Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 7:46 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 5 posts ] 
Author Message
PostPosted: Thu Jul 30, 2015 5:42 pm 
Offline

Joined: Thu Jul 30, 2015 5:05 pm
Posts: 1
I created a github issue, hopefully in the right repo, here is a link: https://github.com/Yubico/yubikey-perso ... /issues/53

Here is a copy for those that want to stay on the forum:

OS: Windows 10 x64 (build 10240)
APP: YubiKey Personalization Tool
  • application version: 3.1.20
  • library version: 1.17.0
YubiKey: Neo FW 3.4.3

When generating a static password on slot 2 with Scan Code, if the password ends in a capital letter, when using the YubiKey to generate slot 2 input, for some reason my keyboard is "Stuck" with shift. Every letter I manually type after that is capital. I was able to kick this "lock" by hitting my left shift key 5 times to prompt the sticky key window and clicking no.

Here is a video: http://youtu.be/Y28X8yA2E2U

P.S. this isn't an issue if I do Advanced instead of Scan Code. My issue with advanced is that the password it generates usually only has 2 Uppercase characters and only about 2 or so numbers and the rest is all lowercase letters and they look very similar.

Example with using Advanced: 31GUniglknrihhjbbjiclurlvrhhdrih
That password is pitiful.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Fri Aug 07, 2015 5:28 pm 
Offline

Joined: Wed May 09, 2012 9:35 pm
Posts: 45
I have the exact same issue.

Do you think it's actually an issue from the Personalization tool or from the Yubikey firmware?

My NEO's firmware is 3.4.2. I'm on Windows 8.1 Pro MCE x64 with tool 3.1.20.

Also, I have another Yubikey NEO firmware 3.1.2 and it does not cause this problem.


Top
 Profile  
Reply with quote  
PostPosted: Tue Sep 22, 2015 4:30 pm 
Offline
Site Admin
Site Admin

Joined: Mon Mar 02, 2009 9:51 pm
Posts: 83
We'll have to look into the shift issue, I haven't heard of it before.

Regarding the "pitiful" password, here's an explanation:

The non-scancode mode uses modhex characters (these are the same ones used in our YubiKey OTPs), which offer the benefit of working on a vast number of different keyboard layouts. This means that you can use a YubiKey with a modhex static password set on different computers that have different keyboard layouts set, and still get the same password. Some small tweaks are done to ensure that there are uppercase values as well as digits in the password, which is required for some applications. How secure is this? Let's do the math:

There are 32 characters in the password. The modifications to some characters to get uppercase and digits aside, there are 16 possible characters in each position. 16 = 2^4, which means that each character gives us 4 bits of entropy. With 32 characters, that's a total of 32*4 = 128 bits of entropy. That's 340282366920938463463374607431768211456 possible combinations. An attacker would have to try half of those, on average, to guess the correct one. If we assume that an attacker is capable of trying 1,000,000,000 passwords each second, it would take somewhere around 5395141535403007094485 years to crack it.


Top
 Profile  
Reply with quote  
PostPosted: Sun Sep 27, 2015 3:41 pm 
Offline

Joined: Wed May 09, 2012 9:35 pm
Posts: 45
Thanks Dain for looking into it.

If I wasn't depending on the key for code signing, it would have been RMA'd already. It's really annoying.


Top
 Profile  
Reply with quote  
PostPosted: Tue Oct 13, 2015 12:21 pm 
Offline
Site Admin
Site Admin

Joined: Mon Mar 02, 2009 9:51 pm
Posts: 83
We've looked at the issue and have narrowed down the bug. Please follow (and post to) this Github issue for updates to this:

https://github.com/Yubico/yubikey-perso ... /issues/53

EDIT: We're making progress now, updated this post to reflect that.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 5 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 10 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group