Yubico Forum


All times are UTC + 1 hour




Posted: Fri Jan 09, 2009 11:51 pm

Joined: Wed Jan 07, 2009 4:15 am
Posts: 6
I've been reviewing the validation server code, and was curious what the UID (also called SecretID), a 6-byte field in the decrypted OTP, is intended to be used for?

The Validation Server logic does not seem to use it for validation.

Is this something that is unique to each yubikey? Should we store it in our database and use it for yet another validation test, checking to make sure the values match?

Thanks!



Posted: Sat Jan 10, 2009 6:48 pm
Site Admin

Joined: Wed May 28, 2008 7:04 pm
Posts: 263
Location: Yubico base camp in Sweden - Now in Palo Alto
The intended usage is when a collection of Yubikeys share the same AES key.

Assume a case where the public id (fixed part) is set to zero bytes. The OTP is then 128 bits = 32 modhex characters. The server decrypts all keys in the collection using the same AES key and uses the private id (uid) to determine the user's id.

If not used in this context, such as how the Yubico authentication server setting works, the private id (uid) is typically set to a random string. Although not needed, the server application can verify this number.

With the best regards,

JakobE
Hardware- and firmware guy @ Yubico
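
The shared-key lookup described in the reply above, as an added Go example (not part of the original thread and not Yubico's code). The modhex alphabet and the CRC-16 in the last two token bytes come from the published Yubico OTP format rather than from this page; `Identify`, `SampleOTP`, `swap` and the `users` table are hypothetical names, and keys and uids passed in are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"strings"
)

const modhex, hexdig = "cbdefghijklnrtuv", "0123456789abcdef"

// crc16 is CRC-16 (ISO 13239); run over a whole valid token it leaves 0xf0b8.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, x := range b {
		crc ^= uint16(x)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408*(crc&1)
		}
	}
	return crc
}

// swap maps s from alphabet a to alphabet b; unknown characters become 'x'.
func swap(s, a, b string) string {
	return strings.Map(func(r rune) rune { return rune(("x" + b)[strings.IndexRune(a, r)+1]) }, s)
}

// SampleOTP builds a constructed OTP for a 16-byte key and 6-byte uid (counters zeroed).
func SampleOTP(key []byte, uid string) string {
	tok := append([]byte(uid), make([]byte, 16)...)[:16] // uid, then zeroed fields
	crc := ^crc16(tok[:14])
	tok[14], tok[15] = byte(crc), byte(crc>>8) // complemented CRC, little-endian
	c, _ := aes.NewCipher(key)
	c.Encrypt(tok, tok)
	return swap(hex.EncodeToString(tok), hexdig, modhex)
}

// Identify decrypts a 32-character OTP with the shared key and maps its uid to a user.
func Identify(key []byte, users map[string]string, otp string) (string, bool) {
	tok, err := hex.DecodeString(swap(otp, modhex, hexdig))
	if err != nil || len(tok) != 16 || len(key) != 16 {
		return "", false // not 32 modhex characters, or not an AES-128 key
	}
	c, _ := aes.NewCipher(key)
	c.Decrypt(tok, tok)
	if user, ok := users[string(tok[:6])]; ok && crc16(tok) == 0xf0b8 {
		return user, true
	}
	return "", false // wrong key, corrupted OTP, or unknown private id
}
```

Calling `Identify(key, users, SampleOTP(key, uid))` from a `main` or a test shows the round trip. A production validator would also track the usage and session counters in the token to reject replayed OTPs.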


Posted: Mon Jan 19, 2009 12:16 am

Joined: Wed Jan 07, 2009 4:15 am
Posts: 6
Thanks, Jakob.

We've decided to use the internal UID as an extra authentication check.

Never thought to use common AES keys... probably more of a security risk that way, since getting your hands on the key then lets you crack multiple hardware keys, but an interesting idea nonetheless.

