Clipperz with SecurID?

5 views
Skip to first unread message

Jim Dunlop

unread,
Aug 12, 2008, 12:50:27 AM8/12/08
to Clipperz
What would be involved in developing such a matchup? I can think of
no better way to access my accounts than a SecurID FOB or something
very similar... Right now, I have a passphrase to access my Clipperz
account -- but it is long. Really long. (Think: paragraph), and
although secure, takes a while to input. Any program or webapp (like
Clipperz) is only as secure as its master password, and any form of
"strong password" is a bugger to remember -- which is why I got
Clipperz in the first place -- so I could use strong passwords with my
online banking and credit card stuff.



Giulio Cesare Solaroli

unread,
Aug 12, 2008, 4:01:11 AM8/12/08
to drinkacu...@gmail.com, Clipperz
Hello Jim,

we already had a long discussion on the option to integrate the
Yubikey to simplify the access to the Clipperz service.

The problem is that all these solutions (SecurID, Yubikey, etc...)
allows for an easy and convenient way for an user to identify itself;
but this is just half of the story to access the Clipperz service.
Once the system has identified you, you need to provide a strong
secret to decrypt all your data.

Other systems have a two steps login, where they first ask for a
"regular" password to identify the user, and later on they ask for
another password to decrypt the content stored on the server.

The first step would be easily integrate with SecureID and Yubikey,
but you will always end up having to insert a strong password
directly.

While designing Clipperz we immediately realized that this two steps
login procedure would have been a pain in the neck for the users, and
so we found a secure way to combine the two steps together. But behind
the scene, we do perform both steps anyway.

At this point we have not found any reasonable / affordable and
convenient way to provide a strong secret to decrypt all your data but
asking for a secure passphrase. As we can not skip this step, we have
at least avoided any further burden on the user.

Hope this helps understanding better the problem.

Best regards,

Giulio Cesare

v.ovcacik

unread,
Sep 12, 2008, 6:04:08 PM9/12/08
to Clipperz
Hello Giulio,
thanks you I now understand how yubiko works. I was really full of
enthusiasm when I learnt about yubikey, real "wow" effect :-)
So you could say with yubico: "Yes, you are really this user, but we
are sorry, your data are encrypted. Give us your passphrase anyway!"
But I think there is reasonable way to use yubikey with clipperz:
If an user would be forced to type his username, passphrase (like now)
and even provide yubico passphrase. Would it have some efect?
I think it would be better protection against possible keyloggers?

On 12 Srp, 10:01, "Giulio Cesare Solaroli" <giulio.ces...@gmail.com>
wrote:
> Hello Jim,
>
> we already had a long discussion on the option to integrate theYubikeyto simplify the access to the Clipperz service.
>
> The problem is that all these solutions (SecurID,Yubikey, etc...)
> allows for an easy and convenient way for an user to identify itself;
> but this is just half of the story to access the Clipperz service.
> Once the system has identified you, you need to provide a strong
> secret to decrypt all your data.
>
> Other systems have a two steps login, where they first ask for a
> "regular" password to identify the user, and later on they ask for
> another password to decrypt the content stored on the server.
>
> The first step would be easily integrate with SecureID andYubikey,
> but you will always end up having to insert a strong password
> directly.
>
> While designing Clipperz we immediately realized that this two steps
> login procedure would have been a pain in the neck for the users, and
> so we found a secure way to combine the two steps together. But behind
> the scene, we do perform both steps anyway.
>
> At this point we have not found any reasonable / affordable and
> convenient way to provide a strong secret to decrypt all your data but
> asking for a secure passphrase. As we can not skip this step, we have
> at least avoided any further burden on the user.
>
> Hope this helps understanding better the problem.
>
> Best regards,
>
> Giulio Cesare
>

Giulio Cesare Solaroli

unread,
Sep 23, 2008, 4:04:47 PM9/23/08
to v.ov...@gmail.com, Clipperz
Hello,

using yubico on top of the current username/passphrase authentication
would provide very little help into protecting the user. A keylogger
would in fact be able to get access to the real valuable data
(username and password) anyway.

The only improvement would be that the server will not provide the
actual data if the yubico key does not match. But we are already
suggesting our users to take regular offline copies of their data, and
so the logger could probably easily search for the same data locally
on the computer itself.

It would be definitely an improvement but in my personal opinion, the
(security) gain is not worth the (usability) pain.

Thanks for sharing your idea with us.

Best regards,

Giulio Cesare

Reply all
Reply to author
Forward
0 new messages