Yubico Forum

Re: c#.net yubicoClient question

2012-03-06T11:06:00+01:00

You are basically right, but supporting signing the request even when SSL is used has the advantage of letting the server identify the client.

YubiCloud currently does not make use of this, but it could become important in the future to mitigate DoS attacks against the service.

Also, using HMAC signatures to validate the servers response could perhaps feel better than trusting your typical list of 100+ trusted SSL CAs. Not that you would necessarily be using such a list for validating the YubiCloud servers SSL certificates, but...

/Fredrik

Statistics: Posted by Guest — Tue Mar 06, 2012 11:06 am

Re: c#.net yubicoClient question

2012-01-20T19:54:46+01:00

I'm confused is the generated Client ID the AuthID?

Statistics: Posted by bwong — Fri Jan 20, 2012 7:54 pm

Re: c#.net yubicoClient question

2010-06-22T00:17:27+01:00

https instead of hmac verificiation is secure enough and more easy.
But anyway, check this attachment for some hmac verification code I wrote quickly if you want to implement it anyway.
Just make sure the API key is securely stored on your server! There is no way telling if someone forged an 'OK' status if they aquired this key.

Statistics: Posted by darkfader — Tue Jun 22, 2010 12:17 am

Re: c#.net yubicoClient question

2010-03-02T15:47:39+01:00

Statistics: Posted by crash893 — Tue Mar 02, 2010 3:47 pm

Re: c#.net yubicoClient question

2010-03-02T15:48:34+01:00

Statistics: Posted by crash893 — Fri Feb 26, 2010 9:13 pm

Re: c#.net yubicoClient question

2010-02-25T19:55:07+01:00

bump

Statistics: Posted by crash893 — Thu Feb 25, 2010 7:55 pm

Re: c#.net yubicoClient question

2010-02-24T06:48:38+01:00

Checking the hash is optional. However, Yubico recommend all production deployments use either API key or HTTPS to secure the OTP validation communication.

Statistics: Posted by network-marvels — Wed Feb 24, 2010 6:48 am

Re: c#.net yubicoClient question

2010-02-23T17:15:35+01:00

I'm still working on this but am i to understand correctly that checking the hash is not nesscary from a security point of view if the api url is just switched to https?

Statistics: Posted by crash893 — Tue Feb 23, 2010 5:15 pm

Re: c#.net yubicoClient question

2010-02-22T10:45:31+01:00

We are assuming that you are asking about how to generate the HMAC HASH i.e h parameter at client side and compare it with the h parameter sent as a response from the OTP validation server.

The instructions for generating and comparing the h parameter is available at the following links:

http://www.yubico.com/developers/api/#generate_sig

http://www.yubico.com/developers/api/ (Protocol Specification section)

The t parameter present in OTP validation response is the timestamp in UTC at the server side when the OTP is validated. This parameter is not related with HMAC HASH generation/compare functionality.

We hope this helps!

Statistics: Posted by network-marvels — Mon Feb 22, 2010 10:45 am

Re: c#.net yubicoClient question

2010-02-19T23:39:31+01:00

so basically

My api key (the long string) + the returned H value should combine in some fashion to return my auth-id code?

what about t= do i need to know anything about that?

Statistics: Posted by crash893 — Fri Feb 19, 2010 11:39 pm

Re: c#.net yubicoClient question

2010-02-19T22:56:16+01:00

cool

thanks the c# example does not implement this feature I will look into it and see if i can implement it.

Statistics: Posted by crash893 — Fri Feb 19, 2010 10:56 pm

Re: c#.net yubicoClient question

2010-02-19T10:26:46+01:00

Please find answers to your questions as follows:

1) what does the auth_id do

Answer:

There are two ways to secure the OTP validation communication (request and response). The first is to use HTTPS based secure communication channel to exchange the OTP Validation request and response. The other is to authenticate the request and response with (an optional) parameter h which is the HMAC SHA1 hash generated using the shared secret Key to sign the OTP validation request and response message.

Using this h parameter, a client (i.e. an application/service making the validation request to the Yubico OTP validation server) can be sure that the response is coming from the Yubico OTP validation and has not been tampered.

To generate this h parameter a shared secret Key (referred henceforth as API Key) is used. This API Key is associated with an ID (API ID/auth_id) on the Yubico OTP validation server.

If the h parameter is present in the OTP validation request, i.e. the client has signed the request using the API Key, then at the OTP validation server the id parameter is used to extract the corresponding API Key from the database and the HMAC SHA1 hash is computed on the OTP validation request. The server generated hash is compared with the h parameter present in the OTP validation request to validate the authenticity of the OTP validation request.

Therefore, if you are using the h parameter in the OTP validation request, you need to use your corresponding API ID in the OTP validation request.

The OTP validation server always sends the h parameter in the OTP validation response. This h parameter is generated by signing the OTP validation response using the shared secret Key associated with the id in the validation request. At the client side, HMAC SHA1 hash is computed on the OTP validation response using the API Key configured on the client side (the way of configuring this on the client will be client specific). The client generated h parameter is compared with the h parameter present in the OTP validation response to validate the authenticity of the OTP validation response.

2) if i made a program that reqired a yubikey would i need to create a individual auth_ID for each one?

Answer:

You should always use a same API ID for all of your YubiKeys. There is no need to generate a different API ID for each YubiKey. The API ID concept is designed to use an API ID per site / application / service and not per YubiKey.

Let’s take an example. You have developed a web application and integrated YubiKey based strong authentication in to your web application. You are using the online Yubico OTP validation server for OTP validation and you want to use the h parameter in the OTP validation request for authenticating the validation requests and responses. Your users are using YubiKey OTP for authentication along with traditional username and password.

Now all user authentication requests will be handled by your web application. Your web application will validate the username and password and will send the OTP to the online Yubico OTP validation server by forming the OTP validation requests for every OTP received from the users. Here, your web application acts as a client to the Yubico OTP validation server.

As the web application is sending the OTP to the validation server and not the user, there is no need to create separate API ID and API Key for every YubiKey you own. You should create and use only one API ID and API Key pair for all of your YubiKeys.

We hope this helps!

Statistics: Posted by network-marvels — Fri Feb 19, 2010 10:26 am

Re: c#.net yubicoClient question

2010-02-18T17:59:50+01:00

thanks I got it

so new questions arise from this

1) what does the auth_id do

2) if i made a program that reqired a yubikey would i need to create a individual auth_ID for each one?

Statistics: Posted by crash893 — Thu Feb 18, 2010 5:59 pm

Re: c#.net yubicoClient question

2010-02-18T07:07:26+01:00

You can create your own auth_id using the Yubico API Key generator which is available at the link given below:

https://api.yubico.com/get-api-key/

Please provide your E-mail address and YubiKey OTP and click on the "Generate API Key" button. This will generate a new id parameter (which is auth_id) and API Key for your use.

We hope this helps!

Statistics: Posted by network-marvels — Thu Feb 18, 2010 7:07 am

Re: c#.net yubicoClient question

2010-02-17T22:32:44+01:00

I see that it mentions auth_id in the read me but it doesn't explain where that number came from. I apologize if its right in front of me I'm pretty new to all this.

Statistics: Posted by crash893 — Wed Feb 17, 2010 10:32 pm