Yubikey PIV: Enforce PIN complexity - yubico

I'm trying to enforce PIN complexity for PIV certificates.
The PIV Manager (which, as I understand, is no longer under development) had an option to enforce this, but the YubiKey Manager does not have such an option afaik.
So I'm forced to use the PIV Manager if I want to enforce this. The "interesting" part is, when I enforce the PIN complexity via PIV Manager, I'm still able to set "11111111" via the YubiKey Manager.
This means the YubiKey Manager straight ignores the settings set via PIV Manager. Also, this seems like a security risk if I can just overwrite the PIN, ignoring the complexity enforcement.
Is there any way to enforce the PIN complexity via the YubiKey Manager, or can I ensure that it does not ignore the settings set via PIV Manager?

PIV PIN Complexity on the YubiKey is not natively supported on the firmware. The YubiKey stores the PIV PIN internally as a byte string, but cannot translate it to readable text and apply complexity rules when the PIN is being written to the YubiKey.
However, the YubiKey can easily check the length of the PIN byte string on write, and reject PINs which do not fall into the allowable length defined by the NIST PIV specifications.
The NIST PIV specifications do not set complexity requirements for PIN values beyond length, so the implementation on the YubiKey is compliant with their guidance.
Some tools used for setting the PIV PIN on the YubiKey have internal checks on complexity, but these are executed prior to the PIN being written to the YubiKey hardware. In these cases, the complexity is only enforced at the tool level, and can be bypassed (as noted) by other applications writing a new PIN to a YubiKey.
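The split described in this answer, as an added example that is not part of the original thread and not Yubico code: a model in which the token checks only the length of the PIN byte string, while complexity lives in whichever client chooses to apply it. The 6 to 8 byte range is the PIV PIN length and is not stated on this page; `toolPolicy` and its rules are hypothetical.

```go
package main

import "fmt"

// cardAccepts models the only check the answer attributes to the hardware:
// the PIN byte string must have an allowable length (assumed here: 6 to 8
// bytes, the PIV range). The bytes themselves are opaque to the device.
func cardAccepts(pin []byte) bool {
	return len(pin) >= 6 && len(pin) <= 8
}

// toolPolicy is a hypothetical client-side rule set, evaluated before the
// PIN is sent to the token. It rejects single-character PINs and straight
// ascending or descending runs such as "12345678".
func toolPolicy(pin string) error {
	if !cardAccepts([]byte(pin)) {
		return fmt.Errorf("length must be 6 to 8 bytes")
	}
	same, up, down := true, true, true
	for i := 1; i < len(pin); i++ {
		d := int(pin[i]) - int(pin[i-1])
		same = same && d == 0
		up = up && d == 1
		down = down && d == -1
	}
	if same || up || down {
		return fmt.Errorf("PIN is a repeated or sequential pattern")
	}
	return nil
}

// changePIN models one application writing a new PIN. Only applications
// that call the policy enforce it; the token's check is the same either way.
func changePIN(pin string, enforce bool) bool {
	if enforce && toolPolicy(pin) != nil {
		return false
	}
	return cardAccepts([]byte(pin))
}

func main() {
	for _, pin := range []string{"11111111", "12345678", "83k1q7", "1234"} { // constructed samples
		fmt.Printf("%-10q with policy: %-5v without policy: %v\n",
			pin, changePIN(pin, true), changePIN(pin, false))
	}
}
```

In this model a complexity rule holds only if every application that can reach the PIN change operation applies it, which is why a provisioning policy has to cover all of the tools in use.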

Related

BLE 5.0 security

I was wondering if there is any material improvement/difference in BLE security controls/requirements in BLE 5.0 spec as compared to BLE 4.2 spec. Could you advise? I skimmed through the BLE bits in the huge Bluetooth 5.0 core spec but that didn't help.
I am aware that there are significant security improvements in BLE 4.2 vs its predecessors BLE 4.0/4.1.
Any pointers will be much appreciated.
Thanks
Rick
By comparing the Security Manager chapter (which defines the BLE pairing/bonding) in the Core specification of version 4.2 and 5, there are basically no changes at all except editorial ones.
The only feature difference is one in the algorithm to convert an LE LTK to/from a BR/EDR Link Key. The change here is one intermediate step that takes the key as input and generates an intermediate key using AES-CMAC with a fixed salt. Previously the LTK/Link Key was the key and the salt was the message (to AES-CMAC) while now the salt is the key and the LTK/Link Key is the message. This change is probably to make sure the stored key is not used for different purposes, which otherwise could be a security issue.

Modifying Bluetooth Low Energy Beacon

I was wondering if it is possible to modify the contents of a BLE beacon to include extra information. If you insert an extra bit at the end you could potentially broadcast a boolean in one direction. Theoretically, if you modified your device to read the extra bit of information this would work. Given existing protocols though it sounds like this would be a lot of work. Is there something out there like this already?
For info, I'm working on the mbed platform where you can modify your own bluetooth beacon payload.
Yes, you can do this with the new AltBeacon specification. There is a one byte manufacturer reserved field which you can use for whatever you want (tied to your manufacturer ID).
There are reference implementations of the specification available for Linux to show you how it works, and there is no reason you cannot implement it on the mbed platform.

Custom non-common filesystem for embedded linux

My embedded linux gets its data files from an external source (sd card). As this media is easily detachable I'd like to protect it in a certain way.
First idea that comes to mind is to do encryption. I'm afraid though this would take too much processing power. My files are not deeply sensitive, but I don't want that people can put the card into their desktop and see/copy my files. I assume these people know how to mount a standard ext4 drive.
Content is initially loaded on to the disk via a desktop linux box, so the process should be
I wouldn't care too much if the solution is not hack-proof. Basically I want to avoid to have my content copied by the general copycat.
I'm not looking for a turn-key solution, but like to get some pointers into the right direction.
A simple XOR Cipher requires very little processing. The security is limited in the sense that if someone has both the encrypted and plain-text data, by XOR'ing the two the encryption key is revealed. However so long as you can avoid someone being knowingly in possession of both, and the key itself remains confidential, it may meet your requirements of simplicity and security.
Obviously you need a longer key than the simple 8 bit one in the example in the link. The key itself can be arbitrarily long with no impact on performance.
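The limitation this answer describes, as an added example that is not part of the original post: a repeating-key XOR over constructed data, and the key falling out once one plaintext and its ciphertext are held together. All names, the key and the file contents are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
)

// xorStream applies a repeating-key XOR; the same call encrypts and decrypts.
func xorStream(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i := range data {
		out[i] = data[i] ^ key[i%len(key)]
	}
	return out
}

// recoverKey shows the limitation the answer describes: with one plaintext
// and its ciphertext, XOR gives the keystream, and the shortest period that
// reproduces the whole keystream is the key.
func recoverKey(plain, cipher []byte) []byte {
	ks := xorStream(plain, cipher) // plain XOR cipher = repeated key
	for n := 1; n <= len(ks); n++ {
		if bytes.Equal(xorStream(ks, ks[:n]), make([]byte, len(ks))) {
			return ks[:n]
		}
	}
	return ks
}

func main() {
	key := []byte("k3y-on-card")                                  // constructed key
	known := []byte("README: sample content shipped on the card") // constructed plaintext
	other := []byte("second file, never seen in plaintext")       // constructed plaintext
	got := recoverKey(known, xorStream(known, key))
	fmt.Printf("recovered key: %q\n", got)
	fmt.Printf("other file:    %q\n", xorStream(xorStream(other, key), got))
}
```

A longer key costs nothing at run time, as the answer says, but it does not change this property: any file whose plaintext is also available covers the key bytes it was XORed with.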

How to vary the supply voltage for Xilinx Virtex-5 FPGA ML501, ML506, and ML510 boards?

I'm trying to do an experiment to see how different supply voltages affect the frequency of ring oscillator and the reliability of SRAM cells. I have access to a couple of Xilinx Virtex-5 boards, namely, ML501, ML506, and ML510. I have tried to search the web, but so far I haven't found anything useful. I have some experience with FPGA design, but I have never tried to change the supply voltage before. So I'm really clueless on how to start. Can someone (who has done similar projects) please tell me how to vary the supply voltage of those FPGA boards?
I don't think you can easily change the power on those boards. They are using small power bricks with pre-defined power, so it will not be an easy task to change them, unless you remove them and replace them with external power.
But, you have to be careful, you must make sure that all the power is stable and correct before the FPGA is loaded, otherwise you may damage your (expensive) FPGAs.

programmable barcode scanner

Are there programmable barcode readers which I can put a program in? With that program I can tell the reader what the valid codes are, so the reader will refuse to read invalid codes.
Or, with that program, I can encrypt the codes it reads.
And, can I use Java to make the program?
There are various types of bar code readers from hand held scanners to counter top scanners to scanner attachments for mobile computers. Most use a USB connection though some use a Serial Port connection. Some are attached to a portable device such as a tablet and some such as a hand held scanner are plugged in. Some hand held bar code readers can also be used as a standing scanner which stands on the counter and do not have to be held.
The two major types of bar codes that I have seen are the standard bar code with the vertical lines of varying widths - see also bar code types from GS1.org - and the QR code from Denso Wave. Commercial point of sale scanners such as counter top or hand held scanners are designed for standard bar code with some also offering the ability to read QR codes. However not all hand held scanners can read QR codes.
Normally the bar code reader will scan the bar code and generate a text string which is then processed by some other device such as a point of sale terminal. I have not seen a bar code scanner that will allow a Java program or similar programmatic changes. However there are kiosk type or small devices with a built in scanner which are programmable. See this selection from Symbol.
Bar code readers with a USB connection typically have two ways to configure the drivers, as a HID type of USB device or as a wedge keyboard type of device. The wedge keyboard type of device is usually easier to interface to because it is the same as just reading text from keyboard entry. When using wedge keyboard type of interface, you will typically program the bar code scanner to generate a guard character so that when that character comes into your application you know that it is text generated by the bar code scanner and not from someone typing.
Some types of scanners will have an OLE for Retail POS OPOS Service Object that can be used with an OPOS Control Object. This approach provides device independence for your software since you would write your application to use the OPOS Control Object interface which solves a number of interface issues such as talking to the device using the HID USB interface. However OPOS is a COM type of interface which may be difficult with the Java programming language. Search for information on UnifiedPOS to find your way to the latest standards.
Hand held scanners will have factory settings out of the box and these settings may not be suitable for your application. The hand held scanners I have used can be programmed and their settings changed by a procedure in which special scan codes are scanned in a particular sequence. Normally the user manual for the particular scanner will have an appendix or two with the documentation as to what settings can be changed, the procedure or steps to use to make changes, and the bar codes to be scanned for the procedure steps. You will probably need to search the manufacturer's web site for the appropriate manual.
For instance the Motorola LS2208 Product Reference Guide contains various sections on setting up that hand held scanner for various environments and scanner applications. The following screen shot from a page of the guide shows the bar codes used to set up the device for USB interface.
Another option would be to have an application on a phone that uses a phone camera as the bar code scanner. However it appears that most cameras are not good for standard bar codes.
Most scanners for retail systems are fairly complex with lasers for the actual scanning. I have used several different types with point of sale application and they are all fairly easy to use. You can change the settings by entering commands using a set of bar codes which are part of the documentation. These settings are for such things as bar code symbology, prefix characters, suffix characters (prefix and suffix characters are used with wedge keyboard type of interface).
See this forum discussion on using a camera for standard bar codes.
See also this web page on Android bar code scanning.
