YubiKey Validation Architecture


CSCF does not use the Yubico-supplied public validation cloud for OTP validation. Instead we have implemented our own OTP validation infrastructure, outlined below. No validation request and no YubiKey secret leaves the University.

YubiKey OTP validation in CSCF is implemented through a cluster of synchronized, web-based validation servers called YK-VAL. An OTP validation request may be sent to any YK-VAL in the cluster over https; if the chosen YK-VAL does not respond, CSCF clients are configured to fail over to an alternate YK-VAL.



When an OTP validation is required by a client (through a PAM stack module, for example), the user uses the YubiKey to generate an OTP. The OTP is a forty-four (44) character string composed of a twelve (12) character public device identifier followed by a thirty-two (32) character AES-encrypted passcode. The passcode is the "one time" component of the OTP; the device identifier is always the same. The passcode is generated and encrypted inside the YubiKey using internal counters and a 128-bit AES key that was programmed into the YubiKey at initialization time. The whole OTP is output in an encoding called 'modhex', which spends two characters per byte, so the passcode is exactly one 16-byte AES block and the identifier is 6 bytes. It is this forty-four (44) character modhex string that is forwarded to one of the YK-VAL servers.

Upon receiving an OTP for validation, the YK-VAL in turn forwards the modhex string, again via https, to a cluster of Key Storage Modules, called YK-KSM, for decryption of the OTP.

As with the YK-VAL, the YK-KSM clients (the YK-VAL servers) may use any one of the YK-KSM and are configured to fail over to an alternate if contact cannot be established. Only the YK-KSM holds the secret AES key for each YubiKey, so only it can perform the decryption. Using the AES key that corresponds to the device identifier included in the OTP, the YK-KSM decrypts the passcode portion of the OTP and returns the result to the calling YK-VAL, again via https. The YK-VAL compares the counters carried in the decrypted passcode to the last counters recorded for that YubiKey in the YK-VAL database; a passcode whose counters are not newer than the recorded ones is rejected as a replay. With this information the YK-VAL renders a pass or fail response to the client.
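The three steps above (the modhex OTP layout, decryption at the YK-KSM, and the counter comparison at the YK-VAL) as one added worked example in Python. It is not CSCF's or Yubico's code. The modhex alphabet, the field layout of the decrypted block and the CRC-16 residue check are Yubico's published OTP format; the status strings, the public and private identifiers and the counter values are constructed demo values. The AES-128 decryption itself is the YK-KSM's job and is replaced here by a null-cipher stand-in so the example runs offline; everything after that point (the CRC check that catches a wrong key, the private-id match, and the counter comparison that rejects replayed or stale OTPs) is the real validation logic.

```python
import struct
from collections import namedtuple

MODHEX = "cbdefghijklnrtuv"   # Yubico's layout-independent hex alphabet, c..v = 0..15
CRC_OK_RESIDUE = 0xF0B8       # crc16() of a block that ends in its own complemented CRC
Token = namedtuple("Token", "private_id session_counter timestamp use_counter")


def modhex_decode(text):
    """Modhex string -> bytes; ValueError on a bad character or odd length."""
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("not modhex")
    return bytes(MODHEX.index(text[i]) << 4 | MODHEX.index(text[i + 1])
                 for i in range(0, len(text), 2))


def modhex_encode(data):
    return "".join(MODHEX[b >> 4] + MODHEX[b & 0xF] for b in data)


def split_otp(otp):
    """44-char OTP -> (12-char public id, 16-byte AES-encrypted passcode)."""
    otp = otp.strip().lower()
    raw = modhex_decode(otp)
    if len(raw) != 22:
        raise ValueError("OTP must be 44 modhex characters")
    return otp[:12], raw[6:]


def crc16(data):
    """CRC-16 used inside the YubiKey block (poly 0x8408 reflected, init 0xFFFF)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def parse_token(plain):
    """Decrypted 16-byte block -> Token. A wrong AES key or a corrupted OTP
    gives random plaintext, which the CRC residue check rejects."""
    if plain is None or len(plain) != 16 or crc16(plain) != CRC_OK_RESIDUE:
        raise ValueError("bad length or CRC")
    # bytes 0-5 private id, then session ctr (LE16), timestamp low (LE16),
    # timestamp high (8), use ctr (8), random (LE16), crc (LE16)
    ctr, ts_low, ts_high, use, _rnd = struct.unpack("<HHBBH", plain[6:14])
    return Token(plain[:6].hex(),
                 ctr & 0x7FFF,            # ++ at each power-up; bit 15 is the caps-lock flag
                 ts_low | ts_high << 16,  # ~8 Hz tick since power-up
                 use)                     # ++ per OTP within one session


def build_token(private_id, session_counter, timestamp, use_counter, rnd=0):
    """Lay a plaintext block out as the key does before AES: the CRC of the first
    14 bytes is stored complemented, LSB first, so the block checks to CRC_OK_RESIDUE."""
    body = private_id + struct.pack("<HHBBH", session_counter, timestamp & 0xFFFF,
                                    timestamp >> 16, use_counter, rnd)
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)


class ValidationServer:
    """Minimal YK-VAL: ask the KSM to decrypt, then enforce counter monotonicity."""

    def __init__(self, ksm_decrypt, private_ids):
        self.ksm_decrypt = ksm_decrypt  # (public_id, ciphertext) -> 16-byte plaintext
        self.private_ids = private_ids  # public_id -> expected private id (hex)
        self.last_seen = {}             # public_id -> (session_counter, use_counter)

    def validate(self, otp):
        try:
            public_id, ciphertext = split_otp(otp)
            if public_id not in self.private_ids:
                return "UNKNOWN_KEY"
            token = parse_token(self.ksm_decrypt(public_id, ciphertext))
        except ValueError:
            return "BAD_OTP"
        if token.private_id != self.private_ids[public_id]:
            return "BAD_OTP"
        counters = (token.session_counter, token.use_counter)
        if counters <= self.last_seen.get(public_id, (-1, -1)):
            return "REPLAYED_OTP"       # same or older counters: replayed or stale OTP
        self.last_seen[public_id] = counters
        return "OK"


# --- Constructed demo data, not real key material --------------------------
PUBLIC_ID = "ccccccbdefgh"                  # hypothetical 12-char public id
PRIVATE_ID = bytes.fromhex("0102030405a5")  # hypothetical 6-byte private id


def null_cipher_ksm(public_id, ciphertext):
    """Stand-in for the YK-KSM, which would look up the AES-128 key for public_id
    and decrypt the single block; offline we use a null cipher instead."""
    return ciphertext


def emit_otp(session_counter, use_counter, timestamp=0x1234):
    """Stand-in for the YubiKey, under the same null cipher as null_cipher_ksm."""
    return PUBLIC_ID + modhex_encode(
        build_token(PRIVATE_ID, session_counter, timestamp, use_counter))


def demo():
    val = ValidationServer(null_cipher_ksm, {PUBLIC_ID: PRIVATE_ID.hex()})
    first = emit_otp(5, 0)
    tampered = first[:-1] + ("b" if first[-1] != "b" else "d")
    return [val.validate(first),                        # OK
            val.validate(emit_otp(5, 1)),               # OK: next press, same session
            val.validate(first),                        # REPLAYED_OTP: already used
            val.validate(emit_otp(4, 9)),               # REPLAYED_OTP: older session
            val.validate(emit_otp(6, 0)),               # OK: key powered up again
            val.validate(tampered),                     # BAD_OTP: CRC check fails
            val.validate(first[:43]),                   # BAD_OTP: wrong length
            val.validate("bbbbbbbbbbbb" + first[12:])]  # UNKNOWN_KEY
```

Running demo() shows the same OTP accepted once and rejected on the second try, and an OTP from an earlier power-up session rejected once a later session has been seen. The (session_counter, use_counter) pair kept per public id is the state that the synchronized YK-VAL cluster described above has to share; the private id and AES key never leave the YK-KSM side of the exchange.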

Why YK-KSM is Separate from YK-VAL

Technically, the YK-KSM service could be built into the YK-VAL cluster. However, this would put the YubiKey secret AES keys at greater risk of exposure. Every client system that uses YubiKey validation requires web access to the YK-VAL servers, but those client systems need no web (or any other) access to the YK-KSM service; only the YK-VAL servers need to contact it directly. Placing the YK-KSM service on separate servers from the YK-VAL lets the administrators firewall the YK-KSM against all web access except connections from the YK-VAL servers. The difference matters: a compromised YK-VAL exposes only the counter database, whereas a compromised YK-KSM exposes the AES keys, with which an attacker could mint valid OTPs for every YubiKey issued. Yubico recommends this arrangement.

-- ClaytonTucker - 2015-07-23

Topic revision: r8 - 2015-07-29 - ClaytonTucker