Re: [qubes-users] Use YubiKey for Anti-Evil-Maid?

[Andrew David Wong]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-11-12 12:07, Eric wrote:
> Is there any way to use a YubiKey for Anti-Evil-Maid, instead of just a 
> regular USB flash drive?

AFAIK, yes, but I haven't personally tried it, since I don't own a YubiKey.

> I imagine (though I will be the first to say that I don't know), that the 
> firmware on it is much less resistant to compromise/BadUSB attacks, and since 
> it crypto something something, it seems a natural fit.
> 

There are, indeed, security considerations regarding the choice of medium for 
an AEM drive. Take a look at this issue:

https://github.com/QubesOS/qubes-issues/issues/1980

And this associated discussion thread:

https://groups.google.com/d/topic/qubes-users/I5clx1E-S9M/discussion

> Of course, I haven't seen the code for AEM,

Why "of course"? The source code is freely available for all to see:

https://github.com/QubesOS/qubes-antievilmaid

> and I know that it's a program instead of just a keyfile. Is there any 
> possibility of two factor authentication for anti-evil-maid? IE, passphrase 
> and a YubiKey?
> 

Well, there's been some work done on using a YubiKey as a second factor for 
logging in to Qubes, but it's for the lock screen, not for AEM:

https://www.qubes-os.org/doc/yubi-key/

I'm not sure if it'd be possible to do with AEM, since that prompt is so early 
in the boot process.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYJ6NoAAoJENtN07w5UDAwihQP/1MF4QStLEXh2WaTQ9rWaICC
ytB/kpujfvGvATB23/OkQ3qGElziBVQ308FYWXIs2HGHSteJPeH2Wx0EYpWjUgtf
6GgkVMjcQRFmIzbl29ZvcftrF1YhdV6HRHy+/DmdEAwfGu6sl4FHnoUV0/R2EaSf
AhbUpM4u0Y5G9ecqUz/lOVlvnKbX5UBuwE6gDPNEdMgHq6rVU28TsSw581UHxi/c
RmBEagnoZfYutVLNYTGOM/wDUgGAUDsZprD0DYurFdwWp4Mut2SQYqOFRcEucpdX
Cympsp8mzQf19LLgmjrYEALMbO+HL7XYa6mly1eWoPErWgJpMWpP3D1W3y1wYVm3
On6wB3rDZnCxoQUls9jgdQjyS9QI4Fu4d0UZD6EkO+K5XR8cdwrnl/1nkJGq6nK6
kio5gp2DiNz2WMbpzKh7HHGh5qPD14xHuLRxHzPw/pp0xCcKF/WBAo9NhXheh6sl
mBHAlEMdlc0nB5M8YjcAfaluCEsNz7mA+fEBGKV28UNJsGyUub0wY6LbQVXGBxSx
6bjvVWr9QE12RuqmV9NPOilFGmznmJ7Ml9zwnkOd2cgBuGSIjF2Skp9ag/Pv+cOY
bulkrJnb8+8Wdvt5d7H9wXvjYOum9OeY7rhIYmKpXtLK8D4YjL2sOuS0vJ3aH+Mx
xmqQWHd5VjaFE1lWL+21
=AsT6
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/22e0f325-f64f-598d-e2c2-5c1dbc580584%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Use YubiKey for Anti-Evil-Maid?

[Eric]

Is there any way to use a YubiKey for Anti-Evil-Maid, instead of just a regular 
USB flash drive? I imagine (though I will be the first to say that I don't 
know), that the firmware on it is much less resistant to compromise/BadUSB 
attacks, and since it crypto something something, it seems a natural fit.

Of course, I haven't seen the code for AEM, and I know that it's a program 
instead of just a keyfile. Is there any possibility of two factor 
authentication for anti-evil-maid? IE, passphrase and a YubiKey?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/55d6fca4-e86f-45ae-9cce-5408829a4c0b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.