User-presence support #23

Open
jas4711 opened this issue Dec 3, 2014 · 3 comments

@jas4711
Contributor

jas4711 commented Dec 3, 2014

It would be nice if it was possible to configure the NEO to demand a user presence check before performing a private key operation. You would probably configure this using some ad-hoc way, specifying the key slot to demand user presence for.

@mitchell-es

I second this. I have mine in mode CCID-only and I find the interactivity with the touch sensor promising. What would be ideal to me would be that the key would flash when there was a signing request and would not perform the request until the key had been tapped. I use the key to perform SSH authentications and this would help mitigate the risk of somebody connecting to a remote ssh-agent connection and logging in places without my knowledge. I've looked through the source code in this repository but I haven't been able to locate the code which interacts with the LED and sensor on the YubiKey. Is that code part of this module or is it elsewhere?

@promovicz

I believe that the code for this must be elsewhere since I cannot imagine there being a way to access the button or LED from JavaCard by any standard means.

My guess would be that the code for this is native code on the security processor, which will probably be restricted by NDA.

It might be possible for Yubico to provide a JavaCard API that allows implementing this, however.

@stv0g

stv0g commented Aug 6, 2015

I wish there were a way to accomplish this. 👍
This would be a reason to replace my existing YK neo.

But as far as I know, all the other open source JavaCard applets do not interact with the LED and touch button?
But, maybe it's possible to access routines for accessing the hardware from the proprietary YKneo applet?

I found the following details on the Yubico forums:

  1. If availability of and applet equals the USB HID capability, do you have unadvertised access to the button from JavaCard environment (or you use the javacard chip from the overall device controller? Basically, how it works.)

In mode 1 and 2 (not 81 and 82) an applet can access the state of the touch button, but it requires JCOP tools from NXP. The state of the button can be found with an operation like: `IOControlX.getIO(IOControlX.IOID_P3)`
It's a two-chip design with another chip driving the USB interface and the touch button.

Source: http://forum.yubico.com/viewtopic.php?f=26&t=1299&sid=b35c719d3ad83ab5707583097766586f#p4873
