OK, I have a working new program. I am verifying that the returned OTP is the same as the one submitted; after a while of figuring out how to discern my Yubikey from any old successful "OK" result by checking the first 12 characters, I have gotten it to validate me. Once the returned OTP is correct, the nonce is the same as submitted, the result is OK, etc., then it validates me as successful.
What can protect from someone setting up a localhost web server and just sending out a preset good-looking result which has all the "right" bogus OTP and nonce? Is there some simple hashing-based thing I can do to check? I am not sure about the hashing. There is some basic hashing capability in AutoIt, but I do not know the protocol of what gets hashed and with what algorithm. Is it a concatenation of multiple pieces of data being hashed? Then, in that case, which goes first, etc.? I think that the hash that is returned has got something to do with that API key I received; that is my theory. But I do not know how to make use of it.
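As an added illustration of the check the post is asking about (not code from the poster or from Yubico): in the YubiCloud validation protocol v2.0 the `h` field is an HMAC-SHA1 over every other response field, sorted by name and joined as `key=value&key=value`, keyed with the base64-decoded API key, and the result is base64-encoded. A spoofed localhost server can fabricate a matching OTP, nonce and `status=OK`, but not a matching `h` without the shared key. The API key, OTP and nonce below are constructed sample values, and the response builder stands in for the real server.

```python
import base64
import hashlib
import hmac

# Constructed demo values, not real YubiCloud data.
API_KEY_B64 = "dGhpcyBpcyBhIGRlbW8ga2V5IG9ubHk="           # base64("this is a demo key only")
SENT_OTP = "ccccccbchjkltufeuuhrfuhgdfrecebfubkvbdtievdn"  # 44 modhex chars, made up
SENT_NONCE = "a1b2c3d4e5f6a7b8c9d0e1f2"
MY_PUBLIC_ID = SENT_OTP[:12]                               # first 12 chars identify the key

def sign_response(fields, api_key_b64):
    """HMAC-SHA1 over every field except h, sorted by name and joined as
    key=value&key=value, keyed with the base64-decoded API key (v2.0 protocol)."""
    key = base64.b64decode(api_key_b64)
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "h")
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()

def build_response(fields, api_key_b64):
    """Stand-in for the server: one key=value per line, carrying a valid h."""
    signed = dict(fields, h=sign_response(fields, api_key_b64))
    return "".join(f"{k}={v}\r\n" for k, v in signed.items())

def parse_response(text):
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            k, v = line.strip().split("=", 1)
            fields[k] = v
    return fields

def verify_response(text, api_key_b64, sent_otp, sent_nonce, public_id):
    """Return (accepted, reason). The signature is checked before anything
    else in the response is trusted."""
    f = parse_response(text)
    if "h" not in f:
        return False, "no signature"
    if not hmac.compare_digest(f["h"], sign_response(f, api_key_b64)):
        return False, "bad signature"
    if f.get("status") != "OK":
        return False, f"status {f.get('status')}"
    if f.get("otp") != sent_otp:
        return False, "otp mismatch"
    if f.get("nonce") != sent_nonce:
        return False, "nonce mismatch"
    if f["otp"][:12] != public_id:
        return False, "not my key"
    return True, "ok"

GENUINE = build_response({"t": "2019-01-01T00:00:00Z0000", "otp": SENT_OTP,
                          "nonce": SENT_NONCE, "sl": "100", "status": "OK"}, API_KEY_B64)
# A localhost impostor that echoes the right OTP and nonce but lacks the API key:
FORGED = GENUINE.replace(parse_response(GENUINE)["h"], "AAAAAAAAAAAAAAAAAAAAAAAAAAA=")
```

Any edit to a signed field (for example rewriting `status=REPLAYED_OTP` to `status=OK`) also breaks the signature, so the same check covers both a fake server and a tampered relay.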