Yubico Forum
https://forum.yubico.com/

OTOH and Challenge Response Clarification
https://forum.yubico.com/viewtopic.php?f=26&t=1788

Author:  dharrigan [ Sun Mar 15, 2015 4:10 pm ]
Post subject:  OTOH and Challenge Response Clarification

Hi,

If I understand it correctly, the Yubico Authenticator sends the current time to the Yubikey Neo (I have fw version 3.3.0) as a challenge response and gets back a response which is then used to generate the digits.

My question is this, when I plug my Yubikey into the Personalization Tool, and click on Tools/Challenge-Response Tester, and choose either slot 1 or slot 2, I get this error:

"Challenge response could not be performed. Perhaps they YubiKey is not configured for challenge-response?"

So, how does the Yubico Authenticator get my YubiKey to honour a challenge-response request? I'm obviously missing something in my understanding! :-)

btw, I'm successfully using the Yubico Authenticator and it is working as expected.

Thank you.

-=david=-

Author:  Tom2 [ Mon Mar 16, 2015 9:59 am ]
Post subject:  Re: OTOH and Challenge Response Clarification

I am not sure I understand your question.


OATH (TOTP, HOTP) has nothing to do with the HMAC-SHA1.

The OATH applet on your NEO will be fed with time from your OS and spit out TOTP codes.

The Challenge Response works in a different way, over HID, not CCID. An example of CR is KeeChallenge for KeePass, where the Yubikey secret is used as part of the key derivation function.
Another application using CR is the Windows logon tool.

The Yubico Authenticator does not use CR in any way.

Author:  dharrigan [ Mon Mar 16, 2015 10:47 am ]
Post subject:  Re: OTOH and Challenge Response Clarification

Hi,

Thank you for your reply. I got the information directly from the website, referenced here:

https://www.yubico.com/applications/int ... ces/gmail/

and to quote:

Quote:
Therefore, to create a TOTP response using the YubiKey, Yubico has developed a small application which sends the current time to the YubiKey set-up for HMAC-SHA1 challenge/response. The application sends the current time in the OATH-TOTP format and receives back the 160 bit HMAC-SHA1 hash. This is then processed as per the OATH-TOTP spec to produce either a 6 or 8 digit number.


It alludes that CR is used (specifically HMAC-SHA1).

I've probably misunderstood the information presented, but that's how it reads.

-=david=-
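
The flow in the passage quoted above, as an added example that is not part of the original thread and not Yubico's code: the host encodes the current time as the 8-byte TOTP counter, a software stand-in plays the token's HMAC-SHA1 challenge-response step, and the host truncates the 160-bit result to 6 or 8 digits. The function names and the sample secret (the RFC 6238 test key) are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 6238 test key, not a real credential.
SAMPLE_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per TOTP step (RFC 6238 default)


def totp_challenge(unix_time: int, step: int = TIME_STEP) -> bytes:
    """Host side: encode the current time step as an 8-byte big-endian counter."""
    return struct.pack(">Q", unix_time // step)


def token_hmac_sha1(challenge: bytes, secret: bytes = SAMPLE_SECRET) -> bytes:
    """Stand-in for the token (assumption: plain software HMAC).
    On real hardware the secret stays on the device; only this output leaves it."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def truncate(response: bytes, digits: int = 6) -> str:
    """Host side: RFC 4226 dynamic truncation of the 20-byte response."""
    if len(response) != 20:
        raise ValueError("expected a 160-bit HMAC-SHA1 response")
    if digits not in (6, 8):
        raise ValueError("digits must be 6 or 8")
    offset = response[19] & 0x0F  # low nibble of the last byte picks the window
    code = struct.unpack(">I", response[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(unix_time: int, digits: int = 6) -> str:
    """Full round trip: challenge out, 160-bit response back, digits derived."""
    return truncate(token_hmac_sha1(totp_challenge(unix_time)), digits)


if __name__ == "__main__":
    import time
    now = int(time.time())
    print("challenge:", totp_challenge(now).hex())
    print("6 digits :", totp(now, 6))
    print("8 digits :", totp(now, 8))
```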

Author:  Tom2 [ Mon Mar 16, 2015 11:05 am ]
Post subject:  Re: OTOH and Challenge Response Clarification

Hi,

If you are using the Yubico Authenticator, you are not using that TOTP helper app, but rather the OATH applet on the Yubikey NEO.

You are right that the webpage is misleading; we will fix it.

Author:  dharrigan [ Mon Mar 16, 2015 11:56 am ]
Post subject:  Re: OTOH and Challenge Response Clarification

Hi,

Thank you for the clarification :-)

-=david=-

All times are UTC + 1 hour