yubikerb - grab kerberos tickets using the yubikey
==================================================

yubikerb is a tool for using the yubikey for kerberos authentication.

Loose design
------------

Kerberos encrypts the ticket using the password of the principal requesting the ticket. Since we are not using a static password, and because of the special properties of the yubikey, the server won't know what our next password is going to be. Even allowing for just a five second window would mean we would have to download an encrypted message 2.5 million times as big as the secret. This is obviously impractical.

In fact, we do not have any shared secret at all, but we can synthesize one by having the yubikey generate two keys: the first one is secret, the other one is not. Using the former as a key, we encrypt the string "YUBIKERB" followed by a random 16 byte string to be used as a key (K1), using AES or similar. Assuming up to 30 seconds between the keys being generated, that leaves us with finding the first OTP in about 4 seconds (tested on my laptop, a 1.6 GHz Core 2 Duo running at 800 MHz). Five seconds between the keypresses means something closer to half a second, which should be acceptable.

The second OTP gives us authentication, so we now have an authenticated shared secret (K1). The server side component requests a ticket (or just generates it directly, if we integrate this properly with e.g. heimdal), decrypts it if needed (using the stored password of the user), then encrypts it to the key K1. The client decrypts the ticket and now has a bona-fide Kerberos ticket.

Attacks
-------

We assume that AES is not vulnerable to a known-cleartext attack. We also assume the Yubikey is implemented without flaws.

If the password store on the server side is compromised, the whole thing falls apart. We should look at integrating this properly with Heimdal or a similar KDC to avoid having to store even more cleartext tokens.
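The shared-secret step from the Loose design section, as an added example in Go (not yubikerb's own code): the client wraps "YUBIKERB" || K1 under the secret first OTP, and the server, which holds the device AES key and learns the counter from the second OTP, searches the timestamp window and the 16-bit random field until the magic decrypts. The simplified token layout, the use of the raw 16-byte OTP ciphertext as an AES-128 key, AES-CTR, and the constructed device key are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

const magic = "YUBIKERB"

// otp models the secret part of a YubiKey OTP: a 16-byte token encrypted under the device AES key.
// Simplified layout (assumption; the real token also has a uid and CRC): [0:2] counter, [2:5] 8 Hz timestamp, [6:8] random.
func otp(devKey []byte, counter uint16, ts uint32, rnd uint16) []byte {
	tok := make([]byte, 16)
	tok[0], tok[1], tok[6], tok[7] = byte(counter>>8), byte(counter), byte(rnd>>8), byte(rnd)
	tok[2], tok[3], tok[4] = byte(ts>>16), byte(ts>>8), byte(ts)
	c, _ := aes.NewCipher(devKey)
	c.Encrypt(tok, tok)
	return tok
}

// crypt is AES-CTR with a zero IV (symmetric); the key is a single-use OTP, so the IV is never reused.
func crypt(key, in []byte) []byte {
	c, _ := aes.NewCipher(key)
	out := make([]byte, len(in))
	cipher.NewCTR(c, make([]byte, 16)).XORKeyStream(out, in)
	return out
}

// wrapK1 (client): OTP1 is never transmitted; it encrypts "YUBIKERB" || K1 (24 bytes).
func wrapK1(otp1 []byte) (k1, blob []byte) {
	k1 = make([]byte, 16)
	rand.Read(k1)
	return k1, crypt(otp1, append([]byte(magic), k1...))
}

// recoverK1 (server): holding the device key and the counter learned from OTP2, try every timestamp
// in the window and every 16-bit random until the blob decrypts to the magic (5 s = 40 * 65536 = 2.6M).
func recoverK1(devKey, blob []byte, counter uint16, tsLo, tsHi uint32) (k1 []byte, tries int) {
	for ts := tsLo; ts <= tsHi; ts++ {
		for r := 0; r < 1<<16; r++ {
			tries++
			if p := crypt(otp(devKey, counter, ts, uint16(r)), blob); bytes.HasPrefix(p, []byte(magic)) {
				return p[8:], tries // K1 follows the 8-byte magic
			}
		}
	}
	return nil, tries
}
```

With an 8 Hz timestamp and a 16-bit random field, each second of window adds 8 × 65536 candidates, which matches the README's 2.5 million for five seconds.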