Yubico Forum ...visit our web-store at 2015-03-16T11:56:07+01:00 https://forum.yubico.com/feed.php?f=26&t=1788 2015-03-16T11:56:07+01:00 2015-03-16T11:56:07+01:00 https://forum.yubico.com/viewtopic.php?t=1788&p=7039#p7039 <![CDATA[Re: OTOH and Challenge Response Clarification]]>
Thank you for the clarification :-)

-=david=-

Statistics: Posted by dharrigan — Mon Mar 16, 2015 11:56 am

]]> 2015-03-16T11:05:35+01:00 2015-03-16T11:05:35+01:00 https://forum.yubico.com/viewtopic.php?t=1788&p=7038#p7038 <![CDATA[Re: OTOH and Challenge Response Clarification]]>
If you are using the Yubico Authenticator you are not using that TOTP helper app, rather the OATH applet on the Yubikey NEO

You are right that the webpage is misleading we will fix it.

Statistics: Posted by Tom2 — Mon Mar 16, 2015 11:05 am

]]> 2015-03-16T10:47:32+01:00 2015-03-16T10:47:32+01:00 https://forum.yubico.com/viewtopic.php?t=1788&p=7037#p7037 <![CDATA[Re: OTOH and Challenge Response Clarification]]>
Thank you for your reply. I got the information directly from the website, referenced here:

https://www.yubico.com/applications/int ... ces/gmail/

and to quote:

Quote:

Therefore, to create a TOTP response using the YubiKey, Yubico has developed a small application which sends the current time to the YubiKey set-up for HMAC-SHA1 challenge/response. The application sends the current time in the OATH-TOTP format and receives back the 160 bit HMAC-SHA1 hash. This is then processed as per the OATH-TOTP spec to produce either a 6 or 8 digit number.


It alludes that CR is used (specifically HMAC-SHA1).

I've probably misunderstood the information presented, but that's how it reads.

-=david=-

Statistics: Posted by dharrigan — Mon Mar 16, 2015 10:47 am

]]> 2015-03-16T09:59:16+01:00 2015-03-16T09:59:16+01:00 https://forum.yubico.com/viewtopic.php?t=1788&p=7035#p7035 <![CDATA[Re: OTOH and Challenge Response Clarification]]>

OATH (TOTP HOTP) they have nothing to do with the HMAC-SHA1.

The OATH applet on your NEO will be fed with time from your OS and spit out TOTP codes.

The Challenge Response works in a different way over HID not CCID. An example of CR is KeeChallenge for KeePass where the Yubikey secret is used as part of the key derivation function.
Another application using CR is the Windows logon tool

The Yubico Authenticator does not use CR in any way.

Statistics: Posted by Tom2 — Mon Mar 16, 2015 9:59 am

]]> 2015-03-15T16:10:40+01:00 2015-03-15T16:10:40+01:00 https://forum.yubico.com/viewtopic.php?t=1788&p=7033#p7033 <![CDATA[OTOH and Challenge Response Clarification]]>
If I understand it correctly, the Yubico Authenticator sends the current time to the Yubikey Neo (I have fw version 3.3.0) as a challenge response and gets back a response which is then used to generate the digits.

My question is this, when I plug my Yubikey into the Personalization Tool, and click on Tools/Challenge-Response Tester, and choose either slot 1 or slot 2, I get this error:

"Challenge response could not be performed. Perhaps they YubiKey is not configured for challenge-response?"

So, how does the Yubico Authenticator get my YubiKey to honour a challenge-response request? I'm obviously missing something in my understanding! :-)

btw, I'm successfully using the Yubico Authenticator and is working as expected.

Thank you.

-=david=-

Statistics: Posted by dharrigan — Sun Mar 15, 2015 4:10 pm

]]>