Yubico Forum

Re: Validation Protocol Version 2.0 - HMAC-SHA1 signature

2014-03-04T10:19:56+01:00

Hello,

That site isn't doing base64 decoding of your key..

Let's do a little example..

We're using id 15618 and key Eibja2kRFXXoW6hjZaiyBtWnCBA=
With the string id=15618&nonce=0102030405060708090a0b0c0d0e0f&otp=ccccccbteuddjivcnlfefefrccdcjrfjfvgjnfkcklge quickhash.com gives us XsQI1OJZ+R0KsAokpdAAhHQQavQ= but the correct signature is Jt19GpDOAraTYRFBHSofYZFEwjE=

https://api.yubico.com/wsapi/verify/2.0 ... ofYZFEwjE=
https://api.yubico.com/wsapi/verify/2.0 ... AAhHQQavQ=

and finally some perl code:

Code:

#!/usr/bin/perl

use Digest::SHA qw(hmac_sha1);
use MIME::Base64;

my $key = decode_base64("Eibja2kRFXXoW6hjZaiyBtWnCBA=");
my $string = "id=15618&nonce=0102030405060708090a0b0c0d0e0f&otp=ccccccbteuddjivcnlfefefrccdcjrfjfvgjnfkcklge";
my $sig = encode_base64(hmac_sha1($string, $key));
$string .= "&h=$sig";
warn $string;

/klas

Statistics: Posted by Klas — Tue Mar 04, 2014 10:19 am

Re: Validation Protocol Version 2.0 - HMAC-SHA1 signature

2014-02-19T13:35:29+01:00

While being thankful for your reply, I'm afraid that I cannot use it for anything, since I've already read the guide from where you copy/pasted the steps.
I followed every step the best I could, but still nothing.

Statistics: Posted by raj — Wed Feb 19, 2014 1:35 pm

Re: Validation Protocol Version 2.0 - HMAC-SHA1 signature

2014-02-19T13:28:55+01:00

The protocol uses HMAC-SHA-1 signatures. The HMAC key to use is the client API key.

Generate the signature over the parameters in the message. Each message contains a set of key/value pairs, and the signature is always over the entire set (excluding the signature itself), and sorted in alphabetical order of the keys. More precisely, to generate a message signature do:

1- Alphabetically sort the set of key/value pairs by key order.
2- Construct a single line with each ordered key/value pair concatenated using '&', and each key and value contatenated with '='. Do not add any linebreaks. Do not add whitespace. For example: `a=2&b=1&c=3`.
3- Apply the HMAC-SHA-1 algorithm on the line as an octet string using the API key as key.
4- Base 64 encode the resulting value according to RFC 4648, for example, `t2ZMtKeValdA+H0jVpj3LIichn4=`.
5- Append the value under key 'h' to the message.[/list]

Statistics: Posted by Tom — Wed Feb 19, 2014 1:28 pm

Validation Protocol Version 2.0 - HMAC-SHA1 signature

2014-02-19T09:42:54+01:00

I got the protocol working pretty first, so that's all good. But for increased security, we'd like to add the 'h' parameter to the url, but no matter what I try, I always get the response "BAD_SIGNATURE".

As for now, I am using this site to generate the signature: https://quickhash.com/ Algorithim is SHA1 with "Use HMAC Method?" checked and output set to Base64.
The HMAC key I use is the 'Secret Key' I get from https://upgrade.yubico.com/getapikey/.
The id parameter in the url is also from the /getapikey site.

If I input this in the quickhash input box: id=15401&nonce=askjdnkajsndjkasndkjsnad&otp=ccccccdbrldiifthrjbbjlvgkcguceiheninhbubtgil
And then click generate I get this output: by7jCdAlZI1osGspmzHIGQEjnZ4=

So I go to this url: http://api.yubico.com/wsapi/2.0/verify? ... HIGQEjnZ4=

And get this response:
h=vA0nh/B/o/NqgjbaTiwFdP7QBFU=
t=2014-02-19T08:39:59Z0949
status=BAD_SIGNATURE

Any and all help would be appreciated!

Statistics: Posted by raj — Wed Feb 19, 2014 9:42 am