I am trying to understand how to implement OTP validation in a PHP web application which has no internet access, so it must not use the online Yubico validation server.
I am not much concerned with the actual code, rather with the logical flow validation must follow.
Suppose that a YubiKey is configured as follows:
Code:
Public ID: dd kg ub uh uh rv
Private ID: 54 e6 a5 4a cd 40
AES Key: b3 e1 86 d6 89 39 cb 99 8b 73 be 4b 8a 21 23 b9
And that the web-app recieves the following OTP:
Code:
ddkgubuhuhrvnclikhifnkbeifiuihdkkbcdgrlubvdg
How do I then proceed validating it?
Until now, here is what I have done:
1. split the OTP in Public ID (ddkgubuhuhrv) and actual OTP (nclikhifnkbeifiuihdkkbcdgrlubvdg)
2. convert OTP from ModHex to binary, by first "translating" it to standard hexadecilmal and then to binary
3. decode the binary using the AES key, obtaining a new binary string
But now, how do I go on?
I have read the manual that I should perform a CRC16 check, so I found a PHP implementation of it, but on which string should I call it? And after that?
Thanks in advance for your help.Statistics: Posted by mtassinari — Thu Jun 06, 2013 3:32 pm
]]>