malware) or a HOTP (HMAC-based One-time Password).  (there is a keepass plugin to calculate TOTP, like google authenticator does, not to login to your keepass database)

The keepass plugin "otpkeyprov" uses a HOTP, which replaces the 30-second timecode with a counter in a separate file, alongside the database file.  The problem with this approach, is the Yubikey Hardware Counter progresses every time the button is pressed.  So if you accidentally press the yubikey 4 times, and your "read ahead buffer" is set at 3, you will not be able to login.  HOTP are also not suitable if you want to keep >1 copies of your database with 1 yubikey as the counter will become out of sync.

This long but brilliant forum post describes OTPs in more detail

Code:

One of the ways to implement it is to use hardware token as 2nd factor. In our case it's YubiKey. YubiKey can work in 4 modes:
Y1 - static password;
Y2 – HOTP (HMAC-based One-time Password);
Y3 – TOTP (Time-Based One-Time Password);
Y4 - HMAC-based challenge-response mode.

The best option to use a Trezor as 2FA device - which is required to sign transactions (something you have), additionally you can enable a PIN (something you know).  The brilliant part of Trezor it is (essentially) impossible for an attacker to extract your hierarchical deterministic seed from Trezor, even with physical access, and it is resistant to brute forcing of the PIN as the time delay between incorrect guesses increases exponentially.

Trezor already supports BitID, whereby you use its signing capability as an authentication token to login.  A sample password database which uses Trezor it is available.

Incidentally, the latest electrum release supports Trezor (Transactions are created and broadcast by electrum, but signed by Trezor)