Yubico Forum ...visit our web-store at 2008-06-19T09:42:26+01:00 https://forum.yubico.com/feed.php?f=5&t=48 2008-06-19T09:42:26+01:00 2008-06-19T09:42:26+01:00 https://forum.yubico.com/viewtopic.php?t=48&p=320#p320 <![CDATA[Re: I'm not entirely sure that I understand how the server...]]>
Quote:

In point 2 you say: "Use this prefix to check up in the database which
AES key this particular ID has"
Will this lookup be in the local database or in a remote database? If
it will be local does the database need to be synchronized?


The lookup is done in the local database. The intention is that you only ever store the AES key in just one database, so there is no need to synchronize anything. If you need to validate OTPs from any other place, you should use the web service client API instead of trying to decrypt the OTP.

I hope this answers the question.

Thanks,
Simon

Statistics: Posted by Simon — Thu Jun 19, 2008 9:42 am

]]> 2008-05-20T20:08:12+01:00 2008-05-20T20:08:12+01:00 https://forum.yubico.com/viewtopic.php?t=48&p=54#p54 <![CDATA[I'm not entirely sure that I understand how the server...]]>
A: The OTP is not encrypted with the id. It is a separate symmetrical key, unique to each device. The basic principle to verify the blob is as follows:

1. Extract the public ID prefix (sent in clear text = the first characters - 32)
2. Use this prefix to check up in the database which AES key this particular ID has
3. Decrypt the OTP part using this key (last 32 characters = 128 bits)
4. Verify that the checksum matches
5. Verify that the private ID matche
6. Verify that the counter- and timer values match

Statistics: Posted by hrag — Tue May 20, 2008 8:08 pm

]]>