Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 11:54 am

All times are UTC + 1 hour




Post new topic Reply to topic  [ 4 posts ] 
Author Message
 Post subject: Logic of yubikey
PostPosted: Tue Feb 07, 2012 8:33 pm 
Offline

Joined: Tue Feb 07, 2012 8:15 pm
Posts: 2
Dear Sir or Madam,

i am very new on yubikey, and i am not sure if i have understand the concept of yubikey correctly.
- At first of all i have create an API-Key with my yubikey
- After this, i upload my yubikey config to the yubikey-cloudserver

Now my simple questions:
1. What is the function of the client and secret key?
If i use the demos with my key there are default client id und default secret key, and this works with my yubikey
If i understand it correctly this client id and secret key is for authenticate the application, isn't it? So if i use wrong informations here the yubikey server do not accept the request?
2. If i use the yubicloud for authentification, the yubikey have to register at this cloud, otherwise i use a own yubikey-server?
So every user which want to use the yubikey (web-application) have to register the key at the cloud.

I know there are a lot of questions in this post, but i hope this questions are easy for all yubikey professionals and no one are angry with me and my stupid questions.

Kind regards.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

 Post subject: Re: Logic of yubikey
PostPosted: Wed Feb 08, 2012 3:29 am 
Offline

Joined: Sat Jan 14, 2012 3:05 am
Posts: 7
The YubiKey's ship with a key already active with the Yubico authentication servers (YubiCloud). When accessing a site/service that authenticates against the YubiCloud, all you need to do is register your Yubikey to your account. For example, the built in key can be used successfully with the Yubico site/forum, LastPass, Passpack (I believe) and other services w/o having to do any personalizing to the YubiKey. If you personalize with a OTP, you can register this with the YubiCloud (or alternate authentication service).

Question #1: I am not sure what you are referring to by "client" -- if you are referring to the public identity -- this allows services to link your YubiKey to an account (without knowing the encrypted part of the key). The secret key is another method for the authentication server to validate that the key is valid.

For an authentication attempt to be valid (using the standard OTP), the public ID needs to match (to be associated with a given account), the encrypted portion needs to successfully decrypt and validate (CRC16 bit), the session/counter IDs must be higher than a previous authentication attempt and the secret key needs to match. Assuming all of this validates, the authentication server will return that it was a valid request.

Question #2: To use the default key as shipped, you will need to validate against the YubiCloud service. You can change this to your own OTP key (or add a second one using slot 2) via the personalization tool. If you add your own key, it would be possible to upload the credential information to one or more authenication servers.


Top
 Profile  
Reply with quote  
 Post subject: Re: Logic of yubikey
PostPosted: Wed Feb 08, 2012 9:20 am 
Offline

Joined: Tue Feb 07, 2012 8:15 pm
Posts: 2
Thank you for your answer,

i will create the following scenario.
Our webapplication have to use the yubikey for authentification (OTP), so we will buy some yubikeys an give them to our customers.
Every yubikey for our authentivication have to registered at your cloud.
For the login i have to use only one client ID and secret key for all yubikeys?

Thanks a lot for your answer.


Top
 Profile  
Reply with quote  
 Post subject: Re: Logic of yubikey
PostPosted: Thu Feb 09, 2012 2:16 pm 
Offline

Joined: Sat Jan 14, 2012 3:05 am
Posts: 7
Each Yubikey would be unique. Your web application would associate the public ID of each yubikey (the first 12 characters of the OTP string) to the users account and then submit the entire string to the YubiCloud to know if it is valid. There would be no reason to reprogram the individual YubiKeys in this instance.

Check out the Development Guidelines (http://www.yubico.com/development-guidelines) documentation (as well as the existing API/auth modules) for direction on how this gets implimented in your web app.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 4 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group