Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 8:21 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 15 posts ]  Go to page 1, 2  Next
Author Message
PostPosted: Thu Aug 06, 2009 1:11 pm 
Offline

Joined: Thu Aug 06, 2009 1:05 pm
Posts: 4
Hi all,

I just received my second Yubikey this morning and I've hit a problem with the way in which I'm hoping to use them. Basically, I have fully encrypted our desktop and laptop at home using Truecrypt and a long 64 character password generated by the first Yubikey. What I'd like is for myself or my OH to be able to use either key to unlock either PC. Both PCs use the same 64 character password but I can't for the life of me figure out how to get the Yubikeys to emit the SAME 64 character password.

I had a search through the forums and what I've found so far isn't all that hopeful. Lots of people saying that I can't manually set a 64 character password on the key - is that true?

Is there any way to have the keys generate the same password? It doesn't matter what that password is as long as it is strong and preferably as long as possible!

I was wondering if I used the Yubikey config app with BOTH keys plugged into the PC, whether the same settings would be written to both or whether the application software would just pick one of them?

Does anybody have any suggestions about how I might get round this issue?

Cheers,

Mark.


Last edited by mtudor on Thu Aug 06, 2009 2:02 pm, edited 1 time in total.

Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Thu Aug 06, 2009 1:15 pm 
Offline

Joined: Thu Aug 06, 2009 1:05 pm
Posts: 4
mtudor wrote:
I was wondering if I used the Yubikey config app with BOTH keys plugged into the PC, whether the same settings would be written to both or whether the application software would just pick one of them?


Damn. "There is more than one Yubikey present". Then nothing unless I unplug one of them!


Top
 Profile  
Reply with quote  
PostPosted: Thu Aug 06, 2009 1:24 pm 
Offline

Joined: Thu Aug 06, 2009 1:05 pm
Posts: 4
Looks like I can get them the same if I use "Scan ccode mode" but it's a maximum of 16 characters and I remember reading about the potential for problems with different keyboards in that mode. Not really ideal.

I've tried all I can think of for now. If anyone knows something I've missed then I'd appreciate some pointers! Thanks!

Mark.


Top
 Profile  
Reply with quote  
PostPosted: Thu Aug 06, 2009 1:36 pm 
Offline
Yubico Team
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
We can configure two YubiKeys 2.0 to emit a same static password by programming them using the same Public ID, Private ID and AES Key.

Please follow the steps below to program the YubiKeys to emit the same static password:

    1) Select "Create a static YubiKey configuration (password mode)" from "Select task" screen and click on Next
    2) Select the "Advanced mode - Specify public + secret id and key"
    3) Note down the values used and program the YubiKey
    4) Remove, the first YubiKey 2.0 and insert the other and then program the YubiKey by following the step 1 & 2 and using the already noted values

We hope this helps!


Top
 Profile  
Reply with quote  
PostPosted: Thu Aug 06, 2009 2:01 pm 
Offline

Joined: Thu Aug 06, 2009 1:05 pm
Posts: 4
Fantastic!

That seems to work exactly as I'd want - I actually skipped the reentering stage by just replacing one yubikey with the other whilst the program is in RUN mode.

Thanks!


Top
 Profile  
Reply with quote  
PostPosted: Fri May 14, 2010 9:14 am 
Offline

Joined: Fri May 14, 2010 9:07 am
Posts: 2
Hmmmm... I'm being dense here.

We are testing Yubikeys to be used in static password mode to unlock encrypted drives but obviously would like to be able to recreate a new key with same password if original is lost (obviously we have an encrypted database containing the static key).

How do I go about creating that duplicate key based on the info in this thread. I converted the original static modhex password into hex and put the first 16 bytes as a fixed value public identity, switched off the private identity (as that was only 6 bytes) and put the remaining 16 bytes as a fixed value shared secret. When I then program the new key the first 32 characters match the original but the last 32 are different??

What am I missing?

Thanks


Top
 Profile  
Reply with quote  
PostPosted: Mon May 17, 2010 10:29 am 
Offline
Yubico Team
Yubico Team

Joined: Mon Feb 22, 2010 9:49 am
Posts: 183
In order to reprogram two YubiKeys to emit the same static password, you need to program both YubiKeys to static password mode using the same "Public Identity", "Private Identity" and "AES Key" and by selecting same options while programming both the YubiKeys.

Please note that the actual static password (of 32 or more characters) emitted from the YubiKey can not be used to reprogram the other YubiKey to emit the same static password as the actual static password is generated as a result of an encryption function involving the AES key and YubiKey parameters.

Hope this helps!


Top
 Profile  
Reply with quote  
PostPosted: Mon Jun 14, 2010 11:25 pm 
Offline
User avatar

Joined: Mon Jun 14, 2010 11:16 pm
Posts: 6
This is a lousy answer to this problem.

I have been using these instructions for a half hour trying to generate a decent static password and there is never enough entropy in the process. The highest rating I can get on a 64 character password is 157 bits and that was using seed data for the Public, Private and AES portions from 3 different runs of the GRC password generator while including the option to allow for upper and lower case password generation in the settings.

Meanwhile any time I evaluate the Hexadecimal 64 character password from GRC I constantly get between 120 and 130 bits and if I use the 63 random alpha-numeric characters (a-z, A-Z, 0-9) option I constantly get over 250 bits.

I would much rather use the 63 random alpha-numeric characters password generated by GRC than the lousy 157 bit 64 character password generated by the personalization program. I would say that Yubico needs to either allow us to set our own static password or at the very least improve the password generation algorithm in use for the static password generation in the personalization program.


Top
 Profile  
Reply with quote  
PostPosted: Wed Jun 16, 2010 10:48 am 
Offline

Joined: Fri May 14, 2010 9:07 am
Posts: 2
Totally agree


Top
 Profile  
Reply with quote  
PostPosted: Wed Jun 16, 2010 12:50 pm 
Offline
Site Admin
Site Admin

Joined: Wed May 28, 2008 7:04 pm
Posts: 263
Location: Yubico base camp in Sweden - Now in Palo Alto
Okay, just let's back off a few meters here. The Yubikey is not itself a password generator and is not designed for static mode per se, it's just a practical add on. The static mode is more or less purely relying on its input at configuration time.

We use Modhex to make the passwords portable between different keyboard layouts. This effectively limits each character to just represent 16 different combinations rather than the "full range" of a keyboard. I assume a password strength checker would lower the rank of the static output due to the fact that only 16 characters are used.

We use CryptGenRandom in the Win32 API to generate random strings in the Windows configuration tool so the entropy is therefore a direct result of that output. When using "compatible output", i.e. a Yubico OTP like string, the private ID and encryption key are both generated with the same principle and are then encrypted using AES. That should not make things worse.A 32-character Modhex output gives theoretically 32 x 4 = 128 bits and 64 characters = 256 bits, given that CryptGenRandom is ideal and that the AES-128 operation does not change anything fundamentally.

It's as simple as that. I beleive that if the entropy is not good enough for your application, then CryptGenRandom is the problem

The scancode mode is currently limited to 16 character output maximum. We have been asked enough times now to increase that and we'll do it. There is a practical limit of 38 characters in the output and we'll aim for that.

Thanks for your input. Please let me know if you feel we've neglected something.

With the best regards,

JakobE
Hardware- and firmware guy @ Yubico


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 15 posts ]  Go to page 1, 2  Next

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 9 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group