Yubico Forum

PostPosted: Sat Jun 14, 2008 2:02 pm 
Has anyone else noticed that when testing the web clients (so far, for me, the PHP and C ones) you can supply any user ID number, not just the one genned for your key?

For instance when testing the C client - I can run the supplied compiled C program with the following:

YubicoClient 125 (press Yubikey here) - and it will reply with a pass.
----------------------------
* OTP verified OK
* Last response: t=2008-06-15T20:14:22Z0438
status=OK
----------------------------

You can do this with any number - as long as the web api has genned it online.

Am I mistaken, or should it only work for my individual key?
(i.e. I have to use 139, because my key was genned with the "online API key generator" and it displayed 139)

thanks

PostPosted: Sat Jun 14, 2008 11:29 pm 
The unchanging user ID number is only used as a convenient way to identify a Yubikey without having to know the private ID or the AES key. You could, for example, use it to look up the AES key in a database, and then decode the rest of the one-time-password. Then, using the database again, you could check the OTP's private ID with the one you stored in the database.

If someone were to spoof your public user ID, they still wouldn't know the correct private ID or AES key.
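The lookup-then-decrypt check described in the reply above, as an added example written for this page in Go; it is not code from the forum, from the PHP or C web clients, or from Yubico's libraries. It follows the published Yubico OTP layout (a modhex public ID in front of one AES-128 block holding the private ID, counters, timestamp, random bytes and a CRC-16 whose residue over an intact block is 0xf0b8). Everything else is an assumption made for the demonstration: the key material, the public and private IDs, the map standing in for the database, a replay rule that only requires the counters to advance, and a generateOTP routine that emulates the key so the check has something to consume.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strings"
)

const modhexAlphabet = "cbdefghijklnrtuv" // the 16 keyboard-layout-independent symbols a YubiKey types, nibbles 0..15

func modhexEncode(b []byte) string {
	out := make([]byte, 0, 2*len(b))
	for _, x := range b {
		out = append(out, modhexAlphabet[x>>4], modhexAlphabet[x&0x0f])
	}
	return string(out)
}

// crc16 is the ISO 13239 CRC inside the token (reflected poly 0x8408, init 0xffff,
// no final xor). Over all 16 bytes of an intact token it yields the residue 0xf0b8.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, x := range b {
		crc ^= uint16(x)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ (0x8408 & -(crc & 1)) // apply the polynomial when the low bit is set
		}
	}
	return crc
}

// keyRecord is what the validating side keeps per public ID (the thread's "user ID number").
type keyRecord struct {
	AESKey    [16]byte
	PrivateID [6]byte
	UseCtr    uint16 // power-up counter of the last accepted OTP
	SessCtr   uint8  // press counter within that session of the last accepted OTP
}

// buildToken lays out the 16-byte plaintext a key encrypts:
// private ID(6) | use ctr(2 LE) | timestamp(3 LE) | session ctr(1) | random(2) | ~CRC(2 LE).
func buildToken(priv [6]byte, useCtr uint16, tstp uint32, sessCtr uint8, rnd uint16) [16]byte {
	var t [16]byte
	copy(t[0:6], priv[:])
	binary.LittleEndian.PutUint16(t[6:8], useCtr)
	t[8], t[9], t[10], t[11] = byte(tstp), byte(tstp>>8), byte(tstp>>16), sessCtr
	binary.LittleEndian.PutUint16(t[12:14], rnd)
	binary.LittleEndian.PutUint16(t[14:16], ^crc16(t[:14]))
	return t
}

// generateOTP emulates a key for the demonstration: AES-128 over the block, modhex, public ID in front.
func generateOTP(publicID []byte, key [16]byte, tok [16]byte) string {
	c, _ := aes.NewCipher(key[:]) // 16-byte key: cannot fail
	var ct [16]byte
	c.Encrypt(ct[:], tok[:])
	return modhexEncode(publicID) + modhexEncode(ct[:])
}

// verifyOTP is the validating side: the public ID only selects the AES key; CRC, private ID and counters decide.
func verifyOTP(db map[string]*keyRecord, otp string) error {
	if n := len(otp); n < 32 || n > 48 || n%2 != 0 || strings.Trim(otp, modhexAlphabet) != "" {
		return fmt.Errorf("otp: bad length or non-modhex symbol")
	}
	rec, ok := db[otp[:len(otp)-32]]
	if !ok {
		return fmt.Errorf("otp: unknown public ID %q", otp[:len(otp)-32])
	}
	body := otp[len(otp)-32:] // the encrypted block, already validated as modhex
	var ct, pt [16]byte
	for i := range ct {
		ct[i] = byte(strings.IndexByte(modhexAlphabet, body[2*i])<<4 | strings.IndexByte(modhexAlphabet, body[2*i+1]))
	}
	c, _ := aes.NewCipher(rec.AESKey[:])
	c.Decrypt(pt[:], ct[:])
	if crc16(pt[:]) != 0xf0b8 {
		return fmt.Errorf("otp: bad CRC (wrong AES key for this public ID, or corrupted OTP)")
	}
	if subtle.ConstantTimeCompare(pt[0:6], rec.PrivateID[:]) != 1 {
		return fmt.Errorf("otp: private ID mismatch")
	}
	useCtr, sessCtr := binary.LittleEndian.Uint16(pt[6:8]), pt[11]
	if useCtr < rec.UseCtr || (useCtr == rec.UseCtr && sessCtr <= rec.SessCtr) {
		return fmt.Errorf("otp: replayed (counters did not advance)")
	}
	rec.UseCtr, rec.SessCtr = useCtr, sessCtr
	return nil
}

func main() {
	key := [16]byte{0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f} // constructed, not real key material
	priv, pub := [6]byte{0xde, 0xad, 0xbe, 0xef, 0x00, 0x01}, []byte{1, 2, 3, 4, 5, 6}
	db := map[string]*keyRecord{modhexEncode(pub): {AESKey: key, PrivateID: priv}}
	otp := generateOTP(pub, key, buildToken(priv, 1, 0x1234, 0, 0x5678))
	fmt.Println(otp, "| first use:", verifyOTP(db, otp), "| replay:", verifyOTP(db, otp)) // <nil>, then a replay error
}
```

Anyone can type any public ID, as the question observes, but that only picks which AES key the verifier tries. An OTP produced under some other key decrypts to a random block whose CRC fails (roughly one chance in 65536 of passing), and even then the private ID has to match; the counter check then rejects a captured OTP when it is replayed. The AES key itself never leaves the verifier, which is the whole reason the public ID is sent in the clear.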

PostPosted: Mon Jun 16, 2008 12:00 am 
Site Admin
You are right that you can use any existing client id -- however, to verify the signature, you'll need the secret HMAC key that only the "real" client id holder would know.

/Simon
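The client-side signature Simon refers to, as an added example in Go written for this page; it is not Yubico's validation server or client code. It follows the signing rule of Yubico's Validation Protocol version 2.0 (parameters sorted by name, rendered as k=v pairs joined by '&', HMAC-SHA1 under the client's secret, base64), which postdates the 2008 API discussed in this thread, so the exact wire format is an assumption; the client secrets, OTP and nonce are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// Per-client shared secrets keyed by client id. The validation service issues the
// secret together with the id, and only the service and that one client hold it.
// These are constructed values for the example, not real API keys.
var clientSecrets = map[string][]byte{
	"125": []byte("constructed-secret-for-client-125"),
	"139": []byte("constructed-secret-for-client-139"),
}

// canonical renders every parameter except the signature itself as k=v pairs,
// sorted by key and joined with '&': exactly the bytes that get MACed.
func canonical(params map[string]string) string {
	keys := make([]string, 0, len(params))
	for k := range params {
		if k != "h" {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	parts := make([]string, len(keys))
	for i, k := range keys {
		parts[i] = k + "=" + params[k]
	}
	return strings.Join(parts, "&")
}

// sign computes h = base64(HMAC-SHA1(secret, canonical(params))).
func sign(params map[string]string, secret []byte) string {
	mac := hmac.New(sha1.New, secret)
	mac.Write([]byte(canonical(params)))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// signedMessage renders params plus their signature: sep is "&" for a request
// query string and "\n" for a response body. (A real client would also
// URL-encode h, whose base64 can contain '+', '/' and '='.)
func signedMessage(params map[string]string, secret []byte, sep string) string {
	return "h=" + sign(params, secret) + sep + strings.ReplaceAll(canonical(params), "&", sep)
}

// parseMessage reads k=v fields separated by '&' or newlines; values are
// modhex, hex, base64 or timestamps, so they never contain either separator.
func parseMessage(msg string) map[string]string {
	p := map[string]string{}
	for _, f := range strings.FieldsFunc(msg, func(r rune) bool { return r == '&' || r == '\n' || r == '\r' }) {
		if kv := strings.SplitN(f, "=", 2); len(kv) == 2 {
			p[kv[0]] = kv[1]
		}
	}
	return p
}

// verifyMessage recomputes h under the given secret and compares in constant time.
func verifyMessage(msg string, secret []byte) bool {
	p := parseMessage(msg)
	return hmac.Equal([]byte(p["h"]), []byte(sign(p, secret)))
}

// checkRequest is the service side: the id in the request is only a lookup key,
// and h must verify under that id's secret. Naming someone else's id is therefore
// harmless unless you also hold their secret.
func checkRequest(query string) error {
	p := parseMessage(query)
	secret, ok := clientSecrets[p["id"]]
	if !ok {
		return fmt.Errorf("unknown client id %q", p["id"])
	}
	if !verifyMessage(query, secret) {
		return fmt.Errorf("signature does not verify under the secret of client id %s", p["id"])
	}
	return nil
}

func main() {
	// Constructed request: a 44-symbol modhex OTP and a client nonce.
	req := map[string]string{"id": "125", "otp": strings.Repeat("c", 44), "nonce": "0123456789abcdef"}
	fmt.Println("id 125 signed with 139's secret:", checkRequest(signedMessage(req, clientSecrets["139"], "&")))
	fmt.Println("id 125 signed with 125's secret:", checkRequest(signedMessage(req, clientSecrets["125"], "&")))
}
```

Changing id=139 to id=125 in a request gains nothing: the service looks up 125's secret and the HMAC no longer verifies. The same function covers the other direction, where the client checks h on the response under its own secret; in protocol 2.0 the client also confirms that the echoed otp and nonce are the ones it sent, so an answer cannot be substituted from another request.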
