IMO the personalization tool is very hard to understand since it exposes all kinds of very technical details about the key without explaining them or talking about what combinations you can use them in.
There are a lot of details, too, about how the yubikey does static passwords that are very non-intuitive to casual users.
Therefore, here is my solution. A script for everyone (on windows) to examine and use:
http://s3.collectivesoftware.com/statickey.wsf
Here is a copy of the instructions (also available inside the script source)
Code: StaticKey version 1.0
Copyright(c) 2009 Collective Software, LLC
Free to use for the yubikey community, in the hopes it will be useful.
A simple "static password" yubikey programmer for Windows Script host.
It produces a 64 character password, with 256 bits of true complexity.
You need to have the yubikcom.dll registered. This can be done by
installing the so called "personalization tool" from
http://www.yubico.com/developers/personalization/
Simple usage:
* Install the "personalization tool" (see above)
* Make sure you understand that you are deleting the old yubikey data!
* Plug in your yubikey
* Launch script
* Enter a 64 character hexadecimal string as can be found at:
https://www.grc.com/passwords.htm
* After the key is programmed, touch the green ring to see the static
password.
There are two things you should understand about what your static
passwords will look like:
1)
Yubikeys always talk in the language of "modhex" which is similar to
normal hexadecimal, except instead of:
0123 4567 89ab cdef
it uses the characters:
cbde fghi jkln rtuv
So no matter what you enter for the input, the output will always look
like modhex.
2)
The first 32 characters of the static password will be a simple modhex
transcription of the first 32 characters of your input string. BUT the
last 32 characters will be the result of an AES encryption operation.
They will be the same every time, because all the inputs to the AES
operation are the same (static). But they are not a literal copy of
your exact input characters.
For example, for the input string:
0000000000000000000000000000000000000000000000000000000000000000
the static password generated is:
ccccccccccccccccccccccccccccccccncejelrjvjvvciclerknrlihnteljrcb
You see the first half is all "c"s, which is modhex for "0". But the
last half is changed because of the AES. This is not a "feature" or
a "bug". The AES operation does not add or subtract any security in
this situation, since it produces the same static result each time.
It is just an artifact of the way yubico programmed their firmware.
Other details:
This programmer is completely deterministic and it does not add any
randomness or complexity to your password beyond the 64 characters you
enter. Entering the same value many times will produce identical static
password'ed keys (this is considered a feature). So it is IMPORTANT
to get a VERY RANDOM entry string so you will be as secure as possible.
Get your string from https://www.grc.com/passwords.htm or some other
source of strong randomness. Do not just type stuff from your keyboard.
If you want to remove the "enter" key from the end of the password entry
sequence, comment out the line:
yk.ykFlagProperty(5) = true;
by adding two slashes // in front of it.
If you want it to be a "tab" instead of an "enter", change the line to
yk.ykFlagProperty(2) = true;
|
I then downloaded it, although I did not know from which source, so I picked