Yubico Forum

It seems that new personalization tool can generate more than 44 character length OTP. This issue happens when 12 character length Yubikey ID is entered. If the Yubikey ID is 6 character length, normal OTP ( 44 characters) is generated.

I understand that the value for Yubikey ID field shall be "Plain Text" and its length shall be 6 (such as "ABCDEF"). Is it correct ?

It is correct that the new personalization tool can generate passwords having more than 44 characters. The length of the generated password depends on the number of characters in the YubiKey ID.

The “YubiKey ID” field accepts alphanumeric as well as special characters and it has a maximum length of 12 characters.

For example,
“Adv12Rf#rt%!”

If we are using YubiKey to generate a one-time password for validating it against the Yubico Validation server, the “YubiKey ID” should be maximum 6 characters.

If we are using YubiKey to generate a static password, the “YubiKey ID” can be up to 12 characters.

Thanks for your explanation.

By the way, according to the User Guide, a static password is generated at the key programing. Could you show us how a static password will be composed ?

The field for entering the Yubikey ID in the new configuration tool has the following language below the entry box:

"Yubikey ID: The fixed, unique first 12 chars of the OTP"

From this one might expect that one should enter 12 modhex digits in this box which would become the Yubikey ID. However, according to this thread one is to enter 6 ASCII characters to produce a OTP (with a 12 character modhex unique ID) and up to 12 ASCII characters to produce a static password with a longer unique ID. (Would 12 ASCII characters produce a 24 modhex character unique ID?)

The field for entering the Yubikey AES Key has the following language below the entry box:

"Yubikey AES Key: Enter new AES key for your Yubico token"

That box will only accept 16 characters. However, the AES key shown in the Yubico Management Service database shows three versions of each secret key--a 24 character b64 key, a 32 character hex key, and a 32 character modhex key.

It appears that the terms Yubikey ID and Yubikey AES Key are being used differently in the configuration tool than in the YMS and I believe this causes confusion. At least it does for me. Perhaps this is more obvious to others, but I think it would be helpful to use the terms consistently.

This is further complicated by the fact that the entry box for adding a YK to the YMS requests the Yubikey tokenID in base64 but will only function if it's entered in modhex. The "AES Secret" box doesn't specify the format, but apparently also only functions with modhex.

This leads to the question--If I want to reprogram a YK for OTP use and enter its information into the YMS, how do I determine its AES Key in a format that I can enter into the YMS? I realize that YKs are read only so I assume that I have to determine the key during the programming.

Thanks.

Dick

I also found the interface and manual to be confusing. I discovered (only by trial and error) that I needed to enter the ID and AES key in ASCII to program my key using the Personalization tool.

There is no mention in the manual of modhex, I realise that this may have been intentional to keep things 'less complicated' for your average Personalization tool user. But as modhex is what the Yubikey generates, users may wonder why the 6 character ASCII ID they entered using the tool, appears as 12 seemingly unrelated characters when emitted from the Yubikey.

A great improvement on the previous tool though, any news on the new libUsb version?

Thanks for your valuable inputs!

There are some inconsistencies with the "YubiKey ID" and "YubiKey AES Key" terms used in the Yubico Management Server and the Yubico Personalization Tool.
We will fix these issues in the next release of the Yubico Management Server and the Yubico Personalization Tool.

We have to enter the "YubiKey tokenID" field in the modhex format and the "AES Secret" field in the base64 format, when we add the new YubiKey to the Yubico Management Server.

You are correct and my post was in error with respect to the AES Secret field which does, as you point out, require base64. Part of the confusion is caused by the fact that the Yubikey tokenID specifically asks for base64 but only accepts modhex.


Any chance of an answer to this question?

Thanks.

Dick

Hi,

There are inconsistencies with the format of the values of the "YubiKey ID" and "YubiKey AES Key" while entering them to the YMS database.

We will fix this issue in the next release of the Yubico Management Server.

While reprogramming the YubiKey using the Yubico Personalization Tool, if you don’t want to change the original values for the “YubiKey ID” and the “YubiKey AES Key” (configured by Yubico while shipping), you need to get the original YubiKey ID and YubiKey AES Key information from the Yubico Management System (YMS). Please refer to the Yubico website for additional details on retrieving this information.The Yubico Management server provide this information in b64, hex and modhex format.

The Yubico Personalization Tool accepts values for the “YubiKey ID” and the “YubiKey AES Key” in ASCII format. So you have to change the original values retrieved from the Yubico Management Server to the ASCII format before entering them to the Yubico Personalization Tool.

If you want to reprogram your YubiKey with different values for the “YubiKey ID” and the “YubiKey AES Key” using the Yubico Personalization Tool, you need to enter these values in ASCII as the Yubico Personalization Tool accepts values for the “YubiKey ID” and the “YubiKey AES Key” in ASCII format.

If you want to update the reprogrammed values to the Yubico Management Server, you need to change the “YubiKey ID” value to modhex from ASCII and the “YubiKey AES Key” value to base64 from ASCII. Enter the converted modhex value of the YubiKey ID and the base64 value of the YubiKey AES Key to the Yubico Management server.

You can use any of the online conversion tools available to change the format of the values.

We hope this answers your question.

Feel free to write back to us in case you face any problems.

Thanks. I'll give that a try.

This will be a good refresher course in the different ways of representing data. It's been a while since I've had reason to do this, but learning or relearning is always a good thing. Fortunately, I've recently retired so I've now got some time to do this.

Regards,

Dick

A new version of Yubico Personalization tool for Windows (Beta) which accepts hex values for YubiKeyID and Yubico AES Key is now available for download. The installer and the user guide can be downloaded from:

http://www.yubico.com/developers/personalization/