Yubico Forum
https://forum.yubico.com/

[BUG] HMAC-SHA1 Challenge-Response with 3.3 NEOs
https://forum.yubico.com/viewtopic.php?f=26&t=1571

Author:  flooded [ Sun Nov 02, 2014 10:46 am ]
Post subject:  [BUG] HMAC-SHA1 Challenge-Response with 3.3 NEOs

I recently purchased a YubiKey NEO to add hardware 2FA when logging in to Password Safe on my PC and Android phone. This NEO was error prone anytime I tried to use HMAC-SHA1 Challenge-Response when user input was required. In Password Safe when I attempted to add YubiKey 2FA to my safe combination this would cause the YubiKey LED to begin flashing endlessly while giving me the error 'No response from YubiKey'. Whenever I attempted to test HMAC-SHA1 Challenge-Response within Personalization Tool it would give me a response but the following would occur:

1) The YubiKey LED began blinking endlessly.
2) It changed the firmware version to something like 14.244.194 within the Personalization Tool each time I attempted to get a response, and 'Unknown firmware' would display where it usually states 'YubiKey is inserted'.
3) It alternated between saying 'Slot 1 configured' and 'Slot 2 configured' under 'Programming status' each time I attempted to get a response.

Yubico Support were very helpful. They RMA'd the device immediately, which I returned to them for testing, and provided me with a code for a free replacement. I subsequently received a follow-up email from Alvin at Yubico Support stating:

Quote:
We can confirm the endless blinking - it seems this might be related to a fault in our firmware. Our engineers are taking a closer look at it now...As for the codes you see, they are manifested as part of the Yubico OTP credential which is preprogrammed into the first slot of your YubiKey.

Two weeks later I received a second NEO only to discover that it too suffered from the exact same behavior. After contacting Yubico Support again to report this issue I received the following reply:

Quote:
Thank you for contacting Yubico Support. We apologize for the inconvenience. After some additional testing, our QA team has determined that the 3.3 firmware NEOs aren't working with Password Safe. The HMAC-SHA1 Challenge Response works on instances where user input is not required (Windows Login Tool), but not when user input is required. All previous versions of the firmware supported user input, and we'll get this fixed for the next firmware release. I've initiated a refund with our Orders department. They will contact you shortly. Please feel free to keep the device due to the inconvenience this has caused you.

Since YubiKey firmware upgrades are not offered for security reasons, this issue will permanently affect all NEOs with 3.3 firmware, as confirmed in a further email I received from Yubico Support:

Quote:
HMAC-SHA1 Challenge Response that is configured to require user input will not work on Firmware 3.3 NEO devices.

I am very happy with the support I've received from Yubico. I've received a free YubiKey NEO that works in every circumstance but the above mentioned one. I'm lucky that the NEO is such a great piece of hardware with plenty of uses, so it's definitely going to still see a lot of use. I'm currently using it for 2FA on my Android device with Yubico Authenticator and I will likely purchase a NANO for use with Password Safe on my desktop with another NEO for my phone once new firmware has been released.

I was surprised that I couldn't find this issue reported anywhere. Is there a 'Known Issues' thread that I've missed?


Edited to add [BUG] to subject line as per forum guidelines.

Author:  michaelk [ Mon Nov 03, 2014 4:04 am ]
Post subject:  Re: [BUG] HMAC-SHA1 Challenge-Response with 3.3 NEOs

Thanks for posting.

I have an older NEO that works with Password Safe fine.

I just bought two new ones for U2F and they just don't play nice with Password Safe. I mentioned it in another thread here but there was no response. I guess I need to contact support to see what they say...

Author:  mattsvensson [ Wed Nov 26, 2014 10:34 pm ]
Post subject:  Re: [BUG] HMAC-SHA1 Challenge-Response with 3.3 NEOs

Thanks! I was having the same problem and wondered why the firmware was showing up like that. I changed mine from button press to no button press and it fixed that issue.

Though, the Logon Administrator is still not seeing the key as being configured. Not sure if it is another 3.3 bug.

Author:  Tom [ Thu Nov 27, 2014 2:28 pm ]
Post subject:  Re: [BUG] HMAC-SHA1 Challenge-Response with 3.3 NEOs

Contact Password Safe; they should have an updated release of their software.

Author:  FS1 [ Tue Feb 10, 2015 8:37 pm ]
Post subject:  Re: [BUG] HMAC-SHA1 Challenge-Response with 3.3 NEOs

Hmm, I didn't get it yet :)

Is there a bug in FW 3.3 of the NEO that affects usage with PasswordSafe or not?

From the initial post it sounds like a bug in the firmware, but later it sounds like an issue in PasswordSafe. Or did the PasswordSafe guys integrate a workaround for a bug? I'm somewhat confused :)

Author:  Tom2 [ Fri Feb 13, 2015 2:44 pm ]
Post subject:  Re: [BUG] HMAC-SHA1 Challenge-Response with 3.3 NEOs

Both of them.

If you have one of the few YubiKeys with the firmware bug, please submit a warranty replacement at yubi.co/support.

If you have the old version of Password Safe, please get the new one.

Author:  FS1 [ Sun Feb 15, 2015 11:56 pm ]
Post subject:  Re: [BUG] HMAC-SHA1 Challenge-Response with 3.3 NEOs

I don't have one yet, but does this mean it's better to wait for 3.4 firmware, or is it already fixed in 3.3? And how could I be sure not to buy a 3.3 NEO that is affected when the firmware version is the same?

Author:  Tom2 [ Tue Feb 17, 2015 10:39 am ]
Post subject:  Re: [BUG] HMAC-SHA1 Challenge-Response with 3.3 NEOs

YubiKeys sold now are not affected by that bug anymore.

3.3.4 2014-11-21

* fixes challenge-response with button

All times are UTC + 1 hour