
Inside Yubikey Neo - tasqa
http://www.hexview.com/~scl/neo/
======
vessenes
I like how polite Yubi and Hexview are in this exchange; a breath of fresh air
from an infosec company engaging with a security company! Makes me feel like
there are grown-ups both places, and that the work will help Yubi in future
iterations.

------
dombili
Off-topic, but I came across this tweet today.

[https://twitter.com/flexlibris/status/660108123487789056](https://twitter.com/flexlibris/status/660108123487789056)

> TSA at Boston airport tried to take my Yubikeys away from me to a second
> location "for a test". I refused & they backed off but FYI people.

If you have your Yubikeys with you while traveling, you might want to be
careful.

~~~
SystemOut
Why wouldn't you take them with you while traveling? The whole point is to use
them as part of your authentication chain.

~~~
dombili
You clearly misread or didn't read my comment because I didn't say anything
about not taking your Yubikeys with you while traveling.

>The whole point is to use them as part of your authentication chain.

I know and that's exactly why I said you might want to be careful with them
while traveling. If your keys are taken away from you and you don't have any
backup solution (such as recovery keys), you will get locked out of your
important accounts.

------
kweks
It seems that hardware breakdowns inevitably place a 'raw materials' costing
to ojects broken down, often (but less in this instance) - as a somewhat
passive-agressive dig at the company: "They sell it for $50, but it's only got
$10 worth of components in it!"

Outside of the obvious external costs (development, transport, overheads,
import, profit, etc), PCB + Tooling costs are often wildly underestimated.

For reference, a PCB of this size requires a setup + stencil template, which
would run ~ 400 - 500 USD.

Tooling for the plastic injection mold for this piece would run around 5000
USD, and each subsequent piece would probably cost around 10 - 50c USD.

Tooling + PCBA done right have significant upfront costs that often seem to be
forgotten.

~~~
nickpsecurity
To support your point, most of the delays in the JackPair Kickstarter involve
tooling for the casing. The recent one admits they should've talked to an
expert before they even settled on the prototype because they had no idea how
much trouble it would cause at manufacturing time.

Hence, the popularity of the Design for Manufacturing concept these days...

~~~
kweks
Tooling and injection molding is an arcane art. Most people would be amazed to
realise that the tooling to make even the yubikey would probably be around
45cm x 45cm of (almost) solid steel block.

They'd be probably even more surprised to find that it'd cost 10k - 15k to
make the tooling.

Diagnosing / 'debugging' issues with injection molding is incredibly difficult
- again - it's almost black magic, and it's sadly a skill that's getting
harder and harder to find.

If you cast your eyes around your desk / room, we see molded plastic parts
every where - so we make the assumption that they must be cheap and easy to
do.

And indeed - the assumption of facility due to availability is a very common
trap that many kickstart projects fall into.

It's harder to scaffold and pivot in real life ;)

~~~
hga
Apple justified their purchase of a Cray in part for this use case.

~~~
nickpsecurity
That's something else. You got a link for that?

~~~
hga
Nope, just contemporaneous memory, and by then I'd learned a lot about
manufacturing by working at LMI, so it was something I paid attention to. Try
e.g.
[https://www.google.com/search?q=apple+cray+injection+molding...](https://www.google.com/search?q=apple+cray+injection+molding+simulation)
which got me these two top hits:

ftp://ftp.cray.com/announcements/product/OLD/Moldflow_Partnership.930408.txt

[http://www.clock.org/~fair/computers/sgi-
cray.html](http://www.clock.org/~fair/computers/sgi-cray.html)

The latter should be authoritative, Eric Fair was an Apple sysadmin in the
'80s or thereabouts (and son of the Fair in Fair Issac, the inventors of
credit scoring).

And there were quite a few more links I didn't check out.

~~~
nickpsecurity
That's a trip! I didn't consider the need for a supercomputer because I knew
so little about the topic. Yet, the text file reminds me of the descriptions
on solving fluid dynamics problems where they had to do intensive simulations
to measure behavior of fluid in some situation. That's always advertised by
supercomputer vendors. Seems molding has similar requirements.

Extra funny if that exchange between Scully and Cray happened. One of
computing's more interesting synchronicities. :)

Btw, I recently found out that Cray had another company making a play in
reconfigurable market. He died in a car accident but they followed through
with interesting technology:

[http://srccomputers.com/](http://srccomputers.com/)

------
niels_olson
I accidentally ran over my Yubikey with my Honda Accord, on a key ring with a
fin key (1). I dusted it off and it works fine 6 months later. Seriously, if
you're in a position where you're using a Yubikey, getting another Yubikey
isn't that big a deal for the organization. In fact, if you're a solo
practitioner using something like Yubikey, I recommend you get another one and
just keep it in a lock box in the event you, say, run over the primary with
your car :)

(1) [http://www.amazon.com/FCS-Moulded-Steel-Fin-
Key/dp/B003JCQPX...](http://www.amazon.com/FCS-Moulded-Steel-Fin-
Key/dp/B003JCQPXM)

~~~
malandrew
It's actually recommended that you get two yubikeys and connect both to every
account and keep the backup safe.

------
ChuckMcM
Nice article, would be interesting to build something that HexView did, in
fact, find "nearly indestructible". Full disclosure I'm a fan of the Yubikey,
I think that something like it will be the future of operational security for
networks. Requiring the key be present to answer challenges helps a lot.

------
j_s
Read a much more detailed security review of the Yubikey as it works in
practice here:

[http://www.unrest.ca/yubico-reinvents-the-
yubikey](http://www.unrest.ca/yubico-reinvents-the-yubikey)

------
Luc
That's a lot of text to say nothing of interest. I really love how they
question the trade offs made in the PCB design, as if these things didn't
occur to the designers.

~~~
spectralblu
Disappointed that they did nothing to probe the onboard MCUs to see if they
could get it to leak anything, and just dismissed that with "we expect it to
get high marks there." This seems an awfully low quality report from an
infosec company. I was hoping to see an audit of the controllers onboard to
see if (and if so, how much effort) they can extract onboard secrets, because
after all that's the whole purpose of this device, to act as a secrets
repository.

~~~
detaro
First line of the page: _Yubikey is a curiosity-driven side project for us and
we have plans to dig a bit further into hardware as time permits. If anybody
could confidentially help with NXP datasheets, it would be much appreciated._

I guess they could have waited until they had more to publish it, but I found
it interesting regardless

~~~
danielvf
NXP processor manuals and datasheets are on NXP's website. Just google for
"13xx User Manual". Here's a link to 13xx series user manual[1]

(I've just finished a year working on an embedded project using NXP 13xx
series processors, and NXP's documentation is top notch.)

[1]
[http://www.nxp.com/documents/user_manual/UM10375.pdf](http://www.nxp.com/documents/user_manual/UM10375.pdf)

------
beagle3
While we're at it .. are there any other tokens/smartcards that could be used
for signing messages (ECC preferable, RSA acceptable)? I only know of YubiKey
and the KernelConcepts PGPcard.

~~~
X-Cubed
Nitrokey is another one:
[https://www.nitrokey.com/](https://www.nitrokey.com/)

~~~
beagle3
Thanks. Nitrokey looks nice. I'll have to look deeper into the github repo to
see what it actually supports in hardware though - the website does not
mention the smartcard standards that are actually supported.

~~~
jans23
Nitrokey Pro uses the OpenPGP Card, Nitrokey HSM uses the SmartCard-HSM.

------
justhere4beer
Hard to take your article seriously with statements such as "...Levels 1 and 2
of the FIPS140-2 certification are just a marketing gimmick". Even harder to
believe Jakob took the time to respond.

~~~
gruez
Hexview provided their reason for believing that. Care to explain why you
think otherwise?

~~~
nickodell
Original quote:

>That is not a big deal, considering that Levels 1 and 2 of the FIPS140-2
certification are just a marketing gimmick for most electronic devices.

They have a point here: technically, the iPhone is FIPS140-1/2 compliant. _By
itself,_ that doesn't mean that the device is secure. It does show two
important requirements for security.

~~~
justhere4beer
FIPS isn't trivial. There is a lot of shit crypto on the market, establishing
FIPS is not banal. Regardless of FIPS, if not utilized properly, it protects
nothing. If utilized correctly, it protects what it needs to. Discounting it
show lack of understanding.

