Author

Topic: How can blockchain.info use the MtGox yubikey? (Read 4403 times)

hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
October 27, 2012, 10:36:42 AM
#14
Using MtGox yubi anywhere but on MtGox login page generates OTPs that MtGox hasn't seen yet. Anyone with a keylogger runni g on your machine can reuse any of these OTPs on MtGox. Anything that was generated after your last legitimate login to MtGox will work for the next login.
Therefore, do not use your MtGox yubi anywhere else (including playing in Notepad), unless that other party has some kind of official deal with MtGox to burn OTPs after use (to increase the counter).
legendary
Activity: 1372
Merit: 1003
Does this key-logger threat still apply to standard Yubikeys on this wallet service?  Also can you use the standard Yubikey safely on more than one wallet or on other websites?

Edit:  And does using a Yubikey protect your wallet backups stored online?
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Bugger. I was hoping that MagicalTux had actually given them access to his validation server, but this is less than ideal.
donator
Activity: 1419
Merit: 1015
I just tested it, it worked. Two keys were used, and then I subsequently went to MtGox and used them to log in.

Understandably, however, there are a number of caveats to this. First, someone has to have a keylogger on your system, and if they have a keylogger, they probably don't have to do much more to get access to your local wallet than wait for you to use it. Additionally, they could use your already established connection to MtGox to steal coin that way as well.

But I am still a little worried that people using their MtGox Yubikeys here might not understand that they are taking *some* risk, even if it isn't a HUGE one. Google Authenticator is working fine for me, so I intend to keep using that.

EDIT: Like piuk says, you are not sending anything to blockchain.info by using this. The only threat is a local one.
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
My understanding from discussing with them is that they don't use the Yubico server.  Rather, they use a feature of the key (documented in its manual) that allows you to replace the AES keys with your own.  Once that's done, the key can only be used with whatever knows the AES keys you put in.

The key has two memory slots: one for pressing the button briefly, and one for holding it down for several seconds.

MtGox programs slot #1 with one key that is used for logging in.  They have this slot programmed to press Enter after spitting out the encrypted string.

MtGox programs slot #2 with a different key for withdraw.  This one does not press Enter.  Presumably these are options that are set by MtGox at the time they set up the key.

Because MtGox issues the keys themselves and clearly indicate they cannot be used with Yubico, it's a pretty sure bet that they are reprogramming it themselves and not using a Yubico service.
hero member
Activity: 910
Merit: 1005
Has anyone tested this? Login with an Mt.Gox Yubikey at blockchain then re-use the same OTP again at Mt.Gox. If Mt.Gox use the yubico server it may well be invalidated.
donator
Activity: 1419
Merit: 1015
Unless blockchain.info has some way to "burn" the key usage with MtGox, right? Do you? I actually just came to the forums after looking at the options to ask the exact same question as the OP. This might not be a good option to keep active, piuk, though I do think it's pretty ingenuitive of a process.
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
YOu would definitely be giving the operator of any keylogger on your machine access to your MtGox account, as instead of having a one time password that's "in the air" for only a fraction of a second while you watch and confirm it gets consumed, you would be giving him a one time password that he can use at his own leisure and out of your sight.
hero member
Activity: 910
Merit: 1005
We only check the yubikey public identifier. You get 16 bytes of extra entropy added to your password, but not full OTP validation.

Line 1316: https://github.com/zootreeves/blockchain.info/blob/master/WalletServlet.java

Oh dear. If you use your MtGox Yubikey on there you're effectively giving them the ability to log in to your MtGox account.

This is absolutely not true.
legendary
Activity: 1904
Merit: 1002
https://blockchain.info/wallet/yubikey

How is this possible? Don't they need both the MtGox AES key and the user's AES key for the Yubikey in order to make this work?
Oh dear. If you use your MtGox Yubikey on there you're effectively giving them the ability to log in to your MtGox account and according to the MtGox TOS you'll be liable for any losses that result from this. (In fact, that's quite likely to be how they do it. The other possibility is that they only bother checking the static bits of the Yubikey authentication string, which they can do without knowing the secret embedded in it but which doesn't add any security.)

Not without your password.
hero member
Activity: 686
Merit: 564
https://blockchain.info/wallet/yubikey

How is this possible? Don't they need both the MtGox AES key and the user's AES key for the Yubikey in order to make this work?
Oh dear. If you use your MtGox Yubikey on there you're effectively giving them the ability to log in to your MtGox account and according to the MtGox TOS you'll be liable for any losses that result from this. (In fact, that's quite likely to be how they do it. The other possibility is that they only bother checking the static bits of the Yubikey authentication string, which they can do without knowing the secret embedded in it but which doesn't add any security.)
donator
Activity: 477
Merit: 250
maybe they work together with mtgox? with your auth at yubi activation you verfi some sort of public key? would be interesting if so

if totally erroneous: please, not in the face
sr. member
Activity: 266
Merit: 250
I know the mtgox yubis are different, but they must have support in the api.
Not that I would ever use mtgox.
member
Activity: 111
Merit: 100
https://blockchain.info/wallet/yubikey

How is this possible? Don't they need both the MtGox AES key and the user's AES key for the Yubikey in order to make this work?
Jump to: