Monday, March 02, 2009

Yubikeys and Enano?

Enano CMS, a project that I am involved in, has recently announced Yubikey support through a plugin in the latest development versions. Now, most people, if not all, who read this blog may not have a clue why Yubikey support is so special. After all, it's just another authentication method, right? Wrong!

Let me start off with a little history on Enano CMS for those who don't know what it is. Enano CMS is a CMS that was started by Dan Fuhry to replace the antiquated web page setup on the Experience UI project. Well, he was also spurred on by me, who joined him later because I had some bad experiences with Drupal and phpBB Fully Modded. Each of these projects had good and bad things, though.

Drupal is incredibly modular, but it had a rather clumsy UI at the time. I am told that the UI has been improved since then, but I digress. phpBB Fully Modded was chock-full of features. Too many, in fact. However, it was the only truly reliable way of getting all the features needed working together.

phpBB Fully Modded inherits all the security issues of phpBB, as well as some of its architectural faults. For example, in most web systems, people can write plugins that hook into the main software package to provide additional features. This approach has its limits, but it is modular, allowing for easy removal and installation for testing purposes. phpBB does not have a plugin system. Developers for phpBB depend on a MOD extension system, which is quite literally what the name says: modifying phpBB itself to add these features. Essentially, MODs were patches to phpBB. Dan and I saw a huge issue with this, especially after my phpBB site was literally destroyed by crackers over Thanksgiving Day in 2006.

Enano CMS was Dan's solution to these problems. He found phpBB's poor handling of security quite damning, but it was really the best-supported solution out there as far as forums went. So, when he designed Enano, back then called Midget CMS (the name was changed to Enano when it was discovered that another CMS package with that name already existed), he designed it with modularity and security in mind. Originally, it used regular old hash signatures, but it did not sanction actual code modification to extend functionality; an incredibly flexible plugin API was added to it for this purpose. Over time, the API was extended, and Enano's core was modified to increase security. For 1.0RC1, Enano's security was truly new: it used 192-bit industrial-strength AES cryptography to secure logins. Diffie-Hellman was later added in 1.1.x development, and finally HMAC-SHA1. Both Diffie-Hellman and HMAC-SHA1 are currently in use in Enano CMS.

Also, after the first rewrite of Enano, the administration was heavily cleaned up and redone several times to make it simpler and much more intuitive for the new user. The resulting admin panel is quite easy for a new user to dive right into and use. Concepts from WordPress and phpBB were borrowed for the design of the admin panel, which is evident in its style. I got more involved with the project around the time of 1.0RC1 and started helping Dan figure out aspects of theming and UI to make sure that it was aesthetically pleasing as well as highly usable. The result was a quite nicely done system that additionally doubled as a wiki, which could be secured using ACLs or numerous management shortcuts in the page tools.

Where does the Yubikey come into play here? Unsurprisingly, the security systems employed in Enano CMS make the Yubikey a rather good fit. Yubico, the company that developed and is marketing the Yubikey, designed the Yubikey system around HMAC, which Enano also uses. The result? Enano can take advantage of some of the more powerful features of the Yubikey One Time Password (OTP) system. Dan, the developer, fell in love with the idea of the Yubikey and the OTP system. I pushed him to implement support for the Yubikey in Enano's own authentication system. The end result? The smoothest and quite possibly the most secure way to log into a web system is available to anyone who uses Enano and owns a Yubikey. Enano, being as flexible as it is, can function as a blog, a podcast publishing site, a wiki, and a traditional CMS, among other things.

The Yubikey is special because it is a one-time password system that does not require ANY special software on the local machine. It acts as a USB HID keyboard that simply types the OTP to log in. Since it is, to a certain extent, merely a validation tool, the OTP system could be used for numerous things. The most popular use is for logins, but it could be a good replacement for CAPTCHAs on a company site where full access for everyone is not necessary. The sky is the limit with a Yubikey!
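As an added example (not Enano's plugin code), here is the server-side check a typed Yubikey OTP goes through once its 32-character ciphertext half has been AES-128-decrypted with the key's secret; the decryption itself (any AES library) is left out, the modhex alphabet, token layout and CRC follow Yubico's published format, and the sample token is constructed here. The point is that replay protection comes from the counters inside the token, not from the OTP merely being long.

```python
import struct
MODHEX = "cbdefghijklnrtuv"  # Yubico's alphabet: survives any keyboard layout
CRC_OK_RESIDUE = 0xF0B8       # CRC register value over an intact 16-byte token

def modhex_decode(text: str) -> bytes:
    """Turn the modhex the key 'types' back into bytes."""
    if len(text) % 2 or any(c not in MODHEX for c in text):
        raise ValueError("not modhex")
    nib = [MODHEX.index(c) for c in text]
    return bytes(hi << 4 | lo for hi, lo in zip(nib[::2], nib[1::2]))

def split_otp(otp: str) -> tuple:
    """A 44-char OTP = 12 chars public ID + 32 chars AES-128 ciphertext."""
    if len(otp) != 44:
        raise ValueError("OTP must be 44 modhex characters")
    return modhex_decode(otp[:12]), modhex_decode(otp[12:])

def crc16(data: bytes) -> int:
    """Reflected CRC-16 (poly 0x8408, init 0xFFFF, no final XOR) as used by Yubico."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc

def validate(plain: bytes, expected_uid: bytes, last_seen: tuple) -> str:
    """Check a decrypted 16-byte token: integrity, ownership, then replay.
    Returns 'ok' (caller must then store counters(plain)) or the reason for rejection."""
    if len(plain) != 16 or crc16(plain) != CRC_OK_RESIDUE:
        return "bad-crc"          # wrong AES key, garbled input or tampering
    uid, ctr, _tstp_lo, _tstp_hi, use, _rnd, _crc = struct.unpack("<6sHHBBHH", plain)
    if uid != expected_uid:
        return "wrong-key"        # private ID must match the identity we enrolled
    if (ctr & 0x7FFF, use) <= last_seen:
        return "replay"           # counters never go backwards on a real key
    return "ok"

def counters(plain: bytes) -> tuple:
    """(session counter, use-within-session) to store as the new high-water mark."""
    return struct.unpack_from("<H", plain, 6)[0] & 0x7FFF, plain[11]

def make_token(uid: bytes, ctr: int, use: int, tstp: int = 0x123456, rnd: int = 0xBEEF) -> bytes:
    """Constructed sample plaintext (what AES decryption would yield) for local testing."""
    body = struct.pack("<6sHHBBH", uid, ctr, tstp & 0xFFFF, tstp >> 16, use, rnd)
    return body + struct.pack("<H", crc16(body) ^ 0xFFFF)  # the key stores the inverted CRC
```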

More information here.
