Yubico: Secure Hardware vs. Open Source

In discussions like this the phrase &quot;security by obscurity&quot; gets used as an accusation. We all agree &quot;security by obscurity&quot; does not work. But that&#x27;s not what is happening here.<p>Wikipedia&#x27;s definition: &quot;the reliance on the secrecy of the design or implementation as the main method of providing security for a system or component of a system.&quot;<p>Youbico isn&#x27;t saying that the security of the device is increased by keeping the source code secret.<p>They say they are increasing the security by things like this: disabling user-loading of new firmware (which could be a bad actor loading bad firmware), using hardware with built-in side-channel countermeasures, and disabling JTAG ports (which could be used for key extraction).<p>This isn&#x27;t obscurity. These are some good engineering arguments. Engineering is always full of trade-offs.

&gt; we, as a product company<p>The most important thing any security company needs to realize is that their primary product is their reputation, not the physical or digital goods that they produce. &quot;We, as a product company&quot; is totally the wrong attitude. There&#x27;s really no question about it, every ounce of closed source software&#x2F;hardware in a security offering is something the customer should be concerned about it.<p>From a product perspective it totally makes sense to be worried about open sourcing the entire design. &quot;Our competition will make clones!&quot; And that may be true of every other kind of product. But would you buy a cheap knockoff Yubikey? I certainly wouldn&#x27;t. Again, reputation is the key here. That&#x27;s what a security company sells to their customers. Confidence that when they buy from company X they know that company X has put the best engineers to the task and crafted a device that will protect their valuable digital information.<p>A company can build up a reputation in the security industry, produce world class hardware and software, and charge a sharp premium on it, because security is _so_ important and protects some of our most valuable assets. That premium is completely derived from the trust that they&#x27;ve garnered. It&#x27;s insane for Yubico to squander theirs under some false sense of IP security.<p>EDIT: And all that said, I totally understand where they&#x27;re coming from on some of their points. They have to depend on chip manufacturers, and chip manufacturers are just the absolute worst when it comes to open source and security. Sometimes there are hard constraints and compromises have to be made. Most of cryptography is a trade-off. So don&#x27;t take my comment to mean that designs absolutely have to be 100% open source. That&#x27;s infeasible most of the time for hardware. But Yubico should be striving for it and pressuring the market.

It&#x27;s a shame to see that they used the goodwill of security-conscious cryptonerds to gain a foothold on the market only to, effectively, say &quot;We&#x27;re now targeting enterprise and government who can afford to pay for third party contracting security auditors. You can&#x27;t, so just take our word that it&#x27;s secure.&quot;<p>Other companies have managed secret distribution for secure devices just fine - randomise the card manager key and bundle a tamper proof packet containing the key along with the product. Provide instructions on how to verify the integrity of the packet, and confirm a digitally signed affirmation of the key against Yubico&#x27;s public key online.<p>That&#x27;s more than RSA offers for SecurID seed verification and more than my business bank offers for two factor device PIN integrity checking.<p>I&#x27;m not sure who they use for their Secure Element (NXP?) but it also sounds like Yubico has gone along with their request (and NDA) to keep implementation details secret. We&#x27;ve seen a similar situation in SE implementations in mobile phones (for contactless payment, primarily).<p>Again, enterprise customers don&#x27;t care (mid-sized one have insurance that will cover loss if their Common Criteria EAL 5+ vendor&#x27;s hardware is compromised, big enterprise can pay for auditing). Governments don&#x27;t care (they&#x27;ll pay for auditing or negotiate it in any significantly high volume contract).<p>End users and the tech community are the only groups who&#x27;ll really lose out here.

I&#x27;ve studied high-assurance security and hardware for a long time. This looks to be motivated by a few things:<p>1. Hardware cost money to develop, has to make it back, and is easy to clone. They&#x27;ll keep hardware secret by default for this reason like everyone does. Also lowers odds of patent suits. All kinds of people demand open, secure hardware but almost nobody will buy it. Just like software. Number 1 problem in the INFOSEC industry.<p>2. There&#x27;s three companies IIRC building the kinds of secure IC&#x27;s they need. They NDA the stuff critical to understanding it. Plus, the implementations are secret with tamper-resistance mechanisms. Pointless relying on open-source model to understand or evaluate such a thing. Some marginal benefits but major risks would still be there. Whereas, open-sourcing the stuff <i>adds</i> risk in terms of issues with the suppliers. So, no OSS is an acceptable choice here.<p>3. Restricting some of the firmware&#x2F;software is a tradeoff of the protection methods they&#x27;re using. Again, reduces value in open-sourcing it as you&#x27;d have to dump it off the chip to verify it anyway. The kind of people that can do that don&#x27;t need Yubico&#x27;s help.<p>4. Yubico might not know how to build secure HW&#x2F;SW combos. It&#x27;s a rare skill whose techniques are a mix of published and trade secrets. Plus, attackers are always coming up with new stuff. So, obfuscation... not security by obscurity... but obfuscation of aspects of design to increase work of attackers between product releases is both justified and a proven method. If no other measures exist, then it would be the garbage known as security by obscurity. This seems to be better practice of proven mechanisms plus obfuscation which can hamper even nation-state hackers. Who knows how good <i>their</i> mechanism are going to be but there&#x27;s potential.<p>So, it seems like a combination of sustaining their business by stopping clones and lawsuits with improved branding from effects of obfuscation &amp; hardened IC&#x27;s on low-skilled attacks that dominate the press. Two, very-good reasons to make a decision in this market. It&#x27;s just economics in action. :)

After thinking through the initial &quot;this is terrible&quot; reaction, I actually don&#x27;t mind what they&#x27;re doing. Even though if there was an equivalent solution that was based on open source I&#x27;d definitely choose it over YK 4.<p>I also don&#x27;t see anything that would really prevent them from just releasing the source they&#x27;re using, even if we can&#x27;t realistically do anything useful with it. The whole point of those systems is that it&#x27;s secure via algorithms and hardware silos - releasing their sources shouldn&#x27;t change anything.<p>But in practice it doesn&#x27;t really matter that much - as long as they use standard interfaces and replace your key for free if someone finds a vulnerability, I&#x27;m (cautiously) fine with their new position. I think a big part of the issue is that they did something better before, but if they started with the current design, people wouldn&#x27;t really complain about it that much.

Couldn&#x27;t a hardware vendor theoretically provide read-only access to the firmware and then have an open-source reproducible build process so that anyone can build their own copy of the firmware and verify that the firmware on the device is bit-for-bit identical? Wouldn&#x27;t that satisfy people who want to be sure of what code is running on their device while still preventing an attacker from loading custom firmware?

The argument for disabling loading new firmware <i>on your own device</i> is valid. It prevents an outside actor loading malicious firmware. But it&#x27;s a tradeoff: it means that if a vulnerability is found, the device has to be replaced, and users can&#x27;t customize their firmware. That&#x27;s a good tradeoff; I&#x27;d rather risk paying for a new Yubikey than risk a security compromise, and most users are unqualified to verify the security of firmware being loaded onto the device.<p>The problem is, it&#x27;s not a tradeoff <i>Yubico</i> have to make. They can allow users to achieve the same goals by distributing the device un-flashed, with the source code to the firmware. Upon flashing, the firmware would disable further flashing. If the user doesn&#x27;t like this tradeoff, the user can choose to change the code. As a courtesy to more trusting users they could provide the service of optionally flashing devices for you. And qualified users can verify the security of the firmware before loading it.<p>But by flashing the devices themselves, Yubico has chosen the worst of both worlds. Now an outside actor can once again add malicious firmware: <i>Yubico is an outside actor</i>. AND nobody can verify the security of the firmware. This isn&#x27;t even a tradeoff, it&#x27;s just a loss.

I am pleased they took the time to respond in length. It makes a bit more sense now (NDAs, hardware manufacturers, etc...) vs. the &#x27;security by obscurity&#x27; mantra prevalent in the replies.<p>I have had my own business, and the one thing I would say to the critics of Yubico: If you have a way, given existing hardware and software tools and suppliers, to do a better job, step up and do it. AFAIK, Apple didn&#x27;t opensource their hardware related to crypto, or their software.<p>I think you will find it takes more than wishful thinking; more like, put your money ( = or your time) where your mouth is. Engineers, and I don&#x27;t just mean CI engineers here, know it is a long way from a math equation or set of equations to a real world working object. I would love to see, and I would contribute money to an opensource solution. I just don&#x27;t think it is as cookie-cutter simple as the majority of comments seem to intimate on this forum.

BTW, the two major manufacturers they&#x27;re talking about are NXP (<a href="http:&#x2F;&#x2F;www.nxp.com&#x2F;" rel="nofollow">http:&#x2F;&#x2F;www.nxp.com&#x2F;</a>) and Infineon (<a href="http:&#x2F;&#x2F;www.infineon.com&#x2F;" rel="nofollow">http:&#x2F;&#x2F;www.infineon.com&#x2F;</a>). STMicroelectonics (<a href="http:&#x2F;&#x2F;www.st.com&#x2F;" rel="nofollow">http:&#x2F;&#x2F;www.st.com&#x2F;</a>) is also a player here and Feitian has also started doing it (<a href="http:&#x2F;&#x2F;www.ftsafe.com&#x2F;product&#x2F;epass&#x2F;eJavaToken" rel="nofollow">http:&#x2F;&#x2F;www.ftsafe.com&#x2F;product&#x2F;epass&#x2F;eJavaToken</a>). NXP and Infineon are notoriously hard to get started with for small companies and independent developers but they have some very clever proprietary stuff in their chips.

Very long post. Apparently, very simple explanation: they want to use NXP hardware, and NXP requires NDAs, preventing them from meaningfully opening source code to the platform.

This reads more like an excuse then a reason. Nothing of what he says is a reason that prevents them from being more open.<p>All that he says is summarized in &quot;it was too hard to think of a solution, so we didn&#x27;t do it.&quot;

My opinion on this is that physical security is paramount. Your threat model can&#x27;t possibly eliminate all threats from an adversary that has physical access.<p>No hardware is 100% secure and for Yubico to say this issue is about &quot;Secure Hardware vs. Open Source&quot; seems like a red herring. Perhaps they are just trying to protect their business model? After all, there isn&#x27;t anything particularly unique about the hardware.

well, it&#x27;s a shame that poor arguments get recycled like this, but it does make for easy dismissal - cryptography is based off of the idea that the methods used totally transparent, the power to decrypt comes from possession of the appropriate keys. by closing a design, hiding it from scrutiny from the majority of hackers like ourselves, helps no one other than the individuals who wish to gain unauthorised&#x2F;unwanted access.<p>this is a fundamental concept in FOSS and for anyone to try and rationalise their way out of it - be it out of some corrupted sense of trying to do the right thing - is absurd.<p>fortunately i feel that the very people that would be interested in this device will be aware of this; i hope the folks at yubico reverse this decision.

This story made me think a bit about devices like the Yubikey. I&#x27;d really like one to store my keys to sign mail, or for two-factor-authentication. But the main selling point, the tamper-resistant secure-enclave-like chip, is something I don&#x27;t need. I&#x27;d rather have a tiny microcontroler in USB format that I can program myself and understand nearly 100%, with no secret code going on.<p>My reasoning: I don&#x27;t need physical tamper-resistance for my threat scenario - if it is stolen by a random thief, a coworker, a &quot;friend&quot;, etc..<p>But if I was attacked by a nation-state-like actor, I cannot trust any security measure of the device. How do I know the NSA does not have a copy of every &quot;random&quot; card-manager key? How do I know that generated keys are not subtly biased so that they can be guessed easily? Or that there is not a secret function to extract them? Even if Yubico is 100% honest and their device is clean, I must assume that if e.g. the NSA were after me, they have the technology to extract the keys from the device, no matter what protection it has.

I understand where they&#x27;re coming from. Though it would be even braver for them to get into the IC design game, and make a chip with the properties they desire. They can then publish whatever they would like about that chip.

tl;dr: code is closed and I can&#x27;t change it anyway so it shouldn&#x27;t matter to me.<p>I hope the response from consumers will be: we understand your position. Unfortunately that is unacceptable and we&#x27;ll look for another vendor. It is mine. I own a Neo, not getting any of their future products.<p>Also as a strategic guideline...maybe if you&#x27;re in the business of security...don&#x27;t use hardware that requires NDAs. Yes it&#x27;ll make it impossible to do some stuff and more expensive to do some stuff but I&#x27;d say there&#x27;s really no option to compromise.

While it is good that they are implementing all these hardware security features, I think that we are in general over thinking the whole thing.<p>Their current industrial design very clearly says &quot;hey, I am an important security key&quot;, which is exactly the wrong thing to do.<p>It should instead look like a cheap flash drive. And when the thief plugs it in, he sees exactly that, a low capacity USB flash drive, unencrypted, with some random documents on it.<p>Is the thief at this point going to perform some sophisticated hardware hacking? No, it will just get thrown away.

The industry of smartcards and similar devices has annoyed me for a long time, mainly due to its failure to provide a secure general purpose computing environment and get out of the way. I wrote about it some time ago: <a href="https:&#x2F;&#x2F;www.devever.net&#x2F;~hl&#x2F;smartcards" rel="nofollow">https:&#x2F;&#x2F;www.devever.net&#x2F;~hl&#x2F;smartcards</a>

I have been a long term user&#x2F;promoter of yubikeys. But today I ordered a Nitrokey Pro. They seem to be the better choice now. Definitely more open and with pen tests of hardware and firmware on their website. All schematics and firmware on GitHub.

You can get blank &#x27;java&#x27; smart cards and load open source applets on them, you don&#x27;t need Yubico.<p>Personally I only tried IsoApplet, but openpgp applet should work too.

Each key&#x27;s signature is randomized.... brilliant. So buying 1000 of the keys doesn&#x27;t give an attacker an advantage. Certainly flies in the face of FOSS, but this is about security... I&#x27;ll be watching this closely to see Yubico&#x27;s actions. I think so far this is a great response and I look forward to a non-sensationalist rebuttal.

I thought about this for awhile, and here are my thoughts about having the source code:<p>With the older YubiKey NEO devices, the applet source was available and I could freely upload an applet. This was great for a few reasons. I could modify or upgrade the app (of course, doing so would cause me to lose existing keys, which makes sense from a security PoV). (I actually did this on my old YubiKey.) I could also, in principle, audit the app. And, if I trusted Yubico to get their security right, I would trust that my freshly-arrived-in-the-mail device was secure. Moreover, if I trusted Yubico not to act maliciously, then the applet on the device I got in the mail would match the firmware on github, and I could trust that it did what I thought it did.<p>There were, of course, problems. The GlobalPlatform platform is awkward to use, the toolchain is terrible, and the key management is awkward at best.<p>I could not trust that a key I installed in the OpenPGP applet while my computer was compromised was secure.<p>With the new locked-down NEO devices, I can&#x27;t change out the applets, and the bad guys would also have trouble doing so. As before, if I trusted Yubico not to act maliciously, then the applet on the device I got in the mail would match the firmware on github, and I could trust that it did what I thought it did. Also, as before, I could not trust that a key I installed in the OpenPGP applet while my computer was compromised was secure (because an attacker would simply export it before uploading rather than swapping out the whole applet).<p>Enter the YubiKey 4. If I use one, I am completely at the mercy of Yubico and their third-party audits. I cannot audit the code myself. Even if I trust Yubico not to act maliciously, I have to take them entirely at their word that they didn&#x27;t accidentally mess up. And, of course, I cannot not trust that a key I installed in the OpenPGP applet while my computer was compromised is secure.<p>In other words, there&#x27;s a big difference between source-available and source-not-available, even if I can&#x27;t personally verify that the source I think I&#x27;m running is the source I&#x27;m running.<p>As an aside:<p>&gt; There is an inverse relationship between making a chip open and achieving security certifications, such as Common Criteria. In order to achieve these higher levels of certifications, certain requirements are put on the final products and their use and available modes.<p>This may well be true, but, if so, it&#x27;s a sad statement about Common Criteria and their misguided rules. Publicly disclosing the source code of an EAL5+ device should not reduce its supposed security level.<p>With SGX, Intel had the chance to offer a widely available security token (built in to every new CPU!) that anyone could freely program and use for their own security purposes. They blew it when they created their &quot;launch control&quot; policy, which essentially says that developers who don&#x27;t sign lots of contracts (which you can&#x27;t even <i>read</i> without an NDA AFAICT) can write an applet but can&#x27;t run it. The Linux community, at least, is pushing back <i>hard</i>, and this just might change in the next generation of CPUs or maybe even sooner. Fingers crossed.<p>This inspires a challenge to Yubico: give me a hardware token that runs applets. Let the token attest to the hash of a running applet, but let it run any applet whatsoever. If I want to verify that I&#x27;m running the bona fide Yubico OpenPGP applet, I can check the hash myself. If I want to replace it, I can, but then the hash will change. It&#x27;ll be hard: you&#x27;ll have to figure out a real isolated execution environment. It&#x27;s definitely doable, though.

Summary:<p>&quot;If you have to pick only one, is it more important to have the source code available for review or to have a product that includes serious countermeasures for attacks against the integrity of your keys?&quot;

Simply put, all things equal, the device will be reverse engineered and exploited sooner by well funded governments than a hacker collective.<p>Even worse, you won&#x27;t know when the device becomes obsolete. So you might be buying an insecure solution from the start.

A lot of handwaving which may throw those off who haven&#x27;t pondered the design constraints of hardened hardware. But alas, it essentially boils down to the same reason that every productized solution goes closed: it&#x27;s the expedient lazy option. Age-old antisecure solipsism.