2016-09-18

YubiKeys demystified

When I saw the Bloodhound Developer use his YubiKey at Black Hat to access Github (in front of hundreds of people), I knew then I had to get a YubiKey of my own!

This article documents some of the initial “hands-on” experience – with accompanying comments and conclusions.

What is a YubiKey anyway?

Simply stated, a YubiKey is a hardware token used for “Two-Factor Authentication” (“2FA”).
However, hiding behind this rather mundane description is a simply marvelous piece of technology.

Basic Technologies[1]

The Wikipedia article sums it up well:
“The YubiKey is a hardware authentication device … that supports
  • one-time passwords, public key encryption and authentication,
  • and the Universal 2nd Factor (U2F) protocol …
It allows users to securely log in to their accounts by:
  • emitting one-time passwords or using a FIDO-based public/private key pair generated by the device.
  • YubiKey also allows for storing static passwords for use at sites that do not support one-time passwords….
Facebook uses YubiKey for employee credentials,… and Google supports it for both employees and users.”
The devices implement:
  • the HMAC-based One-time Password Algorithm (HOTP) and
  • the Time-based One-time Password Algorithm (TOTP), and
  • emulation to identify themselves as a keyboard that delivers the one-time password over the USB HID protocol.
The NEO and NEO-n devices also implement:
  • OpenPGP card protocol using 2048-bit RSA keys. This allows users to sign, encrypt and decrypt messages without exposing the private keys to the outside world.
The NEO device also has
  • NFC support.
The 4th generation YubiKey … includes support for:
  • OpenPGP with 4096-bit RSA keys, and
  • PKCS#11 support for PIV smart cards, a feature that allows for code signing of Docker images.
Wow.
When the YubiKey is first inserted into the USB, it:
“Identifies as a USB keyboard, smart card, and smart card reader – no client software or drivers need to be installed, no batteries, no moving parts.”

Here’s what the keys look like (courtesy Wikipedia op cit):

And here is a screen shot just after driver initialization showing the different devices:
2016-09-06_13-35-44-yubikey-neo.png
Note that full vendor documentation is here: https://www.yubico.com/support/documentation/ 

Key storage

The YubiKey offers the following credential storage – all at the same time on the same device:
“ two symmetric key “slots” that you can configure to store credentials, such as one for Yubico OTP (default in slot 1) and one for OATH-HOTP.
You can configure the same YubiKey as:
  • a smart card (PIV-compatible) and program the YubiKey for touch-to sign code signing with Docker.
You can store:
  • up to 32 OATH credentials (TOTP or HOTP) on the YubiKey 4 and access them using the Yubico Authenticator application.
In addition, you can have:
  • an unlimited number of U2F credentials – these include Gmail plus other Google apps, GitHub, Dashlane, and Dropbox, and more.”
The following diagram from the YubiKey 4 data sheet (op cit) shows this:

Different devices

The YubiKey 4 family includes the following devices:
  • YubiKey 4: The basic “workhouse” token supporting up to 4096-bit RSA Keys. Usable for Docker code signing
  • YubiKey Neo: Supports Android NFC but only supports up to 2048-bit RSA keys
  • YubiKey 4 Nano: Identical to the YubiKey 4 but with smaller form factor designed to fit into a USB slot.

The hands-on testing for this article was done with a YubiKey Neo.

No “free” lunches: Security “lock-down”

Yubico certainly took a cautious, conservative stance in the basic design of their technology. (The word “paranoid” comes to mind.)

Two important concepts to note:
  • No firmware upgrades: Yubico has a policy that no token gets firmware upgrades. New firmware is released on the next generation of tokens. However all new firmware is strictly backwards compatible with everything that went before.
  • Write-only: The YubiKey is a write-only device. No credentials or key material can ever be read out from the device.
For more information, see here as well as The YubiKey Manual.

Functional overview

The following sections give a quick overview of important YubiKey function.

Legacy “2-slot” operation

The following material is for comprehension / context only.
In testing, none of the following function was actually used.

The original YubiKeys had only 2 programmable slots. The following description of basic OTP (“One-time Password”) generation is described in The YubiKey Manual / Usage, configuration and introduction of basic concepts:
The YubiKey comprises an integrated touch-button that triggers the OTPgeneration.
Generated OTPs are sent as emulated keystrokes via the keyboard input path, thereby allowing the OTPs to be received by any text input field or command prompt.
… the basic OTP generation scheme can be conceptually described as:
1. The YubiKey is inserted into the USB port. The computer detects it as an external USB HID keyboard
2. The user touches the YubiKey OTP generation button
3. Internally, a byte string is formed by concatenation of various internally stored and calculated fields, including as a non-volatile counter, a timer and a random number.
4. The byte string is encrypted with a 128-bit AES key
5. The encrypted string is converted to a series of characters that are outputted as keystrokes via the keyboard port
This can be demonstrated simply.
  • Insert a YubiKey into a USB slot.
  • Give focus to a text editor such as Notepad.
  • Touch the key.
  • Sequences of random numbers will appear in the text editor.

In practice each of the two “slots” in the YubiKey can be programmed individually in one of the following modes:
  • OATH-HOTP mode
  • Each time the key is pressed, the counter increments and a new passcode is generated.
  • Challenge-Response
  • Either Yubico OTP mode or HMAC-SHA1 mode
  • API access only
  • Can be programmed to send a response only when the key is pressed.
  • Static Password

When both “slots” are programmed, then a “short” press (0.3 – 1.5 sec) generates a OTP from slot 1. A “long” press (2.5 – 5 sec) generates a OTP from slot 2.

YubiCloud Validation Service

Note: None of the functions tested required the following service.

As delivered, the YubiKey “slot 1” is programmed by Yubico for operation with the YubiCloud OTP Validation Service. This is a Cloud-based SAAS for basic OTP validation (to avoid having to deploy one’s own validation servers).

HOTP vs TOTP: Time-generated passcodes are better

The YubiKey is essentially event-driven. A finger touch bumps an OTP counter (eg OATH-HOTP) to cause the next passcode to be generated and output.

This is in contrast to the Google Authenticator-style of passcode generation. In OATH-TOTP, a new passcode is generated (typically) every 30 sec.

The YubiKey has no battery. Its built-in clock only runs when power is supplied through the USB port.

To generate OATH-TOTP passcodes, helper code needs to run on the host computer. In this mode, the YubiKey serves as a credential store only.

However even Yubico recommends TOTP over HOTP! The following is from the Yubico Authenticator User's Guide:
A TOTP password has a shorter lifespan than an HOTP password, which may be valid for an unknown amount of time (or until your next login).
A TOTP password requires less maintenance than an HOTP password but the time between the device and the server needs to be synchronized. HOTP passwords require more maintenance but no synchronization.
TOTP is the more secure one-time password solution.
It is important to understand the maintenance required by OATH-HOTP.
  • If the event counter is out of sync with the server, passcodes are rejected.
  • Typically, the server-side application will provide a special “synchronization” mode with a window-size of 50 or more. If 2-3 user-supplied consecutive passcodes fall within the window, the server adjusts its counter to the new value.

In OATH-TOTP there is no such requirement. Lack of synchronization due to “timer drift” is typically handled transparently by network time synchronization.
Because of the ongoing maintenance required (end-user self-service “hassle” or administrator overhead), OATH-HOTP should be avoided whenever possible.

The YubiKey 4 to the rescue: Significant new function

Yubico had a significant technological challenge on their hands. The world was going to OATH-TOTP because of ease of use, and their native AuthN technology was the user-unfriendly event-driven HOTP.

Yubico’s answer was the YubiKey 4 generation technology.

With the YubiKey 4, Yubico added significant new function to their token technology to reflect current trends.[2]

Basic modes of operation

There are 3 basic modes of operation. The NEO Manager tool is used to configure which modes are currently operational.

The default configuration is “All modes active”. Each of the 3 modes can coexist and function simultaneously with the other modes.

The three modes are:
  • OTP mode: Legacy YubiKey functions available with the two programmable configuration slots
  • CCID mode: smart card elements including OpenPGP, PIV, and YubiOATH applets. YubiOATH applet is used to store OATH-TOTP and OATH-HOTP credentials that can be accessed through Yubico Authenticator.
  • U2F mode: Universal 2nd Factor (U2F) functionality.
In terms of the host computer, the Yubikey emulates 3 different devices:
  • HID Keyboard
  • CCID Smart Card
  • FIDO U2F HID Device.

Supported Authentication protocols

Each mode has its associated AuthN protocols:
  • OTP mode:  Legacy Yubico “slot” protocols including:
  • Yubico OTP (programmed by Yubico in Configuration Slot 1 by default)
  • OATH-HOTP
  • Challenge-Response
  • Static Password
  • CCID modeUSB CCID compliant Smartcard interface supporting:
  • OATH-TOTP, OATH-HOTP: This mode has storage for up to 32 OAUTH-HOTP and OATH-TOTP credentials.
  • OpenPGP key pairs.
  • JavaCard 3.0 / JCOP 2.4.2 R1 execution environment: OpenPGP
  • Identity card standards
  • PIV[3]: The key can act as a smart card with RSA / ECC certificate from a Windows CA for smart card login to Windows OS.[4]
  • Mifare Classic emulation for proximity cared readers[5]
  • U2F mode:
  • FIDO Universal 2nd Factor U2F support
  • Unlimited number of credentials.

Neo key

The “Neo” key is similar to the Yubikey 4 and Nano 4. However there are slight differences.

The Neo key has additional function for  NFC communication with Android mobile devices:
  • Near Field Communication (NFC) interface allowing contact-less data exchange in NFC- and RFID environments
  • ISO14443A RFID/NFC interface
  • NDEF applet installed for interaction with YubiKey functionality.[6]
However Neo's additional function comes at a price:
  • A maximum of approximately 28 OATH-HOTP / OATH-TOTP can be stored on the key. The regular keys can store 32 OATH credentials.

  • The Neo only supports public certificates as follows: maximum size RSA 2048, ECC p256. The regular keys support RSA 4096 / ECC p384.

CCID mode: smart card support

The Nov 2014 lvm.net article Smartcard features on the YubiKey NEO gives a good overview of the smart card function on the YubiKey 4 / 4 Nano / Neo:

The [new YubiKey] includes a Common Criteria–certified JavaCard secure element, which can be loaded with several JavaCard applets. ... In order, these applets are the basic NEO OTP functionality, the NFC data-exchange functionality, an OpenPGP applet, a Personal Identity Verification (PIV) applet, and the HOTP/TOTP OATH applet.

According to the Yubico documentation YubiKey PIV Support, the Neo has 4 PIV certificate slots whereas the YubiKey 4 / 4n has 24. As specified in the PIV standard, the slots have different functions: (login) PIV AuthN, Digital Signature, (Encryption) Key Management, and (Physical access) Card AuthN. 

The U2F Authentication protocol

Before diving into the test results, a quick look at the U2F Authentication protocol would be useful.

Background

From Wikipedia:[7]
Universal 2nd Factor (U2F) is an open authentication standard … [for] two-factor authentication using specialized USB or NFC devices based on similar security technology found in smart cards. While initially developed by Google and Yubico, with contribution from NXP, the standard is now hosted by the FIDO Alliance.
The standard was developed in late 2014 but there apparently is considerable resistance to widespread adoption:

  • Firefox / IE: Microsoft / Mozilla browsers still do not natively support U2F.

  • Major web sites with proprietary 2FA: Most major web sites provide their own (often “clunky”) approaches to multi-factor AuthN (e.g. 2FA codes sent by SMS). Apparently these sites do not want to invest in U2F.  This includes “almost everyone”: e.g. Facebook, PayPal, Amazon, and LinkedIn.
Possibly the lack of support is due to partner mistrust of the “800-pound gorilla” Google’s standard. Or perhaps there is a perception that U2F is somehow limited to hardware tokens only.

Overview[8]

Basic protocol flow

The U2F protocol is elegant in its simplicity. U2F is a simple challenge-response protocol:
  • The U2F device registers by sending its U2F public key (kpub) to the Relying Party (“RP” – typically a web site).
  • To authenticate accesses, the RP sends a challenge to the U2F device.
  • The U2F signs the challenge with its private key (kpriv).
  • The web server RP looks up the corresponding public key (kpub) to verify the response.
The following diagram shows this basic interaction:

Mitigating well-known attack vectors

Various extensions to the basic protocol are defined to mitigate various attack vectors. The result is a lightweight, robust 2FA protocol:

Attack vector
Mitigation
Phishing
Client adds Origin URI and sends this along in the response packet. The RP verifies that the information is correct.
MITM
Client adds the TLS Channel ID (if supported) to the response.
Prevent RP from tracking devices between user accounts
U2F device generates a new application-specific key pair / key handle for each new registration.
The RP stores the handle and sends it with the challenge.
The device then knows whether to authenticate with User1’s key or User2’s key (if device is shared by User1 and User2)
Device cloning
The YubiKey is tamper-resistant.
To protect software-based implementations, the U2F device increments a counter and adds this to the response. The RP checks that the

Security robustness

Just how solid is the protocol?

Two researchers presented a recent paper (SSTIC 2016) that analyzed the robustness of the U2F protocol to various attacks:
This paper draws a picture of the security brought by U2F and ultimately compares the protocol with some 2FA schemes: Short Message System (SMS) codes, Time-based One-Time Password (TOTP) and TLS client authentication using certificates.
… our study tends to confirm that the security features offered by the U2F protocol are superior to the security brought by many SMS-based and TOTP-based second-factor solutions. This feat comes from the use of hardware secure elements, a phishing-resistant approach, the use of strong public key cryptography and an authentication scheme with distinct public keys per website
... At a theoretical level, the web part of the U2F protocol seems sound.
… Overall, the U2F protocol seems like a viable second-factor authentication scheme with phishing-resistant properties. Its ease of use and privacy features further promotes it for a wide web deployment. Even so, at the time of writing, our comparison of U2F with the TLS authentication scheme relying on client certificates indicates that the latter should be used in environment with the most stringent security requirements.
In a nutshell, U2F appears to be reasonably solid, is easy to use, and is better than SMS or OATH-TOTP.

Client-side certificates are likely more robust (at the cost of significant operational overhead).

The Software

Unfortunately Yubico’s software is not as stellar as their hardware. This section summarizes the tools they provide.

The Yubico Authenticator

Purpose

The Yubico Authenticator is essentially a drop-in replacement for Google Authenticator – with the following differences:
  • The Yubico Authenticator runs anywhere:
  • pre-compiled binaries for Windows, OS X, and Android
  • custom PPA for Ubuntu
  • The python code can also be installed using pip.
  • The credentials are stored – you guessed it – on the YubiKey.
  • Sadly, the GUI interface is not very user-friendly.
From the Yubico Developers’ Documentation:[9]
The Yubico Authenticator is a graphical desktop tool and command line tool for generating Open AuTHentication (OATH) event-based HOTP and time-based TOTP one-time password codes, with the help of a YubiKey that protects the shared secrets.
Essentially, the Yubico Authenticator is the functional “glue” that exposes much of the YubiKey function to the end user:
Usage of this software requires a compatible YubiKey device. Yubico Authenticator is capable of provisioning and using both slot-based credentials (compatible with any YubiKey that supports OTP) as well as the more powerful standalone OATH functionality of the YubiKey NEO.

Adding new credentials

To the end user, the Yubico Authenticator appears as a somewhat awkward “drop-in” replacement for Google Authenticator.

To enter a new TOTP credential, “File → Add” presents the user with the following screen:

If one is lucky, clicking “Scan a QR code” will actually work and the TOTP secret will be automatically captured and stored on the YubiKey.

In not, then the raw OATH-TOTP Base32 has to be calculated and entered manually. This will be discussed in greater detail in a following section.

Entering an HOTP credential is quite similar. The counter is set to 0 when the credential is created.

Using a credential stored on the YubiKey

When the Authenticator is started, no credentials are available:

When the YubiKey is inserted in the USB slot, the Authenticator accesses the names of the credentials stored in the token:


As already mentioned, Yubico’s secure design philosophy dictates that:
  • No credentials can be read from the key.
  • Once a credential is stored on the key, it cannot be changed.
To obtain a passcode, the user clicks on the corresponding icon (the small “clipboard” to the right of each credential). Clicking once obtains a passcode. Double-clicking obtains a passcode and minimizes the application.

Awkward user interface

This GUI application proved to be somewhat awkward to use.

If an icon is double-clicked by error (instead of a single click), the application mysteriously disappears.

Since the token is “write-only”, credentials have to be deleted and re-provisioned to be updated. This in itself is difficult at first.

The “delete” function is hidden away. The user has to right-click the credential to be deleted and a “delete” pop-up suddenly appears.


Worst of all however is the procedure for manual entry of secrets. Unfortunately, on a Windows PC at least the “QR scan” function works only intermittently. This means that the user has to manually enter secrets. This is not an easy task.

Manual entry of secrets

The Authenticator requires that secrets be entered in Base32 format only.[10]
Normally secrets are presented in Google Authenticator format:

To convert to OATH-XXXX compatible base32 format, first the spaces must be removed. Next everything is converted to uppercase. Finally the base32 encoding is done.

The following shows this in Python:

>>> import base64
>>> s = "j2k c2d r3d 72k xxy w"
>>> mystr = s.replace(" ","").upper()
>>> mystr
'J2KC2DR3D72KXXYW'
>>> base64.b32encode(mystr)
'JIZEWQZSIRJDGRBXGJFVQWCZK4======'
The highlighted string after the encoding is what Authenticator expects to receive.

If the secret is presented in hex format, then the following Python code can be used:

import base64
my_bytes = bytearray.fromhex("8ec3521adf9393f09c6842ae0094e21")
base64.b32encode(my_bytes)
Result is:
'R3BVEGW7SOJ7BHDIIKXABFHCC4======'

NFC support

The Yubico Authenticator supports Android NFC communication when used with the new YubiKey Neo.

The manual[11] gives the following cautions:
Position your YubiKey NEO as close to the NFC antenna (of your device) as you can and hold it there for two to three seconds. Due to the small size of the YubiKey NEO and its own antenna, the YubiKey NEO needs to be very close to the NFC antenna of the device. If you are unsure where the NFC antenna is located on your mobile device, review the specifications on the manufacturer’s website.
The technology actually works reasonably well if the phone is adequately charged.

The first few tries were awkward. Yubico Authenticator beeped and moaned strangely as I hunted for the phone’s NFC “sweet spot”. With some practice, it was possible to activate Authenticator using NFC through the phone’s protective cover.

The manual also says that Android Beam should be turned off. This is probably a wise thing to do in any case.

Maintenance Tools

Yubico provides several small programs to configure the YubiKeys.

During functional testing, the default configuration of the YubiKey 4 / Nano / Neo seemed to work just fine. These tools apparently would be necessary for custom configurations / commercial bulk deployments and other specialized use cases.

Neo Manager

The Neo Manager tool actually is for the entire generation of YubiKeys: YubiKey NEO, YubiKey NEO-n, YubiKey 4, and YubiKey 4 Nano.

All this program does is switch operating modes on the various keys.

The three operating modes are:[12]
  • OTP (the two configuration slots)
  • U2F
  • CCID (smart card functionality used with Yubico Authenticator, PIV, OpenPGP)
The default configuration has all 3 modes enabled.

With the tool, any combination of the modes to be configured by clicking checkboxes:

Not much but that’s all.

YubiKey Personalization Tool

This tool exposes all internal functional parameters of the YubiKey for provisioning custom configurations.

Yubico proudly calls the tool “The Swiss Army Knife for the YubiKey”.

For normal use cases, the default YubiKey configuration should work without requiring tweaking. A lot of the complexity of the tool addresses legacy function with little current relevance.

If you do feel a need to use the tool, be sure to read the 48 page manual first.[13]

The screenshots that follow give a quick idea of the complex tool functions. First is the tool’s home page:

The "busy" page for configuring a slot in OATH-HOTP mode gives a view of the underlying complexity:

PIV-related Tools

There are also tools related to smart card function. Due to lack of time, none of this function was tested. The Windows tools with graphical user interface appear to be oriented towards Windows smart card support including bulk deployment.

At time of writing, probably what probably is the most important manual had a broken link (!). The manual can be found here: YubiKey PIV Deployment Guide

There is also a command line tool for basic parameter configuration including management and card PINs. 

Functional Testing Results

The previous sections gave a brief overview of the Yubico technology. The accompanying software tools were briefly described.

This section continues with a quick discussion of results obtained during "hands-on" exploration of some of the main YubiKey function.

Great integration but sometimes complex and confusing

Given the flexibility of Yubico’s technology, it is not surprising to discover that the YubiKey integrates well with a significant number of different technologies. A wide variety of use cases are supported.

The downside is that the integrations are somewhat complex and confusing, at least initially. This is due to the following reasons:

  • Security First and Foremost: Yubico has a “no compromise” attitude to security. Their token is designed for use in high-security applications. The tradeoff is increased complexity and lack of conviviality for end-users.
  • No Technology “sunset”: Yubico never “sunsets” their technologies. People do not have to buy new keys to keep vendor support. Anything that ever worked, will still work. Over the years, the layers of technology function have accumulated to form a somewhat complex set of interacting function.
  • Historical legacy: Yubico has been a key player in the token market for a number of years. Integrations over the years vary in approach as new generations of tokens incorporate additional function. The result is that everyone seems to have their own special way of integrating YubiKeys
The following sections look quickly at various integrations with leading vendors.

KeePass[14]

Dominik Reichl, the author of KeePass, provides a plugin for OATH-HOTP:
http://keepass.info/plugins.html#otpkeyprov

The OATH-HOTP secret key is stored in the second slot of the YubiKey.

Simplistic Recovery Mode

Because the passcode generation is event-driven synchronization problems can result. A simplistic “Recovery Mode” dialogue is provided. The original HOTP secret key is entered to gain access.

Once access is recovered, then the existing OATH-HOTP credential is no longer usable and must be deleted. The entire OATH-HOTP provisioning process has to be repeated to generate a new credential.

No “secure desktop”

Normally the Yubico Authenticator will be used to obtain the passcodes from the YubiKey. This means that the KeePass option “Tools/Options/Security/Enter master key on secure desktop” must not be checked.

Otherwise the desktop will not be accessible (including the Yubico Authenticator program).

Entering the secret key

The Yubico Authenticator requires that the secret key be entered in Base32 format. This is certainly not the most intuitively obvious format for end-user interaction.

Fragile Synchronization / Potentially exposed secret

The HOTP keeps its status information in a cleartext XML file stored on the PC. The HOTP counter as well as the secret key are (probably) stored in this file.

If the same KeePass file is shared between two computers, then the HOTP plugin file has to be shared (and carefully synchronized!). If there is any de-synchronization, then HOTP AuthN breaks and recovery mode is the only option.

Managed code assemblies are usually relatively easy to reverse engineer. This means that the secret key is likely to be relatively exposed. The extra security provided by the YubiKey is nullified by the exposed secret key.

Summary

The KeePass integration uses legacy YubiKey OATH-HOTP Authentication. The result is a fragile, relatively insecure implementation that is more useful as a “Proof of Concept” than for actual production.

U2F-enabled sites: GitHub, Dropbox

Works well, easy to use

GitHub[15] and Dropbox[16] both are U2F-enabled. Initial registration as well as subsequent Authentication are easy to do and work well.

But … (Things to remember)

On any site where 2FA is configured, it is important to have a backup means of AuthN if the primary method no longer functions.

This is especially true for U2F AuthN. Unless the RP website allows 2 different tokens to be registered simultaneously for the same user, an alternative method of AuthN will be required.

Remember also that currently only the Chrome browser supports U2F.

Git / GitHub Signing commits / tags

Both Git and GitHub support use of OpenPGP certificates for signing commits as well as tags.

The OpenPGP certificate can be securely stored in the YubiKey.

For more information, see Git Docum: Chap 7 Git Tools - Signing Your Work, as well as GitHub Help: GPG support.

Due to lack of time, the Git signing function was not tested.

OpenPGP certificates for Ssh login with YubiKey

As previously mentioned, the smart card support (OpenPGP, PIV - Windows, Docker) was not tested due to lack of time. (In fact this function could be the subject of an another entire blog post.)

Using an OpenPGP certificate for Ssh login


OpenPGP certificates can be used for Ssh login (instead of the default RSA or DSA Ssh keys). The seminal post on use of YubiKeys for Ssh signon is Eric Severance Blog Jan 2015: PGP and SSH keys on a Yubikey NEO. (Note that the comments for this article mention some minor improvements / errors).

An OpenPGP authentication subkey can be used with OpenSSH to login to an ssh agent. The GngPG gpg-agent has a flag that allows it to function as an ssh-agent. (In fact both OpenSsh RSA keys as well as OpenPGP certificates can be converted to OpenSSL PEM certificates. See here and here also.

OpenPGP certificates on YubiKeys


The suggested robust approach involves using the YubiKey to create OpenPGP subkeys for encryption / signing / authentication. The keys are generated on the YubiKey itself so that the secret keys never leave the secure YubiKey environment.


The last link mentions that the Yubico OpenPGP applet supports a "Touch" function: "When ... enabled, the result of a cryptographic operation involving a private key (signature, decryption or authentication) is released only if the correct user PIN is provided and the YubiKey touch sensor is triggered."

Possible "Gotcha"

Note that there is a possible "Gotcha" in the provided support. A comment to one of the articles above mentioned the  following:

If you happen to use YubiKey NEO with OpenPGP using gpg-agent/scdaemon, you may get the following error message:

no slots
cannot read public key from pkcs11
The reason is that scdaemon exclusively locks the smartcard, so no other application can access it. You need to kill scdaemon, which can be done as follows:

gpg-connect-agent SCD KILLSCD SCD BYE /bye


Google / Gmail

Since Google was instrumental in the initial design and development of U2F, it comes as no surprise to discover that Google’s applications are U2F-enabled.

However, to use U2F the new Google “Push” 2FA had to be disabled. This (sort of) makes sense. U2F AuthN based on a YubiKey token is more robust than a simple 1-click “Push” AuthN on a possibly insecure mobile Android phone.

Nonetheless, this means that a working Google Authenticator should be kept as a backup 2FA method. (Note that Google also provides 1-time use Recovery Codes as an alternative method.)

Duo

Duo took 2 different approaches to YubiKey integration:

  • OATH-HOTP: Is supported but Administrator interaction is required (with accompanying administrative overhead)

  • U2F: Is supported only in the high-end paid editions of Duo (i.e. Enterprise and Platform editions)
Note that both versions of Yubico OATH-HOTP are supported by Duo:
  • The legacy OATH-HOTP (using YubiKey slot 2)
  • The newer OATH-HOTP as supported by the Yubico Authenticator.

OATH-HOTP tokens

OATH-HOTP tokens have to be added by the Administrator.
  • Bulk provisioning: Tokens can be added in bulk (by uploading a CSV file with token information[17]) or manually directly in the Dashboard.[18]

  • Resynchronization: If non-zero, the HOTP counter has to be entered along with the token serial number (in decimal) and the token secret key.
Resynchronization of HOTP tokens also requires Administrator intervention.[19] There is no self-service portal function available for the user to resynchronize a token.

All-in-all there seems to be little justification for using OATH-HOTP (with its accompanying administrative overhead) when U2F is available (- except for cost considerations of course).

U2F

Since U2F AuthN is not supported except in the most expensive versions of Duo, Duo’s U2F was not tested.

AWS – Amazon Web Services

Amazon supports generic OATH-TOTP 2FA.[20]

The Yubico Authenticator supports OATH-TOTP as a (more secure) drop-in replacement for Google Authenticator.

Windows / Linux login

Yubico provides a PAM module as well as a Windows credential provider.[21] However these were not tested as Duo provides equivalent (and rock-solid reliable) function with centralized Administration through their SAAS application.

Windows smart card login was not tested either due to time limitations.

Docker


Notary, an open source program, is used to generate a 4096-bit PIV certificate. This is used to sign the Docker image content.

Note that only the YubiKey 4 / 4n support RSA 4096 keys which are required for Docker. The Neo does not support Docker signing.

Summing it all up

In a nutshell:
  • Great Technology: Overall, the YubiKey is a exciting technology. The YubiKey 4 or Nano is probably more useful unless you really need to use credentials on an Android mobile phone.

  • U2F? What's that?: U2F appears to be going nowhere fast. Hopefully the world will get over their politics and start to use this powerful, lightweight 2FA technology.
  •  
  • YubiKeys are quite functional for the few U2F-enabled web sites that do exist: Google, Dropbox, GitHub. Duo’s lack of YubiKey U2F support in the free version is disappointing.


  • "Clunky" Software tools: The Yubico Authenticator is painful to use but necessary.

  • TOTP codes (eg AWS) can be moved from Google Authenticator to the more secure YubiKey equivalent. But brush up on your Python for base32 conversions.

  • Certificates as well: Certificates can be stored on the YubiKey as well (e.g. code signing, smart key login) but due to lack of time this function was not tested. GitHub and Docker support code signing with YubiKeys. Probably a good idea would be to enable Yubico "Touch" support for certificate use. Also a PIN should be put on the card to protect against unauthorized modification / use. 

  • Duo for login 2FA: Use Duo for Windows / Linux 2FA support.

[1] The full set of Yubikey documentation can be found here: https://www.yubico.com/support/documentation/ 
[2] For more information, see the product specification sheets as well as the YubiKey NEO Manager Quick Start Guide
[6] See http://forum.yubico.com/viewtopic.php?f=26&t=1963 for more about the Yubico NDEF programming.
[11] Yubico Authenticator User's Guide
[12] Cf NEO-Manager-Quick-Start-Guide, Introduction, pg 4
[13] Cf YubiKey Personalization Tool User Guide March2016
[15] For more information concerning GitHub integration see: https://www.yubico.com/support/documentation/how-to-use-your-yubikey-with-github/ 
[18] For the details, see https://duo.com/docs/yubikey 

106 comments:

Anonymous said...

Great post! Very informative!

Unknown said...

Thanks for giving a lot of information
http://greenelectronics.co.in/samsung-service-centre-in-hyderabad.html

Lewis Clark said...

This has explained in a better way what it is about otherwise I have had no idea what this Yobikey, what is its purpose and use. This is a large amount of information to digest.

Blogger said...

FreedomPop is the #1 ABSOLUTELY FREE mobile communications provider.

Voice, text & data plans will cost you £0.00/month.

Twik personalization tool said...

Very nice blog... Thanks for sharing complete steps about personalization tool. I found this information very helpful.

ridobe said...

This is fantastic. Bookmarked.

Anonymous said...

Thank you. Bookmarked.

Unknown said...

"
At the point when all activities and slimming down stage gets fizzled, Keto Primal works splendidly to give the coveted results by giving a thin and sharp body appearance since it is a characteristic craving boosting fat buster. The supplement additionally limits the nourishment desires or enthusiastic eating of people where they would encounter less appetite feel and that would offer them to stay in controlled calorie admission.

The supplement attempts to influence a person to go fit as a fiddle and carry on with a sound and a la mode way of life. The weight reduction process that begins after the admission of the pills go normally, and you may encounter the results inside 2-3 weeks of time. The expansion of every common concentrate here attempts to support the stomach related framework and furthermore clean the colon framework to stay free from hurtful poison squander. It supports the digestion level and gives a lift to vitality and stamina level where you would have the capacity to exercise more without getting worn out and stay dormant way of life. Visit for more informations:
Keto Primal
Health Care 350"

Unknown said...

We are Get health tips to lead healthy life everyday.health information and medical updates on healthy life ideas. latest health news, articles and studies on all health. NutraT line

Unknown said...

"I like this post,And I guess that they having fun to read this post,they shall take a good site to make a information,thanks for sharing it to me.
Read more here:
kim kardashian sex tape
porn sex video hd
mia khalifa sex video
sunny leone sexy movie"

Unknown said...

"
At the point when all activities and slimming down stage gets fizzled, Keto Primal works splendidly to give the coveted results by giving a thin and sharp body appearance since it is a characteristic craving boosting fat buster. The supplement additionally limits the nourishment desires or enthusiastic eating of people where they would encounter less appetite feel and that would offer them to stay in controlled calorie admission.

The supplement attempts to influence a person to go fit as a fiddle and carry on with a sound and a la mode way of life. The weight reduction process that begins after the admission of the pills go normally, and you may encounter the results inside 2-3 weeks of time. The expansion of every common concentrate here attempts to support the stomach related framework and furthermore clean the colon framework to stay free from hurtful poison squander. It supports the digestion level and gives a lift to vitality and stamina level where you would have the capacity to exercise more without getting worn out and stay dormant way of life. Visit for more informations:
Keto Primal
Health Care 350

Unknown said...

Why fear when True Light Keto is here that leads to quick weight loss process and is formulated with botanical extracts
and promotes healthy cholesterol formation inside the body. It also boosts up the metabolism level and delivers a clean
colon system, suitable for all male and female adults,you get a free trial order of 14 days without expeeriencing any hassles
True Light Keto

Supplements For Fitness said...

Supplements For Fitness Just be careful with the miraculous supplements that promise to be the key to weight gain. Just buy supplements based on your goals / training. Just because Ronnie Coleman takes it does not mean you need it. Supplement .

https://www.supplementsforfitness.com/

Anonymous said...

Keto VIV is a recipe for weight reduction that expands the body's digestion by advancing weight reduction while expanding the warm procedure of beginning to consume muscle versus fat. This fat consuming added substance likewise goes about as a fat inhibitor that hinders the arrangement of fat cells in the body by obstructing a catalyst called citrate. This imaginative weight reduction recipe additionally advances serotonin levels in the body that assistance decrease midsection fat and fortify your disposition to make you feel more full. This eating routine pill additionally keeps you from eating inwardly.
https://www.ketodietweightlossreviews.com/keto-viv-fat-burn-xp/

Unknown said...


https://movieshook.com/ Position and the simplest method to growth your low-end smartphone execution is by conclusion the applications that are lengthways in the environment before you sign the fearless. You can use several extend slayer applications for this, as healthy. Most of the Golem phones include numerous applications that are of no use to an statistic human. These applications can be injured which in favor increases the performance of your sound.

Jeffery Martin said...

Second.your will be full of poisons. Water enables you to flush them out. It also helps Nutrix Slim Keto your blood, cleanse the kidneys, assist the liver and many more. There are very a few health and general wellness benefits.
Read more...>>>


https://www.healthdiscreet.com/nutrix-slim-keto-reviews/

https://medium.com/@jefferymartin_43968/nutrix-slim-keto-12ed1f8eded5
https://nutrixslimketo.food.blog/
https://nutrixslimketoofficial.weebly.com/blog/nutrix-slim-keto
https://bit.ly/2FOkxDG





Unknown said...

Opti Farms Keto supports healthy immunity and drives to reduce overweight size
of the body by eliminating bad cholesterol level. It improves ketosis that restricts
fat accumulation inside the body and makes best utilized as energy boost. The supplement
is one of the best selling product over the internet that makes you slim and stylish
Opti Farms Keto

Rita Ballard said...

There possess to it. If you do want to make it worse sure about certain regarding brands work well or not and whenever they are suited to you, require also consider visiting supplements reviews Holistic Bliss Keto and not really going to physician.
Read more...>>>


https://www.healthdiscreet.com/holistic-bliss-keto/




Eric Franklin said...

Holistic Bliss Keto you remove condiments from much better for a period power? Eliminate ketchup (which I call tomato flavoured sugar), eliminate mayonnaise, be free from of bandages. Eliminate soy sauce from your rice.

Third, make sure that you have minimally 7~8 hours of good sound get some sleep. Scientists have proved that sleeping a great process of naturally digesting unnecessary components that serve no other purposes than to increase pounds. So no matter how hard you work, make sure you have a good rest following the holiday weekend.
https://holisticblissketo.weebly.com/
https://works.bepress.com/healthdiscreet/3

https://symonds377.wixsite.com/healthdiscreet/post/holistic-bliss-keto-the-most-recent-keto-equation-is-here
https://www.healthdiscreet.com/holistic-bliss-keto/

Wilma Gomez said...

The Probiotic supplement helps to balance good bacteria and in this regard, Zenith Labs Probiotic T-50 review is creating buzz. How far is the supplement reliable and worth considering, you will come to know about it here

Anonymous said...

Thank you, I have recently been looking for information approximately
this subject for a while and yours is the greatest I've came upon till now.
But, what in regards to the bottom line? Are you positive
about the supply?

Anonymous said...

Thank you, I have recently been looking for information approximately this subject
for a while and yours is the greatest I've came upon till now.
But, what in regards to the bottom line? Are you positive about the supply?

Easy Cab said...

Call Now at 7634078909 to grab a Free SEO consultation from the certified SEO consultant at Elite SEO

Agency.

Boost your online website promotion & convert your coaching institute business into a steady recurring

online income!

+91-7634078909
info@eliteseo.agency

https://www.eliteseo.agency/bhopal-seo/

Anonymous said...

Hello! I realize this is somewhat off-topic however I needed to ask.
Does building a well-established website like yours take a lot of work?
I'm brand new to writing a blog however I do write in my journal daily.

I'd like to start a blog so I can share my personal experience and thoughts online.

Please let me know if you have any kind of ideas or tips for brand new aspiring bloggers.
Thankyou!

Slim Quick Keto Shark Tank said...

healthonway
Slimquick Keto Reviews: Everyone has their own desires, both deprivation to be wealthy, whatever poorness to make harsh body and several impoverishment to be thin and raunchy. It is a want of every Soul to face temerarious and risque in frontmost of others. But it becomes unsurmountable as they are not healthy to bang attention of their fast as healthy as their well-being. In requisite, it becomes rattling weighty to decide straightlaced fix of what you eat. Several people depend only upon their fasting to get wanted embody cast. As a conclusion, they end up state fat. A stressed stratum of fat gets stored on their waist and hips. With a fitting diet, it is equally arch to do prissy exercises.

Anonymous said...

Its not my first time to go to see this web site, i am visiting this web page dailly annd get good information from
here daily.

God Of Supplement said...

God Of Supplement clients of God Of Supplement. The recorded are just the essential advantages coming about to weight reduction. Not just http://godofsupplement.com/

keto enhance said...

Keto Enhance is the most advanced of all formulas and is on this date one of those best and popular types of weight loss pills in the market that are too rare in origin. Keto Enhance will burn down all of your fats and problems. Visit On http://www.rushyourtrial.com/coupon/keto-enhance-rush-your-weight-loss-with-this-pill/

Anonymous said...

We stumbled over here coming from a different web page and thought
I might as well check things out. I like what
I see so now i am following you. Look forward to exploring your web page repeatedly.

Anonymous said...

We stumbled over here coming from a different web
page and thought I might as well check things out.
I like what I see so now i am following you.
Look forward to exploring your web page repeatedly.

Anonymous said...

Excellent read, I just passed this onto a friend who was doing a little research on that.
And he just bought me lunch since I found it for him smile So let me
rephrase that: Thanks for lunch!

Anonymous said...

Excellent read, I just passed this onto a friend who
was doing a little research on that. And he
just bought me lunch since I found it for him smile So let me rephrase that: Thanks for lunch!

Anonymous said...

There is evidently a bunch to realize about
this. I suppose you made various good points in features also.

Anonymous said...

There is evidently a bunch to realize about this. I suppose you made various good
points in features also.

Anonymous said...

each time i used to read smaler content which
as well clear their motive, and that is also happening witth this article which I amm
reaing here.

kenwood said...

. For this reason it may be necessary to install a platform ensuring that it does not protrude from the furniture plinth and no services should cross the rear wall behind the appliance Viking, Sub-Zero, Dacor, Miele, Thermador, Fisher & Paykel Repair in Goleta

Anonymous said...

What a information of un-ambiguity and presereness of valuable knowledge regarding
unexpected feelings.

Anonymous said...

I have read so many articles on the topic of the blogger lovers however this article
is in fact a fastidious paragraph, keep it up.

Anonymous said...

Do you have a spam problem on this website; I also am a blogger,
andd I was curous about your situation; we have
created soje nice practices and we are looking to exchange
methods with others, be sure to shoot me an email if interested.

Anonymous said...

Today, I went to the beach front with my children. I found a sea
shell and gave it to mmy 4 year old daughter and said "You can hear the ocean if you put this to your ear." She
placed the shell to her eaar and screamed.
There was a hermit crab inside and it pinched her ear. She never wants to go back!
LoL I know this is entirely off topic but I had to tell someone!

Anonymous said...

Have you ever considered about adding a little bit more than just your
articles? I mean, what yoou say is valuable and all. However think of if you added some great images or videos tto give your post more, "pop"!
Your content is excesllent but with immages andd videos, this blog
could definitely be one of the very best in its field.

Grat blog!

Anonymous said...

I loved as much as you'll receive carried oout right here.
Thee sketch is attractive, your authored subject
matter stylish. nonetheless, you command get bougyt an impatience over that you wish be delivering the following.
unwell unquestionably come mofe formerly again as exactly the
same nearly a lot often inside case you shield this hike.

Anonymous said...

Hello! Do you uuse Twitter? I'd like to follow you if that would be
okay. I'm undoubtedly enjoying your blog and look forward to new posts.

Anonymous said...

If you desire to increase your experience only keep visiting
this web site and be updated with the most up-to-date news posted here.

Anonymous said...

I'm not sure wbere you're getting your information,
butt great topic. I needs to spend some time learnimg more or understanding more.

Thanks for magnificent info I was looking for this info
foor my mission.

Anonymous said...

Hello everyone, it's my first go to see at this site, and post
is really fruitful for me, keep up posting these types
off articleds or reviews.

Anonymous said...

Article writijng is also a fun, if you be acquainted
with after that you can write or else it is complicated to write.

Anonymous said...

Valuable info. Lucky me I found your web site
by chance, and I am surprised why this coincifence did nnot happendd
in advance! I bookmarked it.

Anonymous said...

There is certainly a grfeat deal to learn about this subject.

I like all of the points you have made.

Anonymous said...

This article offers cleear idea designed for the new viewers of blogging, that genuinely
how tto do blogging.

Anonymous said...

I like the valuable information you supply on your articles.
I will bookmark your weblog and check again her regularly.
I'm rather certain I'll learn lots of new stuff proper right here!
Best of uck for the next!

Anonymous said...

You should take part in a contest for one off the most useful blogs online.
I most certainly will highly recommend this blog!

Anonymous said...

My brother suggested I might like this blog. He was totally right.
This poset truly made my day. You cann't imagine simly how much time I had spent for thi information! Thanks!

Anonymous said...

I have been surfing online greater than 3 hours today, but I by no means discovered any fascinating article like yours.
It is lovely worth sufficient for me. In my view, if all
webmasters and bloggers made excellent content aas you
did, the web will likesly be a lot more helpful than eveer before.

Anonymous said...

As the admin of this web sute is working, no doubt very shortly it
will be famous, due to its quality contents.

Anonymous said...

Ahaa, its fastidious discussion regarding this piece of writing here at this website, I have
read all that, so now me also commenting at thyis place.

Anonymous said...

Cool blog! Is your theme custom made or did you download it
from somewhere? A design like yours with a few simple adjustements would
really make mmy blog shine. Please let me know where
youu got your theme. Thanks a lot

Anonymous said...

magnifficent publish, very informative. I'm wondering why the other expedts of this sector doo not realize this.
You must continuhe your writing. I am confident, you've a huge readers' basee already!

Anonymous said...

This is very attention-grabbing, You aare an overly profesional
blogger. I've joined yoour feed and look ahead tto searching for more of
your wonderful post. Also, I have sharedd your website in my social networks

Anonymous said...

That is a good tip especially to those new to the blogosphere.

Siple but very accurate info… Many thanks for sharing this one.
A musst read post!

Anonymous said...

This is my first time pay a quick visit at here and i am truly immpressed to read all aat alone place.

Anonymous said...

Hey there! Quick question that's completepy off topic.
Do you know how to make your site mobile friendly? My website looks weird when viewing from my iphone4.
I'm trying to find a theme or pplugin that might be able to
fix this issue. If you have any suggestions,
please share. Cheers!

Anonymous said...

I am regular reader, how are yyou everybody? This piece off writing posted
at this web site is in fact good.

Anonymous said...

Hiya! Quick question that's completely off topic. Do you know
how to make your site mobile friendly? My site looks weird when viewing
from my iphone 4. I'm trying to find a thesme or plugin that might be able to resolve this issue.
If you have any suggestions, pleazse share. Thanks!

Anonymous said...

Spot on with this write-up, I honestly believe this web siite
needs far more attention. I'll probably be back agsin to read
more, thanks for the info!

Anonymous said...

Peculiar article, excactly what I needed.

Anonymous said...

Hi, I do think this iss an excellent blog. I
stumbledupon it ;) I wiill revisit once again since I book-marked it.
Money and freedom is the best way too change, may you
be rich andd continue to guide others.

Anonymous said...

It is perfect time to make somne plns for the long
run and it is time to be happy. I have learn this submit
and if I could I wish to counsel you few attention-grabbing issues or advice.Maybe you
could write next articles referring to tthis article.
I desire to learn even more issues about it!

Anonymous said...

This design is wicked! You definitely know how to keep a reader
entertained. Between your wit and yopur videos, I was
almost moved to start my ownn blog (well, almost...HaHa!) Wonderful job.
I really loved whst you had to say, and more than that, how you
presented it. Too cool!

Anonymous said...

naturally like your website but you have to checck the
spelling on several of your posts. A number
oof them are rife with spelling issues and I in findinmg it very bothersome to inform the truth then agan I'll surely come back again.

Anonymous said...

Hi, tthe whole thing is going perfectly here and ofcourse every one is
sharing information, that's truly fine, keep up writing.

Anonymous said...

It's very effortless to find out any topic on net as compared to textbooks,
as I found this piece oof writing at ths web site.

Anonymous said...

Spot on with this write-up, I absolutely feel this
website needds far more attention. I'll probably be returning
to see more, thanks for the information!

Anonymous said...

Hi there very nice site!! Guy .. Excfellent ..
Amazing .. I'll bookmark youyr website and take the feeds additionally?

I'm happy to search out a lot of useful info right here inn the put up, we want develop extra techniques in this regard, thanks for sharing.
. . . . .

Anonymous said...

Heeya fantastic website! Does running a blog similar to this require a massive amountt work?

I have veryy little undestanding of coding however I had been hoping to start my own blog
soon. Anyhow, if you have any suggestions or tips for
new blog owners please share. I know this is off subject nevertheless I just wanted to ask.
Thanks a lot!

Anonymous said...

If some onne nreds expert view concerning blogging then i suggest him/her to pay
a quick visit this website, Keepp up the fastidious job.

Anonymous said...

Informative article, exactly what I was looking for.

Anonymous said...

Excellent goods from you, man. I've understand your stuff previous to and you are just too magnificent.

I really like what you've acquired here, certainly like what you're saing and the way in which yyou say it.
You make it enjoyable and you still take care of to keep it
wise. I can not wait to read much more from you.

Thiis is really a wonderful website.

Anonymous said...

Can you tell us mire about this? I'd want to find out some
additional information.

Anonymous said...

Hello, I enjoy readig through your article post. I wanted to write a little comment to support you.

Anonymous said...

I gott this webb site from my friend who shared with me regarding tis site
and now this time I am visiting this site aand reading very informative articles or reviews
at this time.

Anonymous said...

I always emailoed this web site post page to all
my contacts, for the reason that if like to read it next my contacts will too.

Anonymous said...

Hi my loved one! I wwant to say that this article is
amazing, nice written and come with approximately all important infos.
I'd like to look more possts like this .

Anonymous said...

A person essentially assist to make critically posts I might state.
That is the first time I frequented your wweb page and so far?
Isurprised wigh the research you made to create this actual publish incredible.
Great process!

Anonymous said...

Thanks for ones marvelous posting! I quite enjoyed reading it,
you are a great author. I will remember to bookmark
your log and will come back sometime soon. I want tto encourage continue
your great posts, havee a nice holiday weekend!

Anonymous said...

Hey there! Someone in my Myspace griup shared this
website with us so I camme to give it a look. I'm definitely enjoying the
information. I'm book-marking and will bbe tweeting this to my
followers! Excellent blpg and excellent design.

Anonymous said...

Thank you for the good writeup. It if truth be told was once a amusement account it.
Look complicated to far deelivered agreeable from you!
However, how can we keep in touch?

Anonymous said...

Remarkable! Its really awesome paragraph,
I have got much clear idea regardingg freom this post.

Anonymous said...

Truly no matter if someone doesn't be aware
of after that its uup to other visitors that
they will assist, so here it takes place.

Anonymous said...

whoah this blog is wonderful i really like studying
your posts.Staay up the great work! You realize,
many persons are hunting around for this information, you can help
them greatly.

Anonymous said...

Hello there! Do you use Twitter? I'd like too follow you iif that would be ok.
I'm definitely enjoying your blog and look forward to new updates.

Anonymous said...

It's actually very diifficult in this active life tto lidten news on TV, thus I juust use world wide web for
that purpose, andd get the most rscent information.

Anonymous said...

Hi there! Do you use Twitter? I'd like tto follow you if that would be ok.
I'm undpubtedly enjoying our blog and look forward too new updates.

Anonymous said...

Hello it's me, I am alseo visiting ths website daily, this web page is genuinely
fastidious and the visitors are really sharing good thoughts.

Anonymous said...

Mayy I simply say what a comfort to uncover someody that truly
knows what they are talking about onn the net. Youu definitely know how to bring an issue to liight and mqke
it important. More and more ppeople need to check this
out and understand this side of your story. I was surprised you're not more popular given that you definitely have the gift.

Anonymous said...

Whats up very cool website!! Guy .. Excellent ..
Superb .. I'll bookmark your web site annd takee the
feeds also? I'm happy to seek out sso many useful information here within the post,
we want develop extra techniques in this regard,
thanks for sharing. . . . . .

Anonymous said...

If you are gong for finest contents like I do, simply visit this web site every day as it offers feature contents, thanks

Anonymous said...

I do believe all of the ideqs you've introduced on your post.

They aree very convincimg andd will definitely work.
Still, the posts are too brief for starters. May you please prolong them
a little from subsequent time? Thank you for the post.

Anonymous said...

Have you ever considered writing an e-book or guest authoring on other websites?
I habe a blog based on the same subjects you discuss and would
love to have you share some stories/information. I know my audience
would enjoy your work. If you're even remotely interested, feel free to shoot me an email.

Anonymous said...

Grrat post.

Anonymous said...

Amazing blog! Is your theme custom made or did you
download it from somewhere? A design like yours with a few simple adjustements would really make myy blog shine.
Please let me know where you got your theme. Thank you

Anonymous said...

Saved as a favorite, I really likke your web site!

Anonymous said...

Right here is the right wwbpage for everyoine who really wants to understand this topic.
You understand a whole lot its almost tough to argue with you
(not that I personally will nneed to…HaHa). You certainly put a new spin on a topic
that hass been written about for ages. Excellent stuff, just great!

Anonymous said...

Remarkable issues here. I'm very happy to
look your post. Thanks so much and I'm taking a lopk forward to touch you.

Will you please drop me a mail?

Anonymous said...

Positive site, where did you find out about this posting? My first impression of your website is that your writing style is interesting and engaging. Keep up the great work and thanks a million. Here, you can view a fake WhatsApp conversation, as well as I can view its preview and choose your favorite. fake whats app gen.

Tractor said...

Hello!!
Useful blog. thank you for sharing to us.
John Deere