Yubico Forum

Re: Using the YubiKey 2.0 purely for static mode

2013-12-28T13:31:45+01:00

I have the same issue as above.... I'm trying to store a pre-generated 48 character numeric password (no ability to change it) to my yubikey, but it's limited to 32.

I understand you have to choose an arbitrary number for the maximum length, but more and more systems are getting longer and longer passwords (which is a great thing) and it would be great if Yubikey would be front-runner even if 128-bit entropy feels like overkill, if the input is limited to numbers (in my case) the entropy is lower than when you're able to set it to 38 different characters.

Statistics: Posted by jessehouwing — Sat Dec 28, 2013 1:31 pm

Re: Using the YubiKey 2.0 purely for static mode

2009-12-03T18:40:50+01:00

Thank you for your reply Jakob,

It would be great if you do symbol to scan code mapping in Config utility at least for US layout,
so users can paste in any password they want.
Maybe it is better if you figure out the mapping in advance, without having to type all ASCII-characters 0x20 - 0x7f.
It could be an option (hopefully YBCU will save it) for non-standard keyboards.

I think the more serious question is whether to allow firmware update or not.
Users always find some features they want that you did not have in mind or have your own opinion.
and it might be some other application that you had not anticipated at all, which can finally boost your product.
Isn't it one of the ideas of Open Source movement?
It especially applies to your product when you have not found your niche yet.

I was going to ask you about OATH support, but just found your post today. Great!
So what are the users who have old firmware supposed to do?

Statistics: Posted by Guest — Thu Dec 03, 2009 6:40 pm

Re: Using the YubiKey 2.0 purely for static mode

2009-12-02T22:28:07+01:00

Yes - there is a limitation in the configuration tool that it cannot take a string and have it pasted into the field where it gets converted to keystrokes. As I see it, there is no obvious way to make the scancode-keystroke mapping in a way so it supports all keyboard layouts. Maybe we could make a mapping tool where the user is asked to profile the current keyboard layout, where the user is asked to type in all ASCII-characters 0x20 - 0x7f. This mapping is then stored in some persistent way so it can be reused. We could then provide some default mappings for the most common keyboard layouts. Anyone with a better idea is very welcome to give a tips.

Would such a feature make sense ? We can then add this feature to the configuration tool.

As an alternative, like YBTester proposed - the configuration API can be used if you want to write your own utility.

But... The scan code mode is currently limited to 16 characters maximum and the limitation is in firmware. We could probably with a fairly small effort increase this to 16 + 6 + 16 = 38 characters by using the public ID, private ID and key fields when operating in static mode.

Regarding the 10-second manual upate feature - yes - this one updates the last 32 characters only.

I must admit that we've probably underestimated the needs of our customers with regards to the static mode. It was introduced as a gizmo kind of thing and we were prepared to drop it if users would be upset that we supported "such rubbish" as someone said in the early days. "Static mode is a joke - you guys shouldn't support such crap". It appears however like quite a few people use it and that the current implementation is not as flexible as it should be.

certain password policies. The length of the password would make it strong enough.

Apparently these assumptions were a bit wrong.

We’ll put what we’ve heard so far on the wish list for the next firmware updates. Any feedback on features is of course highly appreciated.

Thanks for all input,

JakobE
Hardware- and firmware guy @ Yubico

Statistics: Posted by Jakob — Wed Dec 02, 2009 10:28 pm

Re: Using the YubiKey 2.0 purely for static mode

2009-12-02T21:19:47+01:00

Hi, trying to follow up on static mode.

I'm also trying to see how YB can fit our business.
And it seems that static mode could be the easiest first step.

1. My question to Jakob&Co. is it possible to make a new version of Configuration (or is Personalization as it referred on your website?) utility and firmware which can generate random password 64 or possibly longer.
The current Static -Basic mode when 64 characters only last 32 last characters are updates when YB button is pressed for 10 seconds,
When special character and capital letters are enabled, they are only used in a that first constant portion of password.
and '!' is always first.

Is it the limitation of API or Configuration Utility?
Most users have the same keyboard layout throughout the computers they use.
So to address Lain_'s question the only problem is to write a function that would convert a symbol to a scancode given current keyboard layout, and write their own tools using your API?

My understanding your COM API

Property ykStaticID As BSTR (Write only)
HRESULT ykStaticID([in] BSTR rhs);

and Linux library from
http://code.google.com/p/yubikey-personalization/

allows to program arbitrary 128 bit string?

The problem only is to generate new 64 character complex password internally using 10 sec YB button touch, you have to update firmware?

For using people using static mode compatibility is not an issue, and bring static mode to perfection giving people what they need, could be a real boost for YB deployment, and then when you would have enough users you can worry about compatibility?

2.
What is the meaning of Public and Private ID, AES key when programming YB in static mode.
I noticed that PID in modhex is just prepended to static password

and I guess the same algorithm used to generate OTP uses given PID and AES to generate password but in contrast to dynamic mode every time YB button is touched it just emits the same string it generated first time?

==============
Best regards,
YBTester.

Statistics: Posted by Guest — Wed Dec 02, 2009 9:19 pm

Re: Using the YubiKey 2.0 purely for static mode

2009-11-30T03:30:15+01:00

Okay - apparently the discussion went wrong somehwere. I'll take the blame on me. Let's rewind the tape then and restart:

Pro primo - You can make up a password of any combination of one to sixteen characters available in your current keyboard layout that are either un-shifted or shifted. Use the configuration tool, secelect "Password mode" from the task panel and then select "Scan code mode".

Pro secundo - The current Windows configuration tool does not allow you to paste in a string as the tool captures the scan codes of each keystroke you type in. It is unfortunately non-trivial to fix or to add a function that randomizes a valid string for your current keyboard setting.

Pro tertio - Your example string won't work as it is 32 characters long. If you can tuncate it to 16 characters, your string will work.

Pro quarto - The final caveat then is that if you configure the key on your own keyboard and then use the key on a different computer with a different keyboard layout, it may not work. That is by design and nothing we can do anything about.

Regards,

Jakob E
Hardware- and firmware guy @ Yubico

Statistics: Posted by Jakob — Mon Nov 30, 2009 3:30 am

Re: Using the YubiKey 2.0 purely for static mode

2009-11-29T20:52:17+01:00

JakobE wrote:

.......
The "scan code" mode password does just exactly that and allows you to create an arbitrary string of up to 16 characters.

Wow, I am not sure if what I am trying to get across is being by language barriers, or a simple misunderstanding??

Your implying that I can use a "static password" but you always include the word ARBITRARY. And it its the use of that word that is the crutch of this threads continuation. So lets first define that word so as to help clarify the complaint I and the person who started this thread have attempted to make.

ARBITRARY
1. Determined by chance, whim, or impulse, and not by necessity, reason, or principle:

Its easy to see now the problem I have........I cant use this product for my needs as I do NOT want an arbitrary static password that I CANT CHOOSE. See how easy this is to understand. While I don't wish to make an argument about how you should design your product, as a business person myself I tend to listen to my customers when they offer constructive criticism when it comes to reaching a larger market.

As mentioned, I need to have a product that...

1) Can be programmed with a password of my own choice for my needs.
2) Can use caricatures that I choose based on my companies requirements.
3) Stores the password in a manner that prevents the user from altering it.

Its obvious that the Yubikey can not fulfill the first 2 requirements, contrary to your argument that it can...because you keep inserting the catch word "arbitrary". Again, I may not be an "expert" IT person from your perception, however I have spent over 6 hours trying to program the key with a password of my own choice and its simply not possible....PERIOD

In my last post I gave the string Example: 7iLd=R0mKS*wsU$c4Gonbl}P0&i>&ok[ as what I need to program the key with so that when inserted into a computer it outputs that exact same string.

Sorry if my post seams rude, but your replies so far are implying that I can program the key (per my needs), but you always insert "exceptions" that sidestep the requirements that I have outlined. Either I can program the key with my own CHOSEN password, OR I cant......So far I cant.

If I am incorrect in the above statement than PLEASE, either explain how I can do this or simply admit that it cant be done (without any "caveats")......and I will either purchase more keys once I can program it per my needs, or I will stop wasting your time here and find a product that can perform tasks 1-3 as noted above.

Statistics: Posted by Lain_ — Sun Nov 29, 2009 8:52 pm

Re: Using the YubiKey 2.0 purely for static mode

2009-11-29T12:44:59+01:00

I feel a bit lost here. You can do that on the V2 keys (not on the V1 keys) - with the caveat that it may may not work on all keyboard layouts. That's not very much we can do anything about as the translation from scan codes and a specific keystroke is done by the OS.

The "scan code" mode password does just exactly that and allows you to create an arbitrary string of up to 16 characters.

With the best regards,

JakobE
Hardware- and firmware guy @ Yubico

Statistics: Posted by Jakob — Sun Nov 29, 2009 12:44 pm

Re: Using the YubiKey 2.0 purely for static mode

2009-11-28T21:49:47+01:00

Quote:

Please let me know if there is something I've missed here.

Its a very simple one, your product produces the password in static mode. This severely limits its use with applications where the password, or "key" has already been implemented or with products where it produces the pass phrase.

A simple example is one that I read on this very forum....A Wireless router. I cant speak for all brands, but my router lets me select a "mode" of encryption (WEP , WAP) etc, and then automatically generates a series of keys...Much like how your product works. If a person does not wish to store this information on say a wireless laptop and wants to use the Yubikey for manual insertion of that pass phrase than they can not use your product....at least not a way that I can figure out. I fully admit that I am not a "professional" coder, and maybe I am missing something here.

This is just one basic example of why the Yubikey should be able to be programmed with my own password rather than relying on your system to make one. For instance I have a web based CRM system that will be accessed by some of my business partners. The system already automatically generates a long 32 caricature user ID string that uniquely identifies each user. This ID is also used to manage the account and link other data that requires the ID string to remain static as I have bridged multiple systems together and that unique ID sting is used throughout the system to manage data for that user as well. The entire process is automatic when a new user is created and makes a phrase like this one Example: 7iLd=R0mKS*wsU$c4Gonbl}P0&i>&ok[

I had planned on programming the Yubikey with the ID string and use it as the password for access. In my case, I would have to manually access every bridged system and change the ID string to match what your configuration tool gives me, rather than the other way around. For obvious reasons that is not practical. My CRM uses other methods to help secure the server such as GEOIP location, user agents ID, DPI (deep packet inspection) and proxy detection so at least for my use some of your advanced "features" are not desirable or applicable. Also I do NOT want to implement the use of your authentication server to validate my key since I wish to have complete control in house.

So while I think this product is great, and I may still yet find a method to apply it to my existing systems, the inability to use my own static passwords makes it hard to implement without fundamentally rewriting how my system works......Not to mention the problems of implementing it for use where a user is not able to supply the pass phrase, such as the case of the Yubikey 2.0. I believe that you may find more customers using your product if you simply offer them the option rather than imposing your own restrictive configuration tool.

As mentioned, I watched YOUR video where it clearly showed how to insert your own static password, (obviously outdated) and it was that EXACT feature I was drawn too. I did read the PDF user manual before purchase, admittedly rather quickly but nowhere did it state that the version 2.0 Yubikey would NOT allow me to use that function. You should remove that video from your YouTube channel and replace it with a current one.

OR, as I am some others would agree....return the function that allows me to program the key per my requirements or needs. While its obvious that your product is intended to produce the most secure tool you can, I think that you may have "over-engineered" the process and limited its application to those like myself who wish to use it as just one part of a larger security/authentication system.

Statistics: Posted by Lain_ — Sat Nov 28, 2009 9:49 pm

Re: Using the YubiKey 2.0 purely for static mode

2009-11-27T01:21:24+01:00

I'm not perfectly sure I understand the issue here.

An arbitrary password can be set by using the "Scan code mode". This mode however is suceptible to different keyboard layouts so if you're fine with a 32+ character password, we recommend users to have the Modhex mode.

One can of course ask - Why not simply use an arbitrary 32+ Modhex password ? This is a V1 Yubikey limitation and also an intent to be able to use the validation server with static keys. Yes - you'll get a replay error after the second submitted, but it works.

Regarding the entropy and the security: The password generated is an encrypted output of the data generated by the configuration tool. If you use the random function provided by the configuration tool, a random number is generated using the Windows CryptGenRandom function. I beleive the function is FIPS/EAL4 certified and unless you're running Windows 2000, it should fulfil most needs.

The output is an AES encrypted Modhex string using this randomized key and an equally randomized UID as input. If you have a 32 character output string selected, you'll get an entropy of 32 x 4 = 128 bits. The AES encryption will just obfuscate it all a bit more.

As we have a 16-byte binary string as the foundation for the output, we will very likely get repeated characters. Not very strange as the probability of a byte being 0x00, 0x11, 0x22, 0x33.... 0xee, 0xff is 1/16. Given that we have 16 bytes in the output - the probablility is close to 100% that you get at least one occurance of repeated characters in the string.

The bottom line here is that the entropy is what makes up the password complexity, not the occurence of repeated characters or mix between upper- and lower case letters. This of course assumes that the password length is not an issue. If you're limited to 8 characters, it's a different story.

I won't go into details here, but I cannot possibly see how anyone could argue against an 128-bit entropy password not being strong enough. As 2^128 is approx 10^38 it should be obvious that a brute force attack is not possible for any application whatsoever.

Please let me know if there is something I've missed here.

Witht the best regards,

Jakob E
Hardware- and firmware guy @ Yubico

Statistics: Posted by Jakob — Fri Nov 27, 2009 1:21 am

Re: Using the YubiKey 2.0 purely for static mode

2009-11-26T18:49:02+01:00

I would have to (respectfully) concur with the original post here.

The use of this key for all intensive purposes is useless to my needs as well, and quite frankly I am a bit upset. I watched your YouTube video on setting static passwords and it CLEARLY showed you inserting your own static password into the key....albeit one generated from the GRC website. Now after getting 3 of these keys I find that not only can I NOT insert my own "chosen" password I can not even use more than 1 special caricature other than " ! "

I am exceptionally disappointed that a feature that WAS shown on your video is NOT a feature on the keys I have now.
At least for me, the best part of what your product USED to offer is now gone......Personally, I believe this to be a major mistake on your developers behalf.

For my business network I wished to use these for admin access to network systems where my Group Policy REQUIRES a level of complexity with mixed Upper, Lower, Numbers and special caricatures of a specified length. I currently have it set to 12 caricatures but wished to increase the length to 32 caricatures which is simply too long to remember....or brute force.

Thankfully they are not expensive, and I only purchased 3 for testing purposes so its not a huge deal. However I was looking to use these for my new network system that may eventually include up to 1000+ users and due to how I wished to manage the keys I will have to seriously re-think this product as it clearly has design limitations that prevent me from using it as I intended....Back to the drawing board.

The other issue that bothers me is that when I allow the key to be programmed with a static password, the one it generates ALWAYS has MULTIPLE repetitive caricatures like the one below......Compared to the GRC's random generator your has much to be desired.

Example generated key: L82Rdcjbllnldhdknjlfuktdtdjlgukkcgtklhedgfhjecibdibukuejicvknneb

Statistics: Posted by Lain_ — Thu Nov 26, 2009 6:49 pm

Re: Using the YubiKey 2.0 purely for static mode

2009-08-17T16:18:26+01:00

The new YubiKey 2.0 provides an interesting feature called "Strong password policy" where we can program the YubiKey to generate very long static passwords with upper, lower case letters, numbers and an "!" special character. We need to use the new Yubico configuration utility to utilize this feature. The new Yubico configuration utility and the user manual can be downloaded from the following link:

http://www.yubico.com/developers/personalization/

For using this feature follow the steps given below:

Selecting all the options of the "Strong password policy" will result in the generation of a similar static password as given below:

!2VUr4jlkkcrdfkvvetgebluutccubjieblkruculrijglgejdn

We hope this helps!

Statistics: Posted by network-marvels — Mon Aug 17, 2009 4:18 pm

Re: Using the YubiKey 2.0 purely for static mode

2009-08-15T16:10:21+01:00

Thanks for that information. However, are there any plans to change this ideally in some sort of firmware update. As to be honest I've just received two YubiKeys purely for the purpose of using for static passwords of at least 40 characters upper, lower, numeric and special and 16 characters isn't any use to me, so it looks like I have 2 beautifully made, very secure devices that are completely useless to me.

Please don't key me wrong, it's my fault as this information is available on the boards and you provide your manual to download, I stupidly inferred these features from listening to Security Now, without clarifying my understanding first.

If you can't update the firmware could I humbly suggest you consider a YubiKey 3 - Basic model which I suspect if marketed properly would out sell all your other models. All it would do is allow users to set a long password of any acceptable character, ideally storing perhaps 3 depending on the type of touch 1 tap for the first 1 two quick taps for the second 3 taps for the 3rd.
And by default to return character at the end, encouraging users to enter their own pin at the end. These could then be used for email access, on-line banking and storing WPA keys.

Although not as secure as one time passwords, they are instantly compatible with any existing system, simple to undestand and absolutely ideal to distribute between family members and friends to encourage them to be far more safe with their banking etc - although admittedly key loggers are still a problem.

Without doubt your products are great just unfortunately no use form my particular needs, so assuming there is no firmware update solution, if there is anyone in the UK that wants two free YubiKeys I'm happy to pass them on.

David in Edinburgh, Scotland
Security Now listener

Statistics: Posted by FringeFrenzy — Sat Aug 15, 2009 4:10 pm

Re: Using the YubiKey 2.0 purely for static mode

2009-08-08T12:05:35+01:00

For compatibility (Yubikey 1) reasons, we've limited the number of characters in scan code mode to 16. As all characters (not just Modhex characters) can be used in this mode, we thought this should be enough.

Regards,

JakobE
Hardware- and firmware guy @ Yubico

Statistics: Posted by Jakob — Sat Aug 08, 2009 12:05 pm

Re: Using the YubiKey 2.0 purely for static mode

2009-08-08T09:12:33+01:00

Thanks.

Is there a way to store more than 16 characters?

And how do I use the config 1 for static, and config 2 for logging in to yubico?

Statistics: Posted by bason — Sat Aug 08, 2009 9:12 am

Re: Using the YubiKey 2.0 purely for static mode

2009-08-05T15:40:49+01:00

The YubiKey 2.0 provides an interesting feature where we can program it to emit our desired password. The Yubico personalization utility 2.0 provides an option called "Scan code mode" in the static password configuration. The scan code mode provides a mechanism to generate a string based on any arbitrary keyboard scan code. Just select the "Scan code mode" option and punch in your password in the scan code input field. After programming the YubiKey, it will emit the password punched by you. The scan code mode allows to generate up to 16 characters password.

You can download the latest Yubico personalization utility and user guide from the following link:

http://www.yubico.com/developers/personalization/

We hope this helps!

Statistics: Posted by network-marvels — Wed Aug 05, 2009 3:40 pm