Yubico Forum


All times are UTC + 1 hour




Posted: Fri May 08, 2009 6:19 pm

Joined: Thu May 07, 2009 12:11 am
Posts: 3
A couple of weeks ago I "bricked" my Yubikey by trying to change its mode to static password mode. It was an old, pre "September 08" key, which did not support this feature.

I tried to post to this forum via forum@yubico.com in order to ask for help, but Yubico came back to me and they sent me a new key which arrived this week.

So now I'm able to log into YMS, where I can see the two keys which I have. I was able to retrieve the TokenID and AES Secret Key of the bricked key, and I used the YKConfigTest.exe MFC Application of the v1.3.16 SDK to input them into the old key.

Now the bricked key is outputting the same TokenID it used to output before I bricked it, which feels quite good, but no matter what, I'm still unable to validate against the Yubico servers.

I reset the counter on the YMS for that key to 0, to see if that would change the situation, but to no avail.

I've also tried to use the "Add New Yubikeys" section and insert a randomly generated tokenID and AES Secret, but there I do only get an "Enter the Yubikey token ID or OTP" warning when submitting the data. I'd like to know how I could use that section in the context of my current problem and why I'm getting that warning.

Any help in allowing my key to validate against Yubico servers is highly appreciated.

Thanks in advance,
Daniel


Posted: Sun May 10, 2009 10:10 am

Joined: Mon Jun 09, 2008 6:12 pm
Posts: 19
I learned of this issue the hard way as well. Fortunately, I had a few outputted tokens from my email requests for the aes secret, before they implemented yms.

As it turns out, they have now begun validating the originally programmed secret ID in the keys, and if it doesn't match, you get a "Back End" error. If you have recorded at least one token from back before you first programmed your yubikey that is now bricked, you will need to decrypt that token to extract the secret ID from it.

Also, the MFC build of the yubikey programming tool does not allow you to reprogram your secret ID. Use the VB version instead. For that version, ykCurPWD and ykNewPWD should be set to your current password, if you intend to set one, or left blank if you haven't set one. ykStaticID is the public ID you retrieved from yms. ykUID is the field that they have begun validating, and is what you need to extract from one of the originally issued tokens prior to the bricked key's first programming. ykKey is the aes key from yms.

ykProperty flags, select each one from the drop down box. Factory default of each flag is false, except for yk_FLAG_APPEND_CR. This means select each yk_FLAG, click the false radio button, then click ykFlagProperty button, for each flag. (other than yk_FLAG_APPEND_CR, where you want to click the true radio button instead.)

Once everything has been set, click ykProgram.

Hopefully someone will implement changing the secret ID, in yms, or at the least allow that value to be retrieved along with the aes key and public id, or allow the user to disable validation of that value, on a case by case basis from within yms.


Posted: Sat May 16, 2009 8:55 pm

Joined: Thu May 07, 2009 12:11 am
Posts: 3
Thanks caitsith6502.

I'm a bit confused. So you say that in addition to the data provided by Yubico in the yms - the "TokenID" (ykStaticID = device static identity) and the "AES Secret Key" (ykKey = device AES key) -, I need an additional one, which is the ykUID (device UID)? If that's needed, why wouldn't Yubico provide that data in the yms?

I have 3 valid tokens from the time before I bricked the key, so I should be able to decode the ykUID. I just haven't got a clue on how to do this. Is there a tool available? I found nothing in the forum. Any help would be greatly appreciated.

And yes, when I try to log into the OpenID service I get an "Authentication failure: BACKEND_ERROR" error.

Kind regards,
Daniel


Posted: Tue May 19, 2009 11:06 am
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
The "libyubikey" project provides a command line utility called "ykdebug" which can be used for parsing the OTP and to get all the counters and parameter values.

For more information, please visit the following link:

http://code.google.com/p/yubico-c/


Posted: Tue May 19, 2009 12:08 pm

Joined: Thu May 07, 2009 12:11 am
Posts: 3
Thanks a lot to both of you. It worked :)

