Yubico Forum

Re: HMAC-SHA1 verification with C#

2014-02-04T08:19:40+01:00

Hello,

Yes, you need a buffer of 40 bytes, and for the reasons:
Each feature report packet is 8 bytes, of which 7 bytes is payload, which means that it should be enough with 32 bytes buffer for hmac-sha1, but: there is a two byte crc as well, which takes us into the next packet as well, so 40 bytes is needed for the response buffer.

Maybe this should be hidden from you by the library, but it isn't..

/klas

Statistics: Posted by Klas — Tue Feb 04, 2014 8:19 am

Re: HMAC-SHA1 verification with C#

2014-02-03T17:01:23+01:00

So I just dug into this a bit deeper and I think I found the issue. In ykchalresp.c, the response buffer is set to 64 bytes in length. Making this change in the C# invocation causes the entire response to get stuffed into the first 20 bytes of the 64 byte buffer. I'm not sure whether or not this is a bug (maybe it's a consequence of the yubikey's 64 byte buffer?), so I'd appreciate any input on why this is necessary.

Statistics: Posted by ChainReaktion — Mon Feb 03, 2014 5:01 pm

Re: HMAC-SHA1 verification with C#

2014-02-03T16:49:03+01:00

Good thought, I just checked and using the prebuilt binary the last 6 bytes are filled in properly. This strongly implies that I'm invoking the method improperly. I've declared the ykpers method as:

Code:

 [DllImport("libykpers-1-1.dll", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.Cdecl)]
        public static extern int yk_challenge_response(IntPtr yk, byte yk_cmd, int may_block, uint challenge_len, byte[] challenge, uint response_len, byte[] response);

then calling it with

Code:

YubiWrapper.yk_challenge_response(yk, YubiWrapper.SLOT_CHAL_HMAC2, 1, 64, m_challenge, 20, m_response);

does that look reasonable to you? I'll keep digging to see what I'm doing wrong. Thanks!

Statistics: Posted by ChainReaktion — Mon Feb 03, 2014 4:49 pm

Re: HMAC-SHA1 verification with C#

2014-02-03T10:02:47+01:00

Hello,

Do you get the same behaviour using the ykchalresp binary shipped with ykpers?
I'm not directly familiar with the PInvoke methods, but how are you invoking the yk_challenge_response() method?

/klas

Statistics: Posted by Klas — Mon Feb 03, 2014 10:02 am

HMAC-SHA1 verification with C#

2014-02-02T23:37:25+01:00

I'm trying to do something similar to this comment: viewtopic.php?f=16&t=1078. I'm writing c# code to send a challenge to the yubikey and verify the response. I'm running the challenge through the System.Cryptography.HMACSHA1 class and comparing the response to the yubikey's output. I've configured the yubikey for a fixed 64 byte challenge to simplify things and it's almost working. The responses are identical except for the last 6 bytes from the yubikey, which are always 0x00. I'm calling the yubikey via the yk_challenge_response method of the ykpers library through PInvoke. Is there any reason this could be the desired behavior? I've looked over the yubikey-personalization code and I can't find any likely culprits. Thanks!

Statistics: Posted by ChainReaktion — Sun Feb 02, 2014 11:37 pm