Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 5:41 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 5 posts ] 
Author Message
PostPosted: Fri May 08, 2009 6:19 pm 
Offline

Joined: Thu May 07, 2009 12:11 am
Posts: 3
A couple of weeks ago I "bricked" my Yubikey by trying to change it's mode to static password mode. It was an old, pre "September 08" key, which did not support this feature.

I tried to post to this forum via forum@yubico.com in order to ask for help, but Yubico came back to me and they sent me a new key which arrived this week.

So now I'm able to log into YMS, where I can see the two keys which I have. I was able to retrieve the TokenID and AES Secret Key of the bricked key, and I used the YKConfigTest.exe MFC Application of the v1.3.16 SDK to input them into the old key.

Now the bricked key is ouputting the same TokenID it used to output before I bricked it, which feels quite good, but no matter what, I'm still unable to validate agains the Yubico servers.

I resetted the counter on the YMS for that key to 0, to see if that would change the situation, but to no avail.

I've also tried to use the "Add New Yubikeys" section and insert a randomly generated tokenID and AES Secret, but there I do only get a "Enter the Yubikey token ID or OTP" warning when submitting the data. I'd like to know how I could use that section in the context of my current problem and why I'm getting that warning.

Any help in allowing my key to validate against Yubico servers is highly appreciated.

Thanks in advance,
Daniel


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Sun May 10, 2009 10:10 am 
Offline

Joined: Mon Jun 09, 2008 6:12 pm
Posts: 19
I learned of this issue the hard way as well. Fortunately, I had a few outputted tokens from my email requests for the aes secret, before they implemented yms.

As it turns out, they have now begun validating the originally programmed secret ID in the keys, and if it doesn't match, you get a "Back End" error. If you have recorded at least one token from back before you first programmed your yubikey that is now bricked, you will need to decrypt that token to extract the secret ID from it.

Also, the MFC build of the yubikey programming tool does not allow you to reprogram your secret ID. Use the VB version instead. For that version, ykCurPWD and ykNewPWD should be set to your current password, if you intend to set one, or left blank if you haven't set one. ykStaticID is the public ID you retrieved from yms. ykUID is the field that they have begun validating, and is what you need to extract from one of the originally issued tokens prior to the bricked key's first programming. ykKey is the aes key from yms.

ykProperty flags, select each one from the drop down box. Factory default of each flag is false, except for yk_FLAG_APPEND_CR. THis means select each yk_FLAG, click the false radio button, then click ykFlagProperty button, for each flag. (other than yk_FLAG_APPEND_CR, where you want to click the true radio button instead.)

Once everthing has been set, click ykProgram.

Hopefully someone will implement changing the secret ID, in yms, or at the least allow that value to be retrieved along with the aes key and public id, or allow the user to disable validation of that value, on a case by case basis from within yms.


Top
 Profile  
Reply with quote  
PostPosted: Sat May 16, 2009 8:55 pm 
Offline

Joined: Thu May 07, 2009 12:11 am
Posts: 3
Thanks caitsith6502.

I'm a bit confused. So you say that in addition to the data provided by Yubico in the yms - the "TokenID" (ykStaticID = device static identity) and the "AES Secret Key" (ykKey = device AES key) -, I need an additional, which is the ykUID (device UID)? If that's needed, why wouldn't Yubico provide that data in the yms?

I have 3 valid tokens from the time before I bricked the key, so I should be able to decode the ykUID. I just haven't got a clue on how to do this. Is there a tool avaliable? I found nothing in the forum. Any help would be greatly appreciated.

And yes, when I try to log into the OpenID service I get a "Authentication failure: BACKEND_ERROR" error.

Kind regards,
Daniel


Top
 Profile  
Reply with quote  
PostPosted: Tue May 19, 2009 11:06 am 
Offline
Yubico Team
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
The "libyubikey" project provides a command line utility called "ykdebug" which can be used for parsing the OTP and to get all the counters and parameter values.

For more information, please visit the following link:

http://code.google.com/p/yubico-c/


Top
 Profile  
Reply with quote  
PostPosted: Tue May 19, 2009 12:08 pm 
Offline

Joined: Thu May 07, 2009 12:11 am
Posts: 3
Thanks a lot to both of you. It worked :)


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 5 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: Heise IT-Markt [Crawler] and 4 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group