Yubico Forum

Hello!

I have got two v2 keys, started to program one of them. I added a second profile - static password, and it works.

Then I overwrote 1st config with something I thought was very clever at that moment, and now I cannot get this key to work with anything - I tried Yubico demo OpenID server, Yubico forums, Clavid's server. I tried many combinations of public/private IDs, fixed/increment/random, different sizes - but I cannot get my key to be recognized. It does not return cccccc... now.

Thankfully, I kept my second key unchanged, and using it I was able to join this forum.

Please help me to reconfigure my key back to normal. What are the standard parameters?

Confused, lost,
Alex.

Please note that, by re-initializing your YubiKey (either by manually programming a new AES key in the YubiKey or programming the YubiKey for static PW), you will lose ALL abilities to use that particular YubiKey against Yubico online severs - validation server, YubiKey management service, Yubico forum, demo server, OpenID server and so on. You are advised to consider using separate YubiKeys for use in Static Password Mode or for development and testing purposes.

Does it mean I killed one of my keys? Can I reprogram it back to Yubico AES key? Isn't Yubico AES key built in the config utility?

How do I use your config utility to add config1 protection against reprogramming, let say, and not destroy that key's compatibility with Yubico servers? I don't see how.

Is it safe to add a second config (static PW) for my working key? Will config1 still work with Yubico servers?

Thanks,
Alex.

No, in as far as I can tell from what you posted here, your key is allright.


Yes you can, but either you need to create your own key and upload it to the Yubico server - see http://yubico.com/developers/aeskeys/ - or you need to retrieve the original AES key from Yubico. The latter may prove to be a bit difficult, as Yubico used to require 2 Yubikey generated OTP's + some proof of purchase of the key. There seems to be a better way now, please read viewtopic.php?f=5&t=108&p=503#p503

On my keys they fixed a little label, that contains a barcode and a number. They uniquely identify your key, so Yubico probably will be able to retrieve your secret. However, you need to prove your identity to them (CAcert?) perhaps you still have a proof of purchase, perhaps Yubico maintains records of which keys they shipped to whom. It all depends on their willingness to compromise security


No, it is not. The AES key is available to the party that programmed the key; for a default key that would be Yubico. If you program your own key, you are the only party that has the key.


I hadn' thought of it but yes, that's an interesting question: can you add password protection to a key WITHOUT reprogramming it? I dont' know, but perhaps one of the Yubico people can answer this?


Same anwer as to the last question..

Thanks, fortean! Looks like I've got a rocky start with Yubikeys...



Isn't it the same result in the end - my key will work with Yubico servers? If yes, I'd better upload my new key myself, the web page seems simple.

EDIT: Hm... Got "OTP prefix mismatch" error on that page... Not sure what to do now.

If you reprogram your key and want to register it with Yubico, you'll need to make sure the public identifier of your key starts with 0xFF. You can check if you did allright by pressing your reprogrammed Yubikey and check the FIRST 2 characters, they should be 'vv'.

THANKS! Got it all working again.

I've got everything worked about except I'm getting two errors. Identity must be 12 characters long (Internal Identity), where do I find this Identity or where do I set it in the personalization software. Also getting Identity in OTP does not match (OTP from the YubiKey), assuming this is because of the Internal Identity issue. Thanks for the help.

If you want to find out the secret identity of a Yubico default key, you'll need its AES secret. You remove the public identifier from the OTP (first 12 characters, which represent your 6 bytes public ID) and decode the remaining 32 characters (de-modhex them and run the resulting bytes through some AES-128 decoder). The first 6 bytes of the decoded string will be the secret ID.

If you have programmed your key yourself, you already know the secret ID

I am not capable enough to work with MS Windows, alas, so I'll manage with Linux. It has the ykpersonalize tool and you can use the
-ouid=..... option to program your secret id.

You can use the YubiKey Configuration Utility 2.00.1 to program the Internal Identity for the YubiKey. The "private identity" in the Configuration Utility is the Internal Identity for the YubiKey. The YubiKey Configuration Utility 2.00.1 and user guide can be downloaded from the following link:

http://www.yubico.com/developers/personalization/

We hope this helps!