Let's talk about information security: Yubikey 4 introduction and configuration

I first came across Yubico in 2014 and had wanted one of their keys ever since. I kept following the news, so when the Yubikey 4 was released I bought one without hesitation. After more than half a year of use I thought I'd share my experience. Browsing Aunt Zhang I found that someone had already posted a share here that covers the basic introduction, so I'll add a few words as a supplement. The article is dry and has almost no pictures.

In short, a Yubikey is a hardware authentication device that supports one-time passwords (OTP), public-key signatures, and the U2F protocol.

Yubico's official products

Yubikey 4: the standard model

FIDO U2F Security Key: U2F only; many other manufacturers also make equivalent keys

Yubikey NEO: adds NFC, which makes it tempting (personally I don't think NFC matters much here)

Yubikey 4 Nano: so small that, as the official video shows, it can simply be left plugged into the USB port

So I chose the Yubikey 4.

Simply put, a Yubikey can work in three modes at the same time:

Traditional keyboard (HID) mode: Yubico OTP, Challenge-Response, static password, HOTP and so on. This mode has two configuration slots, triggered by a short press and a long press, so the key can emit two different kinds of password.

Smart card mode: the OpenPGP card and PIV card applets can securely store RSA private keys.

U2F mode: a second-factor authentication protocol supported by websites such as Google, Dropbox and GitHub.

The three functions above can be used simultaneously and do not conflict with each other.

Yubikey 4

Yubikey 4 Nano

Yubikey NEO

Yubikey FIDO U2F Key

Under my influence, colleagues around me started to accept and use Yubikeys. Last time we organised a group buy of more than 10 of them, and they were snapped up as soon as the goods arrived. Fortunately I took some photos first.

The editor said the post had no photos of the actual product, so I'll upload a few here.

Yubikey 4 photo

Yubikey 4 photo 2

The Yubikey 4 Nano edition really is tiny

The retail packaging is very simple

Retail package

Yubikey NEO with NFC

Yubikey 4 and Yubikey NEO side by side



Traditional Keyboard Device Mode (HID)

This part is relatively simple and can be configured graphically with yubikey-personalization-gui.

In HID mode the key emulates a USB keyboard and types a generated password into the computer, which gives it the best compatibility: no driver or client software is needed on the host. It covers several sub-modes: Yubico OTP, static password, Challenge-Response and HOTP.

Yubico OTP: roughly PUBLIC_ID + AES(AES_KEY, PRIVATE_ID || counters || timestamp || random || CRC). Each generated password is 44 modhex characters: a 12-character public ID (the key ID) in clear text, followed by a 16-byte block encrypted with the slot's AES-128 key that contains the 6-byte private ID (the secret), a session counter and a per-session use counter, a timestamp, random padding and a CRC. Before first use the public ID, AES key and private ID must be registered with a validation server (Yubico's cloud service, or one you host yourself). On each login the application passes the OTP to that server, which decrypts it with the AES key, checks the CRC and that the private ID matches, and then checks that the counters are higher than the last accepted values; that counter check is what prevents replay attacks.

Static: a static password. As the name suggests, it types the same fixed string every time (which offers little: a static password that is captured once can simply be replayed).

Challenge-Response: HMAC(SECRET, INPUT). The host sends a challenge through the HID interface and the key returns the HMAC-SHA1 of it. The response is read back by software rather than typed, so this mode needs native client code on the host side.

HOTP: HMAC(SECRET, COUNTER++). The algorithm is similar to Challenge-Response, but instead of a host-supplied input it uses an internal counter that increments on every press, and HOTP (RFC 4226) is a standard that many websites and devices support. The Yubikey has two configuration slots; each can be programmed with one of the modes above, and the slot is selected by a short touch or a long touch.

Because Yubico OTP needs a validation server (the Yubico cloud by default), if you reprogram the Yubico OTP slot you must upload the new key and ID information to the Yubico cloud before the key will validate again. Yubico's official documentation walks through this with screenshots.
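To make the description of Yubico OTP concrete, here is an added example of what the validation server does with one (written for this article; it is not Yubico's validation server code): modhex-decode the 32-character ciphertext, decrypt it with the slot's AES-128 key, check the CRC and the private ID, and finally require the session and use counters to move forward. A real key is not available offline, so emulateKeyPress plays the part of the hardware using a constructed public ID, AES key and private ID; the field layout of the 16-byte block follows Yubico's published OTP format, and the timestamp and random bytes are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"strings"
)

// Yubico's modhex alphabet: 16 symbols on the same physical keys in nearly every layout.
const modhex = "cbdefghijklnrtuv"

func modhexEncode(b []byte) string {
	out := make([]byte, 0, 2*len(b))
	for _, c := range b {
		out = append(out, modhex[c>>4], modhex[c&0x0f])
	}
	return string(out)
}

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := 0; i+1 < len(s); i += 2 {
		hi, lo := strings.IndexByte(modhex, s[i]), strings.IndexByte(modhex, s[i+1])
		if hi < 0 || lo < 0 {
			return nil, errors.New("modhex: character outside the alphabet")
		}
		out[i/2] = byte(hi<<4 | lo)
	}
	return out, nil
}

// crc16: reflected CRC-16 (poly 0x8408, init 0xFFFF); a block ending in the complemented CRC yields 0xF0B8.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, c := range b {
		crc ^= uint16(c)
		for i := 0; i < 8; i++ {
			crc = (crc >> 1) ^ (0x8408 * (crc & 1))
		}
	}
	return crc
}

// Device: what the validation server holds per key, plus the last accepted counters.
type Device struct {
	PublicID          string // 12 modhex chars, typed in the clear
	AESKey, PrivateID []byte // 16-byte AES-128 slot key; 6-byte secret identity
	LastUseCtr        uint16 // session counter: +1 per power-up, kept in flash
	LastSessionUse    uint8  // presses within the session, reset on power-up
}

// emulateKeyPress stands in for the hardware: build the 16-byte block the firmware encrypts, prepend the public ID.
func emulateKeyPress(dev *Device, useCtr uint16, sessionUse uint8) string {
	blk := make([]byte, 16)
	copy(blk[0:6], dev.PrivateID)
	binary.LittleEndian.PutUint16(blk[6:8], useCtr)
	blk[8], blk[9], blk[10] = 0x56, 0x34, 0x12 // constructed 24-bit timestamp
	blk[11] = sessionUse
	binary.LittleEndian.PutUint16(blk[12:14], 0xbeef) // constructed random filler
	binary.LittleEndian.PutUint16(blk[14:16], ^crc16(blk[:14]))
	c, _ := aes.NewCipher(dev.AESKey)
	ct := make([]byte, 16)
	c.Encrypt(ct, blk)
	return dev.PublicID + modhexEncode(ct)
}

// VerifyOTP is the server side: decrypt, check integrity and identity, then require the counters to advance.
func VerifyOTP(otp string, dev *Device) error {
	if len(otp) != 44 || otp[:12] != dev.PublicID {
		return errors.New("otp: wrong length or unknown public ID")
	}
	ct, err := modhexDecode(otp[12:])
	if err != nil {
		return err
	}
	c, err := aes.NewCipher(dev.AESKey)
	if err != nil {
		return err
	}
	blk := make([]byte, 16)
	c.Decrypt(blk, ct)
	if crc16(blk) != 0xf0b8 || subtle.ConstantTimeCompare(blk[0:6], dev.PrivateID) != 1 {
		return errors.New("otp: CRC or private ID mismatch (wrong key, corrupted or forged)")
	}
	useCtr, use := binary.LittleEndian.Uint16(blk[6:8])&0x7fff, blk[11] // bit 15 is a flag, not count
	if useCtr < dev.LastUseCtr || (useCtr == dev.LastUseCtr && use <= dev.LastSessionUse) {
		return errors.New("otp: replayed (counters did not advance)")
	}
	dev.LastUseCtr, dev.LastSessionUse = useCtr, use
	return nil
}

// NewDemoDevice returns a device with constructed, non-real credentials.
func NewDemoDevice() *Device {
	return &Device{PublicID: "ccccccbcgujh", AESKey: []byte("demo-aes-key-16B"), PrivateID: []byte{1, 2, 3, 4, 5, 6}}
}
```

Note the order of the checks: the CRC and private ID are verified before the counters, so a token decrypted with the wrong key (or tampered with in transit) is rejected without touching the stored counter state, and only an OTP that is genuinely from this key can advance it.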

OpenPGP Card

If you use GPG for encryption and signing, the OpenPGP card applet improves both security and convenience. The Yubikey works as a standard OpenPGP smart card holding the PGP private keys: keys can be written to the device but never read back out, and decryption and signing are performed on the device itself.

First you need to set up YubiKey.

Run gpg --card-edit to open the card settings.

First enter management mode with the admin command (the help command lists what is available). Then use the passwd command to set the PIN, the Admin PIN and the Reset Code, which may contain letters and digits. The default PIN is 123456 and the default Admin PIN is 12345678. Keep all three of these values safe.

The PIN is the one you will use day to day. Three wrong entries lock it, after which you need the Reset Code to unlock it; if the Reset Code is also entered wrongly three times, only a factory reset of the applet will help (which wipes the keys stored on it). The Admin PIN is used for managing the card (adding a key, changing passwords and so on) and cannot be shorter than 8 characters. Three wrong Admin PIN entries lock the management functions, and again only a factory reset recovers the card. So never type anything shorter than 8 characters at the Admin PIN prompt: it counts as a wrong attempt and will lock you out. Don't say I didn't warn you!

A GPG key is really a set of RSA key pairs: one master key pair plus several subkey pairs with different purposes, each pair consisting of a public and a private key. By default, gpg --gen-key creates a master key pair used for signing and a subkey pair used for encryption.

It is not recommended to put the master key on the Yubikey, because the master key's important role is to anchor your identity in the web of trust. Subkeys may be rotated over time, but others only need to remember your master key ID and can always fetch your updated subkeys. If your master key lives only on the Yubikey and you lose it, you can no longer prove that you are you. Keep the master key offline and load only the subkeys onto the card.

U2F twice authentication

Many websites now offer two-factor authentication, for example Google and Dropbox. The usual second factor is a TOTP (Time-based One-Time Password) generated by an app such as Google Authenticator or Duo Mobile; having to pull out your phone and open the app at every login gets tedious. With U2F you just plug in the Yubikey and touch the button to finish authenticating.

Don't even think about domestic websites!!!

At the time of writing only Google Chrome fully implements U2F; Firefox needs an add-on. Given the variety of features the Yubikey implements, there are plenty of ways to use (and tinker with) it. For example:

Two-step verification on websites such as Google, Dropbox and Fastmail

Operating-system login: Yubico provides an official PAM module that supports Linux and OS X

OpenPGP signing and decryption of files...
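The article does not spell out what happens in that one touch, so here is an added example (not the page's own code and not Yubico's) of the U2F authentication exchange as defined in the FIDO U2F raw message format: the token signs SHA-256(appID) || user-presence byte || 4-byte big-endian counter || SHA-256(client data) with the P-256 key it generated for that site at registration, and the website verifies the signature against the registered public key, checks the presence flag, and requires the counter to have increased. The token, its key handle, the appID and the client-data JSON are constructed stand-ins for the hardware, the browser and the site.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Registration is what the website stores after the one-time registration
// step: the key handle and the per-site public key the token generated, plus
// the highest signature counter it has accepted so far.
type Registration struct {
	KeyHandle []byte
	PublicKey *ecdsa.PublicKey
	Counter   uint32
}

// signatureBase is the byte string a U2F token signs during authentication:
// SHA-256(appID) || user-presence byte || big-endian counter || SHA-256(clientData).
func signatureBase(appID string, presence byte, counter uint32, clientData []byte) []byte {
	app := sha256.Sum256([]byte(appID))
	cd := sha256.Sum256(clientData)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	base := append([]byte{}, app[:]...)
	base = append(base, presence)
	base = append(base, ctr[:]...)
	return append(base, cd[:]...)
}

// Token stands in for the Yubikey's U2F applet: a per-site P-256 private key
// and a counter that only ever increases. It signs only when "touched".
type Token struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Register models the registration step for one site and returns the token
// together with the record the site keeps. The key handle is a constructed
// placeholder; a real token derives or wraps it for the site's appID.
func Register() (*Token, *Registration, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	reg := &Registration{KeyHandle: []byte("demo-key-handle"), PublicKey: &priv.PublicKey}
	return &Token{priv: priv}, reg, nil
}

// Authenticate returns the fields of a U2F authentication response: presence
// flag, counter and ECDSA signature. touched=false models a request without a
// button press, which the token refuses.
func (t *Token) Authenticate(appID string, clientData []byte, touched bool) (byte, uint32, []byte, error) {
	if !touched {
		return 0, 0, nil, errors.New("token: user presence required")
	}
	t.counter++
	h := sha256.Sum256(signatureBase(appID, 1, t.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, h[:])
	return 1, t.counter, sig, err
}

// VerifyAuthentication is the website's side: rebuild the signature base from
// its own appID and the client data it issued, verify the signature against the
// registered public key, and require the counter to advance (a counter that
// does not advance points to a replay or a cloned token).
func VerifyAuthentication(reg *Registration, appID string, clientData []byte, presence byte, counter uint32, sig []byte) error {
	if presence&1 == 0 {
		return errors.New("u2f: user presence flag not set")
	}
	h := sha256.Sum256(signatureBase(appID, presence, counter, clientData))
	if !ecdsa.VerifyASN1(reg.PublicKey, h[:], sig) {
		return errors.New("u2f: signature does not verify")
	}
	if counter <= reg.Counter {
		return errors.New("u2f: counter did not increase (replay or clone)")
	}
	reg.Counter = counter
	return nil
}

func main() {
	tok, reg, err := Register()
	if err != nil {
		panic(err)
	}
	appID := "https://login.example" // constructed relying-party appID
	clientData := []byte(`{"typ":"navigator.id.getAssertion","challenge":"c29tZS1yYW5kb20","origin":"https://login.example"}`)
	p, c, sig, _ := tok.Authenticate(appID, clientData, true)
	fmt.Println("first:", VerifyAuthentication(reg, appID, clientData, p, c, sig))
	fmt.Println("replay:", VerifyAuthentication(reg, appID, clientData, p, c, sig))
}
```

Two properties fall out of the signed message: because the appID hash is part of it, a response produced for one site does not verify under another site's appID, and because the challenge lives in the client data, a recorded response cannot be submitted against a fresh challenge. The counter adds the clone check on top.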
