Use YubiKey for Anti-Evil-Maid?

Eric

Nov 12, 2016, 3:07:19 PM
to qubes-users
Is there any way to use a YubiKey for Anti-Evil-Maid, instead of just a regular USB flash drive? I imagine (though I will be the first to say that I don't know) that the firmware on it is much less resistant to compromise/BadUSB attacks, and since it crypto something something, it seems a natural fit.

Of course, I haven't seen the code for AEM, and I know that it's a program instead of just a keyfile. Is there any possibility of two-factor authentication for anti-evil-maid? I.e., passphrase and a YubiKey?

Andrew David Wong

Nov 12, 2016, 6:19:11 PM
to Eric, qubes-users
On 2016-11-12 12:07, Eric wrote:
> Is there any way to use a YubiKey for Anti-Evil-Maid, instead of just a regular USB flash drive?

AFAIK, yes, but I haven't personally tried it, since I don't own a YubiKey.

> I imagine (though I will be the first to say that I don't know) that the firmware on it is much less resistant to compromise/BadUSB attacks, and since it crypto something something, it seems a natural fit.
>

There are, indeed, security considerations regarding the choice of medium for an AEM drive. Take a look at this issue:

https://github.com/QubesOS/qubes-issues/issues/1980

And this associated discussion thread:

https://groups.google.com/d/topic/qubes-users/I5clx1E-S9M/discussion

> Of course, I haven't seen the code for AEM,

Why "of course"? The source code is freely available for all to see:

https://github.com/QubesOS/qubes-antievilmaid

> and I know that it's a program instead of just a keyfile. Is there any possibility of two-factor authentication for anti-evil-maid? I.e., passphrase and a YubiKey?
>

Well, there's been some work done on using a YubiKey as a second factor for logging in to Qubes, but it's for the lock screen, not for AEM:

https://www.qubes-os.org/doc/yubi-key/

I'm not sure if it'd be possible to do with AEM, since that prompt is so early in the boot process.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org