Yubico Forum

We received this question in e-mail:



The answer is that with firmware 1.3.0 each particular yubikey can be programmed to work in either static OTP mode, or in "normal" OTP mode. The yubikey doesn't know which site you visit, and in particular whether it supports real OTPs or not, so you can't use the same yubikey for both static OTPs and for normal OTPs. You can however use two different yubikeys, one that is static and works against all pre-yubikey-ified sites, and one dynamic that works against sites that call out to a server.

If an authentication server knows the AES key in your yubikey, it will be able to decrypt even static OTPs. However, the plaintext fields will be fixed (0xFF) so a normal server would reply REPLAYED_OTP after the first use. Servers could detect that the OTP is a static one and return a special error code, but we haven't seen a need for this yet.

I hope this answers the question.

/Simon

can the mode be switched after it is initally programmed? (from OTP to random and back)

I am also wondering about this. Static OTP could be very useful in quite a few cases.

Please see here:

viewtopic.php?f=2&t=133&p=430#p430

Cheers

_________________
The YubiKey Server Guy

hi, i've been reading a bit about converting a 1.3 version key to STATIC passwd but my key is a version 1.1 key.

can i download a utility to upgrade my key? thanks in advance,

george

okay, i bought another key, a 1.3 firmware unit, and now have personalized it and changed the ykFlagProperty->ykFLAG_STATIC_TICKET per the instructions here: viewtopic.php?f=2&t=133&p=430#p430

i notice 2 changes in behavior for the yubikey. 1) the generated passwd is 32 chars instead of the original 44 and 2) the new static passwd doesn't have a CR appended to it (at least in my testing using notepad and textedit on my mac).

is this correct behavior? thanks in advance, george

A series of relevant questions - we should have provided more primers on how to configure Yubikeys using our Windows configuration API. I'll return in this matter in a separate thread later on, but just a few initial points:

Pro primo - Remember that using the configuration API destroys the pre-configured static ID and the AES key. After a programming operation, the key won't work against our authentication server any more.

Pro secundo - remember that the code provided with the configuration component is sample code only. The plan was to make the code as clean as possible in order to describe the concept rather than messing it down with lots of logic. We'll provide a more polished "production like" app soon.

Pro tertio - Don't be concerned that people will be able to sabotage Yubikeys using the configuration component. Keys used in a production environment are usually provided with the configuration lock set.

Pro quarto - Don't forget the YubiKey Integrators' Guide PDF provided together with the component describing the overall programming model.


Now, let's go over to the question itself

The configuration component works by the means of properties, which all are blank or false or by default. The default state can be restored with the ykClear method.

Calling ykProgram without setting any of the parameter "kills" the Yubikey and puts it into unconfigured state. This is indicated by the Yubikey LED flashing shortly every three seconds. Programming a valid configuration restores the LED to steady green.

The OTP part is 128 bits = 16 bytes = 32 modhex characters and that one is always sent. This means that if no static ID is set, only 32 characters will be sent. Our evaulation keys are programmed with a 6 byte static ID = 12 modhex characters. Together with the OTP, this equals 32 + 12 = 44 characters. The evaulation keys further have the ykFLAG_APPEND_CR flag set, which means that a trailing CR will be sent.

In order to configure a static OTP key with output in line with the evaulation keys, the following steps should be performed

ykClear
ykStaticID = "010203040506"
ykFlagProperty(ykFLAG_APPEND_CR) = True
ykFlagProperty(ykFLAG_STATIC_TICKET) = True
ykProgram

The Yubikey shall now yield a 44 character static OTP which is cbcdcecfcgchncejelrjvjvvciclerknrlihnteljrcb


Hope this sorts out the open questions

Regards,

JakobE
Hardware- and firmware guy @ Yubico