Yubico Forum ...visit our web-store at 2014-07-28T07:48:59+01:00 https://forum.yubico.com/feed.php?f=30&t=1425 2014-07-28T07:48:59+01:00 2014-07-28T07:48:59+01:00 https://forum.yubico.com/viewtopic.php?t=1425&p=5444#p5444 <![CDATA[Re: [SOLVED] ykchalresp: Can not get the same response in py]]>
You seem to be using the hmac-lt64 option when programming the YubiKey. When this option is in effect the challenge is limited to 63 bytes, but may be less and any challenge longer than 63 bytes will be truncated to 63.
I've verified with a 2.2.3 key and a piece of perl that it behaves correctly with challenges up to 63 bytes. There might be bugs in the yubico-python code, so it'd be good if you could verify with both that and the ykchalresp utility.

/klas

Statistics: Posted by Klas — Mon Jul 28, 2014 7:48 am

]]> 2014-07-18T10:01:45+01:00 2014-07-18T10:01:45+01:00 https://forum.yubico.com/viewtopic.php?t=1425&p=5418#p5418 <![CDATA[Re: [SOLVED] ykchalresp: Can not get the same response in py]]>
The Yubikey calculates an HMAC SHA1 with the challenge.

So this is roughly my verification code:

Code:
>>> hexkey="7b6b585de517c96560f5bd0db211ea58ba1500ca"
>>> import binascii
>>> import hashlib
>>> import hmac
>>> chal_hex="175ff6a6b675906d748b2a2b74dce6dc2f065685f4a69caa7f65e2167015745f4162f1b508d1eef7f5b319cf4bf3f435daca4e387152005e253e4694e9091781"
>>> binascii.hexlify(hmac.new(binascii.unhexlify(hexkey), binascii.unhexlify(chal_hex), hashlib.sha1).digest())
'b8a53bf4d40db429029e89bfc5cd6057645b3ea6'


Indeed the 64 byte response of the python hmac libraray does not match the 64 byte response of the Yubikey.
The python HMAC lib and the Yubikey itself get the same responses for 32 byte, but not for 64 byte.
Thats bad, but at least I know the reason for this...

I tested this on Ubuntu 14.04LTS, with python 2.7.6.

Kind regards
Cornelius

Statistics: Posted by corny — Fri Jul 18, 2014 10:01 am

]]> 2014-07-18T09:40:22+01:00 2014-07-18T09:40:22+01:00 https://forum.yubico.com/viewtopic.php?t=1425&p=5417#p5417 <![CDATA[Re: [SOLVED] ykchalresp: Can not get the same response in py]]>
(Read to the end, before clicking links - I have the error (my error) narrowed down)

I am running this python code to initialize the yubikey:
https://github.com/privacyidea/privacyi ... yubikey.py

roughlty it does this in MODE_OATH and challenge_response==True:

Code:
Cfg = YK.init_config()
key = binascii.hexlify(os.urandom(20))
Cfg.mode_challenge_response('h:' + key, type="HMAC")
Cfg.ticket_flag('APPEND_CR', False)
Cfg.extended_flag('SERIAL_API_VISIBLE', True)
YK.write_config(Cfg, slot=slot)


which pretty much looks the same to me like this https://github.com/Yubico/python-yubico ... t_test_key:
Code:
Cfg = YK.init_config()
key='h:303132333435363738393a3b3c3d3e3f40414243'
fg.mode_challenge_response(key, type='HMAC', variable=True)
Cfg.extended_flag('SERIAL_API_VISIBLE', True)
YK.write_config(Cfg, slot=slot)


But still it does not work out for me. The command line tool creates another response, than my python program does...
Code:
% ykchalresp -2 -H -x 175ff6a6b675906d748b2a2b74dce6dc2f065685f4a69caa7f65e2167015745f4162f1b508d1eef7f5b319cf4bf3f435daca4e387152005e253e4694e9091781
2008b987214e073127006e4166ef189242dbf035


OK, using my initialized key with some very basic python code:
Code:
cornelius@puckel ~/src/privacyideaadm (git)-[master] % python
Python 2.7.6 (default, Mar 22 2014, 22:59:56)
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import yubico
>>> import sys
>>> YK=yubico.find_yubikey()
>>> chal_hex="175ff6a6b675906d748b2a2b74dce6dc2f065685f4a69caa7f65e2167015745f4162f1b508d1eef7f5b319cf4bf3f435daca4e387152005e253e4694e9091781"
>>> import binascii
>>> chal = binascii.unhexlify(chal_hex)
>>> YK.challenge_response(chal, slot=2)
" \x08\xb9\x87!N\x071'\x00nAf\xef\x18\x92B\xdb\xf05"
>>> binascii.hexlify(YK.challenge_response(chal, slot=2))
'2008b987214e073127006e4166ef189242dbf035'
>>>


Well! This looks fine and produces the same response! So now I know the following:

1. My initialization is working fine.
2. My Yubikey is working fine
3. My response verification code has a problem with challenges larger than 32 bytes....

Thanks for you patience and help.
I will look into this.

Kind regards
Cornelius

Statistics: Posted by corny — Fri Jul 18, 2014 9:40 am

]]> 2014-07-18T07:23:11+01:00 2014-07-18T07:23:11+01:00 https://forum.yubico.com/viewtopic.php?t=1425&p=5414#p5414 <![CDATA[Re: [SOLVED] ykchalresp: Can not get the same response in py]]>
program the yubikey with the GUI

Could you use our Python code https://github.com/Yubico/python-yubico ... e_response

also, what version is your Yubikey firmware?

Statistics: Posted by Tom — Fri Jul 18, 2014 7:23 am

]]> 2014-07-14T11:21:45+01:00 2014-07-14T11:21:45+01:00 https://forum.yubico.com/viewtopic.php?t=1425&p=5404#p5404 <![CDATA[Re: [SOLVED] ykchalresp: Can not get the same response in py]]>
this test runs perfectly. But this challenge is <=32bytes.

And as soon as I use a challenge >32btes <=64bytes the python code does not produces the same result as the ykchalresp!

Kind regards
Cornelius

Statistics: Posted by corny — Mon Jul 14, 2014 11:21 am

]]> 2014-07-14T10:41:13+01:00 2014-07-14T10:41:13+01:00 https://forum.yubico.com/viewtopic.php?t=1425&p=5403#p5403 <![CDATA[Re: [SOLVED] ykchalresp: Can not get the same response in py]]>
http://opensource.yubico.com/yubikey-pe ... esp.1.html

Statistics: Posted by Tom — Mon Jul 14, 2014 10:41 am

]]> 2014-07-14T09:54:31+01:00 2014-07-14T09:54:31+01:00 https://forum.yubico.com/viewtopic.php?t=1425&p=5402#p5402 <![CDATA[Re: [SOLVED] ykchalresp: Can not get the same response in py]]>
yes, I read this, but when I use 64bytes, it does not work - while it works fine with 32bytes.
I am willing to provide you any additional information!

Kind regards
Cornelius

Statistics: Posted by corny — Mon Jul 14, 2014 9:54 am

]]> 2014-07-14T09:01:02+01:00 2014-07-14T09:01:02+01:00 https://forum.yubico.com/viewtopic.php?t=1425&p=5399#p5399 <![CDATA[Re: [SOLVED] ykchalresp: Can not get the same response in py]]>
HMAC-SHA1 challenge-response
This method allows a challenge of up to 64 bytes (512 bits) to be
hashed using the HMAC-SHA1 algorithm with a 20-byte (160 bits)
secret

Statistics: Posted by Tom — Mon Jul 14, 2014 9:01 am

]]> 2014-07-13T07:33:56+01:00 2014-07-13T07:33:56+01:00 https://forum.yubico.com/viewtopic.php?t=1425&p=5397#p5397 <![CDATA[[SOLVED] Re: ykchalresp: Can not get the same response in py]]>
Why does 32byte challenges work although the yubikey claims to process 64 byte challenges?

Code:
cornelius@puckel ~/src/python-yubico/examples (git)-[master] % python
Python 2.7.6 (default, Mar 22 2014, 22:59:56)
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import hmac
>>> import binascii
>>> import hashlib
>>> import os
>>> key = "a60f076ca60e6d966f3bdcdc96f5e94c3c8efc32"
>>> chal = os.urandom(32)
>>> print binascii.hexlify(chal)
d1835d598bc20c4ce8312ba94f046a015f7a70c48631b88f29922f1183e77873
>>> hmac.new(binascii.unhexlify(key), chal, hashlib.sha1).hexdigest()
'c7f7a081d06a738f913dce36b538091adc6d2e93'
>>> quit()
cornelius@puckel ~/src/python-yubico/examples (git)-[master] % ykchalresp -2 -x d1835d598bc20c4ce8312ba94f046a015f7a70c48631b88f29922f1183e77873
c7f7a081d06a738f913dce36b538091adc6d2e93


So I need to be content with 32 bytes.

Kind regards
Cornelius

Statistics: Posted by corny — Sun Jul 13, 2014 7:33 am

]]> 2014-07-13T07:34:51+01:00 2014-07-12T20:44:45+01:00 https://forum.yubico.com/viewtopic.php?t=1425&p=5396#p5396 <![CDATA[[SOLVED] ykchalresp: Can not get the same response in python]]> I am playing around with the yubikey in challenge response and try to reproduce it in python.

I initialize the yubikey like this:
Code:
# ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
Firmware version 2.2.3 Touch level 1795 Program sequence 3

Passphrase to create AES key: lsjdkflksdjf
Configuration data to be written to key configuration 2:

fixed: m:
uid: n/a/
key: h:a60f076ca60e6d966f3bdcdc96f5e94c3c8efc32
acc_code: h:000000000000
OATH IMF: h:0
ticket_flags: CHAL_RESP
config_flags: CHAL_HMAC|HMAC_LT64
extended_flags: SERIAL_API_VISIBLE


I take it, that a60f076ca60e6d966f3bdcdc96f5e94c3c8efc32 is the stored hmac key.

Now I run:
Code:
ykchalresp -2 -x 57642f9efa71d159181c0f3bbc93a84ccb8d378782e09eae21695395b441f5a22a3f35d46ee596fbab39e38d3fc0c4841780996fd272845af4d92cc31bf5134a
cef9198f3a2d9a378289096da646b7c165090d60


Simuliation this in python I get another response:

Code:
import hmac
import binascii
import hashlib
key = "a60f076ca60e6d966f3bdcdc96f5e94c3c8efc32"
chal = "57642f9efa71d159181c0f3bbc93a84ccb8d378782e09eae21695395b441f5a22a3f35d46ee596fbab39e38d3fc0c4841780996fd272845af4d92cc31bf5134a"
hmac.new(binascii.unhexlify(key), binascii.unhexlify(chal), hashlib.sha1).hexdigest()
'd8352dc4a5ce33639801fb2e2fa87444dbcae55e'


What am I missing here?

Thanks a lot and kind regards
Cornelius

Statistics: Posted by corny — Sat Jul 12, 2014 8:44 pm

]]>