Bitcoin Forum
December 10, 2016, 11:09:05 AM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: How can blockchain.info use the MtGox yubikey?  (Read 4088 times)
Ferroh
Full Member
***
Offline Offline

Activity: 141



View Profile WWW
February 17, 2012, 03:29:35 PM
 #1

https://blockchain.info/wallet/yubikey

How is this possible? Don't they need both the MtGox AES key and the user's AES key for the Yubikey in order to make this work?
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481368145
Hero Member
*
Offline Offline

Posts: 1481368145

View Profile Personal Message (Offline)

Ignore
1481368145
Reply with quote  #2

1481368145
Report to moderator
1481368145
Hero Member
*
Offline Offline

Posts: 1481368145

View Profile Personal Message (Offline)

Ignore
1481368145
Reply with quote  #2

1481368145
Report to moderator
schnell
Sr. Member
****
Offline Offline

Activity: 266


View Profile
February 17, 2012, 03:38:51 PM
 #2

I know the mtgox yubis are different, but they must have support in the api.
Not that I would ever use mtgox.
Lord F(r)og
Donator
Sr. Member
*
Offline Offline

Activity: 477



View Profile
February 17, 2012, 04:11:41 PM
 #3

maybe they work together with mtgox? with your auth at yubi activation you verfi some sort of public key? would be interesting if so

if totally erroneous: please, not in the face
makomk
Hero Member
*****
Offline Offline

Activity: 686


View Profile
February 17, 2012, 06:02:11 PM
 #4

https://blockchain.info/wallet/yubikey

How is this possible? Don't they need both the MtGox AES key and the user's AES key for the Yubikey in order to make this work?
Oh dear. If you use your MtGox Yubikey on there you're effectively giving them the ability to log in to your MtGox account and according to the MtGox TOS you'll be liable for any losses that result from this. (In fact, that's quite likely to be how they do it. The other possibility is that they only bother checking the static bits of the Yubikey authentication string, which they can do without knowing the secret embedded in it but which doesn't add any security.)

Quad XC6SLX150 Board: 860 MHash/s or so.
SIGS ABOUT BUTTERFLY LABS ARE PAID ADS
notme
Legendary
*
Offline Offline

Activity: 1540


View Profile
February 17, 2012, 06:16:03 PM
 #5

https://blockchain.info/wallet/yubikey

How is this possible? Don't they need both the MtGox AES key and the user's AES key for the Yubikey in order to make this work?
Oh dear. If you use your MtGox Yubikey on there you're effectively giving them the ability to log in to your MtGox account and according to the MtGox TOS you'll be liable for any losses that result from this. (In fact, that's quite likely to be how they do it. The other possibility is that they only bother checking the static bits of the Yubikey authentication string, which they can do without knowing the secret embedded in it but which doesn't add any security.)

Not without your password.

https://www.bitcoin.org/bitcoin.pdf
While no idea is perfect, some ideas are useful.
12jh3odyAAaR2XedPKZNCR4X4sebuotQzN
piuk
Hero Member
*****
Offline Offline

Activity: 910



View Profile WWW
February 17, 2012, 06:39:52 PM
 #6

We only check the yubikey public identifier. You get 16 bytes of extra entropy added to your password, but not full OTP validation.

Line 1316: https://github.com/zootreeves/blockchain.info/blob/master/WalletServlet.java

Oh dear. If you use your MtGox Yubikey on there you're effectively giving them the ability to log in to your MtGox account.

This is absolutely not true.

casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1344


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
June 28, 2012, 12:44:27 AM
 #7

YOu would definitely be giving the operator of any keylogger on your machine access to your MtGox account, as instead of having a one time password that's "in the air" for only a fraction of a second while you watch and confirm it gets consumed, you would be giving him a one time password that he can use at his own leisure and out of your sight.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper wallets instead.
Raize
Donator
Legendary
*
Offline Offline

Activity: 1375


View Profile
June 29, 2012, 06:52:04 PM
 #8

Unless blockchain.info has some way to "burn" the key usage with MtGox, right? Do you? I actually just came to the forums after looking at the options to ask the exact same question as the OP. This might not be a good option to keep active, piuk, though I do think it's pretty ingenuitive of a process.

OrganofCorti's Neighbourhood Pool Watch - The most informative website on blockchain health
piuk
Hero Member
*****
Offline Offline

Activity: 910



View Profile WWW
June 30, 2012, 11:05:09 AM
 #9

Has anyone tested this? Login with an Mt.Gox Yubikey at blockchain then re-use the same OTP again at Mt.Gox. If Mt.Gox use the yubico server it may well be invalidated.

casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1344


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
July 01, 2012, 03:58:14 AM
 #10

My understanding from discussing with them is that they don't use the Yubico server.  Rather, they use a feature of the key (documented in its manual) that allows you to replace the AES keys with your own.  Once that's done, the key can only be used with whatever knows the AES keys you put in.

The key has two memory slots: one for pressing the button briefly, and one for holding it down for several seconds.

MtGox programs slot #1 with one key that is used for logging in.  They have this slot programmed to press Enter after spitting out the encrypted string.

MtGox programs slot #2 with a different key for withdraw.  This one does not press Enter.  Presumably these are options that are set by MtGox at the time they set up the key.

Because MtGox issues the keys themselves and clearly indicate they cannot be used with Yubico, it's a pretty sure bet that they are reprogramming it themselves and not using a Yubico service.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper wallets instead.
Raize
Donator
Legendary
*
Offline Offline

Activity: 1375


View Profile
July 01, 2012, 05:35:31 AM
 #11

I just tested it, it worked. Two keys were used, and then I subsequently went to MtGox and used them to log in.

Understandably, however, there are a number of caveats to this. First, someone has to have a keylogger on your system, and if they have a keylogger, they probably don't have to do much more to get access to your local wallet than wait for you to use it. Additionally, they could use your already established connection to MtGox to steal coin that way as well.

But I am still a little worried that people using their MtGox Yubikeys here might not understand that they are taking *some* risk, even if it isn't a HUGE one. Google Authenticator is working fine for me, so I intend to keep using that.

EDIT: Like piuk says, you are not sending anything to blockchain.info by using this. The only threat is a local one.

OrganofCorti's Neighbourhood Pool Watch - The most informative website on blockchain health
rjk
Sr. Member
****
Offline Offline

Activity: 420


1ngldh


View Profile
August 06, 2012, 01:18:16 PM
 #12

Bugger. I was hoping that MagicalTux had actually given them access to his validation server, but this is less than ideal.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
matthewh3
Legendary
*
Offline Offline

Activity: 1372



View Profile WWW
October 27, 2012, 03:13:43 PM
 #13

Does this key-logger threat still apply to standard Yubikeys on this wallet service?  Also can you use the standard Yubikey safely on more than one wallet or on other websites?

Edit:  And does using a Yubikey protect your wallet backups stored online?

niko
Hero Member
*****
Offline Offline

Activity: 742


There is more to Bitcoin than bitcoins.


View Profile
October 27, 2012, 03:36:42 PM
 #14

Using MtGox yubi anywhere but on MtGox login page generates OTPs that MtGox hasn't seen yet. Anyone with a keylogger runni g on your machine can reuse any of these OTPs on MtGox. Anything that was generated after your last legitimate login to MtGox will work for the next login.
Therefore, do not use your MtGox yubi anywhere else (including playing in Notepad), unless that other party has some kind of official deal with MtGox to burn OTPs after use (to increase the counter).

They're there, in their room.
Your mining rig is on fire, yet you're very calm.
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!