Yubico Forum
https://forum.yubico.com/

[Solved] PIV access interrupted during mgm-key reset
https://forum.yubico.com/viewtopic.php?f=26&t=1649
Page 1 of 1

Author:  asym [ Fri Dec 05, 2014 1:31 am ]
Post subject:  [Solved] PIV access interrupted during mgm-key reset

I have a VM set up for provisioning Yubikey NEO-n that are all in CCID-only mode (-m81:15:60). During the provisioning process, the token was removed from the VM (logically) due to the timeout previously specified by ykpersonalize auto-eject timer of 60 seconds.

The issue is that the final command executed was

yubico-piv-tool -v -a set-mgm-key -k <keyvalue>

which outputted its success message, but seems to have not completely committed the key change. The result is that the default 010203... key as well as the key specified in the command both result in "Failed authentication with the applet." At this point, no privileged operation can be performed (verifying pin, changing puk, resetting applet) since the management keys supplied appear not to match that expected by the token.

My question is: is my token hosed? Is there a method to hard reset the token? I don't care about the content of it at this point, just the reuse of the hardware.

Author:  darco [ Fri Dec 05, 2014 8:58 pm ]
Post subject:  Re: [Question] PIV access interrupted during mgm-key reset

EDIT: Argh, I should read better...

Did you try locking up the applet by using bogus pins first before trying a reset?

Code:
yubico-piv-tool -a verify-pin -P 4711
yubico-piv-tool -a verify-pin -P 4711
yubico-piv-tool -a verify-pin -P 4711
yubico-piv-tool -a verify-pin -P 4711
yubico-piv-tool -a change-puk -P 4711 -N 67567
yubico-piv-tool -a change-puk -P 4711 -N 67567
yubico-piv-tool -a change-puk -P 4711 -N 67567
yubico-piv-tool -a change-puk -P 4711 -N 67567
yubico-piv-tool -a reset


Not sure if the reset command requires the management key or not.

Author:  asym [ Sat Dec 06, 2014 2:10 am ]
Post subject:  Re: [Question] PIV access interrupted during mgm-key reset

Yeah, the yubico-piv-tool implicitly invokes the default management key if none is provided. You'll get a feel for just how many operations require the symmetric key once you change it and try to manage the token after the fact.

After tinkering with the token some more, it appears completely locked out of the CCID mode since it can't authenticate with the applet. The reset instructions from the manual all direct the user to lock the PIN/PUK, which I can't even get to. All other modes work as intended, and I can even still manage CCID reader timeouts, but unfortunately, I'm still stuck trying to recover the use of the hardware itself.

As an aside, if people are recovering from this just using the documented PIN/PUK blocking, it sounds like they're not even resetting the management key from the published default value, which is more than a little alarming if they're using them in security-relevant applications.

Author:  Tom [ Mon Dec 08, 2014 11:04 am ]
Post subject:  Re: [Question] PIV access interrupted during mgm-key reset

Hello,

Asym, good post. Please use the latest-version of the PIV-TOOLS https://developers.yubico.com/yubico-piv-tool/ the problem you described should be fixed.

Let me know the outcome please.

Tom.

Author:  asym [ Mon Dec 08, 2014 8:26 pm ]
Post subject:  Re: [Question] PIV access interrupted during mgm-key reset

Running version 0.1.2 of yubico-piv-tool did the trick. If I were to venture a guess, it appears that the verify-pin and change-puk operations were modified not to require the passing of the management key since all attempts to validate the key (default or my supposedly newly installed one) for other privileged operations still failed. This let me block the PIN and PUK and successfully reset the applet. Thanks for the expedient resolution.

Any word on the turnaround window between version updates for this tool and its updated formula on homebrew by any chance?

Also, verbose mode for verify-pin now outputs twice to CLI, but change-puk seems fine :)

Page 1 of 1 All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/