Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 5:47 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 10 posts ] 
Author Message
PostPosted: Tue Jan 20, 2009 7:54 am 
Offline

Joined: Tue Jan 20, 2009 7:47 am
Posts: 6
It seems that new personalization tool can generate more than 44 character length OTP. This issue happens when 12 character length Yubikey ID is entered. If the Yubikey ID is 6 character length, normal OTP ( 44 characters) is generated.

I understand that the value for Yubikey ID field shall be "Plain Text" and its length shall be 6 (such as "ABCDEF"). Is it correct ?


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Tue Jan 20, 2009 12:57 pm 
Offline
Yubico Team
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
It is correct that the new personalization tool can generate passwords having more than 44 characters. The length of the generated password depends on the number of characters in the YubiKey ID.

The “YubiKey ID” field accepts alphanumeric as well as special characters and it has a maximum length of 12 characters.

For example,
“Adv12Rf#rt%!”

If we are using YubiKey to generate a one-time password for validating it against the Yubico Validation server, the “YubiKey ID” should be maximum 6 characters.

If we are using YubiKey to generate a static password, the “YubiKey ID” can be up to 12 characters.


Top
 Profile  
Reply with quote  
PostPosted: Wed Jan 21, 2009 1:23 am 
Offline

Joined: Tue Jan 20, 2009 7:47 am
Posts: 6
Thanks for your explanation.

By the way, according to the User Guide, a static password is generated at the key programing. Could you show us how a static password will be composed ?


Top
 Profile  
Reply with quote  
PostPosted: Thu Jan 22, 2009 12:52 am 
Offline

Joined: Sun Jan 11, 2009 4:40 am
Posts: 41
The field for entering the Yubikey ID in the new configuration tool has the following language below the entry box:

"Yubikey ID: The fixed, unique first 12 chars of the OTP"

From this one might expect that one should enter 12 modhex digits in this box which would become the Yubikey ID. However, according to this thread one is to enter 6 ASCII characters to produce a OTP (with a 12 character modhex unique ID) and up to 12 ASCII characters to produce a static password with a longer unique ID. (Would 12 ASCII characters produce a 24 modhex character unique ID?)

The field for entering the Yubikey AES Key has the following language below the entry box:

"Yubikey AES Key: Enter new AES key for your Yubico token"

That box will only accept 16 characters. However, the AES key shown in the Yubico Management Service database shows three versions of each secret key--a 24 character b64 key, a 32 character hex key, and a 32 character modhex key.

It appears that the terms Yubikey ID and Yubikey AES Key are being used differently in the configuration tool than in the YMS and I believe this causes confusion. At least it does for me. Perhaps this is more obvious to others, but I think it would be helpful to use the terms consistently.

This is further complicated by the fact that the entry box for adding a YK to the YMS requests the Yubikey tokenID in base64 but will only function if it's entered in modhex. The "AES Secret" box doesn't specify the format, but apparently also only functions with modhex.

This leads to the question--If I want to reprogram a YK for OTP use and enter its information into the YMS, how do I determine its AES Key in a format that I can enter into the YMS? I realize that YKs are read only so I assume that I have to determine the key during the programming.

Thanks.

Dick


Top
 Profile  
Reply with quote  
PostPosted: Thu Jan 22, 2009 10:43 am 
Offline

Joined: Wed Jun 18, 2008 6:51 pm
Posts: 19
I also found the interface and manual to be confusing. I discovered (only by trial and error) that I needed to enter the ID and AES key in ASCII to program my key using the Personalization tool.

There is no mention in the manual of modhex, I realise that this may have been intentional to keep things 'less complicated' for your average Personalization tool user. But as modhex is what the Yubikey generates, users may wonder why the 6 character ASCII ID they entered using the tool, appears as 12 seemingly unrelated characters when emitted from the Yubikey.

A great improvement on the previous tool though, any news on the new libUsb version?


Top
 Profile  
Reply with quote  
PostPosted: Thu Jan 22, 2009 11:17 am 
Offline
Yubico Team
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
Dick wrote:
The field for entering the Yubikey ID in the new configuration tool has the following language below the entry box:

"Yubikey ID: The fixed, unique first 12 chars of the OTP"

From this one might expect that one should enter 12 modhex digits in this box which would become the Yubikey ID. However, according to this thread one is to enter 6 ASCII characters to produce a OTP (with a 12 character modhex unique ID) and up to 12 ASCII characters to produce a static password with a longer unique ID. (Would 12 ASCII characters produce a 24 modhex character unique ID?)

The field for entering the Yubikey AES Key has the following language below the entry box:

"Yubikey AES Key: Enter new AES key for your Yubico token"

That box will only accept 16 characters. However, the AES key shown in the Yubico Management Service database shows three versions of each secret key--a 24 character b64 key, a 32 character hex key, and a 32 character modhex key.

It appears that the terms Yubikey ID and Yubikey AES Key are being used differently in the configuration tool than in the YMS and I believe this causes confusion. At least it does for me. Perhaps this is more obvious to others, but I think it would be helpful to use the terms consistently.

This is further complicated by the fact that the entry box for adding a YK to the YMS requests the Yubikey tokenID in base64 but will only function if it's entered in modhex. The "AES Secret" box doesn't specify the format, but apparently also only functions with modhex.

This leads to the question--If I want to reprogram a YK for OTP use and enter its information into the YMS, how do I determine its AES Key in a format that I can enter into the YMS? I realize that YKs are read only so I assume that I have to determine the key during the programming.

Thanks.

Dick


Thanks for your valuable inputs!

There are some inconsistencies with the "YubiKey ID" and "YubiKey AES Key" terms used in the Yubico Management Server and the Yubico Personalization Tool.
We will fix these issues in the next release of the Yubico Management Server and the Yubico Personalization Tool.

We have to enter the "YubiKey tokenID" field in the modhex format and the "AES Secret" field in the base64 format, when we add the new YubiKey to the Yubico Management Server.


Top
 Profile  
Reply with quote  
PostPosted: Fri Jan 23, 2009 2:42 am 
Offline

Joined: Sun Jan 11, 2009 4:40 am
Posts: 41
network-marvels wrote:
We have to enter the "YubiKey tokenID" field in the modhex format and the "AES Secret" field in the base64 format, when we add the new YubiKey to the Yubico Management Server.

You are correct and my post was in error with respect to the AES Secret field which does, as you point out, require base64. Part of the confusion is caused by the fact that the Yubikey tokenID specifically asks for base64 but only accepts modhex.

Dick wrote:
This leads to the question--If I want to reprogram a YK for OTP use and enter its information into the YMS, how do I determine its AES Key in a format that I can enter into the YMS? I realize that YKs are read only so I assume that I have to determine the key during the programming.

Any chance of an answer to this question?

Thanks.

Dick


Top
 Profile  
Reply with quote  
PostPosted: Fri Jan 23, 2009 3:33 pm 
Offline
Yubico Team
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
Hi,

There are inconsistencies with the format of the values of the "YubiKey ID" and "YubiKey AES Key" while entering them to the YMS database.

We will fix this issue in the next release of the Yubico Management Server.

While reprogramming the YubiKey using the Yubico Personalization Tool, if you don’t want to change the original values for the “YubiKey ID” and the “YubiKey AES Key” (configured by Yubico while shipping), you need to get the original YubiKey ID and YubiKey AES Key information from the Yubico Management System (YMS). Please refer to the Yubico website for additional details on retrieving this information.The Yubico Management server provide this information in b64, hex and modhex format.

The Yubico Personalization Tool accepts values for the “YubiKey ID” and the “YubiKey AES Key” in ASCII format. So you have to change the original values retrieved from the Yubico Management Server to the ASCII format before entering them to the Yubico Personalization Tool.

If you want to reprogram your YubiKey with different values for the “YubiKey ID” and the “YubiKey AES Key” using the Yubico Personalization Tool, you need to enter these values in ASCII as the Yubico Personalization Tool accepts values for the “YubiKey ID” and the “YubiKey AES Key” in ASCII format.

If you want to update the reprogrammed values to the Yubico Management Server, you need to change the “YubiKey ID” value to modhex from ASCII and the “YubiKey AES Key” value to base64 from ASCII. Enter the converted modhex value of the YubiKey ID and the base64 value of the YubiKey AES Key to the Yubico Management server.

You can use any of the online conversion tools available to change the format of the values.

We hope this answers your question.

Feel free to write back to us in case you face any problems.


Top
 Profile  
Reply with quote  
PostPosted: Fri Jan 23, 2009 8:14 pm 
Offline

Joined: Sun Jan 11, 2009 4:40 am
Posts: 41
Thanks. I'll give that a try.

This will be a good refresher course in the different ways of representing data. It's been a while since I've had reason to do this, but learning or relearning is always a good thing. :D Fortunately, I've recently retired so I've now got some time to do this.

Regards,

Dick


Top
 Profile  
Reply with quote  
PostPosted: Wed Jan 28, 2009 4:11 pm 
Offline
Yubico Team
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
A new version of Yubico Personalization tool for Windows (Beta) which accepts hex values for YubiKeyID and Yubico AES Key is now available for download. The installer and the user guide can be downloaded from:

http://www.yubico.com/developers/personalization/


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 10 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 6 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group