Yubico Forum

Hi,

I have just received my Yubikeys and am struggling with the static password. I want to use the OTP but have to wait for my password manager 1Password to become compliant.
I am on a Mac and have the Leveldown software to program the 2nd config slot. When I use a key phrase to generate an AES key then it gives me a random hex string. When I use the YK to enter the text into a texteditor it only gives me a 32 character string.
1) How do I get it to give me a longer string?
2) I have enabled upper and lower case characters as well as mixing other characters but I always get the few digits and uppercase chars at the beginning and the rest lower case (eg 6V3Jjldgrbgjdfndgekvgkdvvdvlugvn) is there a flaw in the key creation?
3) When I copy the Hex key from the bottom of the config utility and paste it into an online Hex converter it does not give me the same Asci string as the YK does. What am I missing.
4) If I want to manually enter a really huge string as my static password how do I go about this. If I choose the option to enter AES key myself then it never lets me enter anything.

I am rather afraid to change my 1password master password to a yubikey static password without understanding this.

Kev

Please find the answers to your questions as follows:

1) How do I get it to give me a longer string?

Answer: Using the MAC Personalization tool, you can reprogram your YubiKey to emit up to 48 characters static password. Whenever the YubiKey button is pressed, it generate 32 character OTP based on various parameters. For more information about OTP generation, please visit the following link:

http://www.yubico.com/files/Security_Ev ... -09-09.pdf

While emitting, a static public ID is attached at the beginning of the OTP resulting in the OTP string containing 32 characters OTP + static public ID.

If YubiKey is reprogrammed in static password mode, the 32 characters OTP is always remains same. The total number of characters emitted by the YubiKey is then depends on the length of the static public ID. If YubiKey is reprogrammed with no public ID, it will emit 32 characters password. If YubiKey is reprogrammed with public ID of 4 characters, it will emit 36 characters password and so on.

The MAC personalization tool allows maximum 16 characters public ID, hence a YubiKey configured with MAC personalization tool can emit up to maximum of 48 characters static password.

2) I have enabled upper and lower case characters as well as mixing other characters but I always get the few digits and uppercase chars at the beginning and the rest lower case (eg 6V3Jjldgrbgjdfndgekvgkdvvdvlugvn) is there a flaw in the key creation?

Answer: The YubiKey is designed to emit the upper and lower case characters for the first few characters of the OTP. For more information, please refer to section "5.4 Specify output parameters" of YubiKey Configuration Manual available for download from the following link:

http://www.yubico.com/files/YubiKey_Con ... -12-03.pdf

3) When I copy the Hex key from the bottom of the config utility and paste it into an online Hex converter it does not give me the same Asci string as the YK does. What am I missing.

Answer: Please note that the OTP emitted form the YubiKey is in the form of Mod-Hex characters. Mod-Hex character encoding is designed by Yubico to allow the YubiKey to be used with different Keyboard layouts.

The Hex key displayed at the bottom of the MAC personalization tool is the AES Key used for reprogramming the YubiKey. Please note that the OTP generated as a result of an encryption function involving the AES key and YubiKey parameters and the OTP is in Mod-Hex characters while AES Key is in hex encoded characters, hence they will not match.

4) If I want to manually enter a really huge string as my static password how do I go about this. If I choose the option to enter AES key myself then it never lets me enter anything.

Answer: The MAC personalization tool does not provide this feature. However, the Windows based YubiKey configuration utility provides a feature called "scan code mode" where you can reprogram the YubiKey to emit your own password of up to 16 characters.

We hope this helps!

You may want to check out LastPass, it is already YubiKey OTP compliant, Mac compatible, and will import your 1Password data. I use my YubiKey OTP first slot for LastPass and my second, static slot for offline logins of things like TruCrypt, in conjunction with a memorized password.

@Samir
Thanks very much for the explanation - it makes better sense now (interestingly when I do add a public ID it adds a string of c's to the first half of the generated key)
Thanks also for explaining about the hex algorithm
It is a shame that the Mac tool is less accomplished than the windows tool - hopefully yubico will do something about this soon.

Why does the scan code mode only allow a 16 character password and not the full 32, or 48 or whatever?
Will the Mac version enable this soon?

@Bryan53
Thanks for the heads up about lastpass. I was aware of it but all the screenshots are on Windows and I would really like a proper Cocoa based mac app! I also really like 1Password and the developers so want to keep on supporting them.

Thanks for your help

Leveldown, an IT-company based in Germany, was kind enough to develop the YubiKey configuration tool for Mac OS X (>10.5) and provide it as a free software to Yubico community.

Updating the personalization tools on various platforms is on Yubico's road map. However, currently we're focusing our resources on developing the YubiKey and the mainstream eco-system.