YubiSecure? Formal Security Analysis Results for the Yubikey and YubiHSM

  • Robert Künnemann
  • Graham Steel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7783)


The Yubikey is a small hardware device designed to authenticate a user against network-based services. Despite its widespread adoption (over a million devices have been shipped by Yubico to more than 20 000 customers including Google and Microsoft), the Yubikey protocols have received relatively little security analysis in the academic literature. In the first part of this paper, we give a formal model for the operation of the Yubikey one-time password (OTP) protocol. We prove security properties of the protocol for an unbounded number of fresh OTPs using a protocol analysis tool, tamarin.

In the second part of the paper, we analyze the security of the protocol with respect to an adversary that has temporary access to the authentication server. To address this scenario, Yubico offers a small Hardware Security Module (HSM) called the YubiHSM, intended to protect keys even in the event of server compromise. We show that if the same YubiHSM configuration is used both to set up Yubikeys and to run the authentication protocol, then there is inevitably an attack that leaks all of the keys to the attacker. Our discovery of this attack led to a Yubico security advisory in February 2012. For the case where separate servers are used for the two tasks, we give a configuration for which we can show, using the same verification tool, that an adversary who can compromise the server running the Yubikey protocol, but not the server used to set up new Yubikeys, cannot obtain the keys used to produce one-time passwords.


Keywords: Key management, Security APIs, Yubikey





Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Robert Künnemann (1, 2)
  • Graham Steel (2)

  1. LSV & INRIA Saclay – Île-de-France, France
  2. INRIA Project ProSecCo, Paris, France
