I can't seem to easily find "official" specifications for..
1. the generation of, and structure of, the YubiKey's emitted One Time Password (OTP) [this also appears to be referred to as a "textual token" in some docs],
2. the USB-level commnications _to_ the YubiKey, e.g. for re-initializing the AES key,
3. the validation server protocol.
Now, I realize that there is an accounting of (1) in Simon's YubiKey Security Review (http://www.yubico.com/files/YubiKey_Security_Review.pdf), but that isn't a properly a specification.
Also, (3) is described in the Web Services API page (http://yubico.com/developers/api/) -- is that the only such protocol spec at this time?
For (2), I've looked in the source code for the "Yubico Personalization Library" and don't see any docs or specs there. From the code it seems that a generic HID device (which the YubiKey is) supports two-way communication, and so what one would be looking for in this case is an enumeration of what "commands" and "data" one can send to the YubiKey over USB and what its repsonses ought to be.
Are any of the above documented anywhere other than where I've already noted?
thanks,
=JeffHStatistics: Posted by =JeffH — Sat Dec 20, 2008 12:30 am
]]>