Yubico Forum
https://forum.yubico.com/

Challenge-response mode - FAQ
https://forum.yubico.com/viewtopic.php?f=4&t=632

Author:  Jakob [ Fri Feb 04, 2011 12:29 am ]
Post subject:  Challenge-response mode - FAQ

We've got quite a few questions regarding the challenge-response mode which was introduced with Yubikey firmware 2.2. This gives a clue that our documentation on this subject is not up to what it should be. We'll see what we can do in this matter.

What is it for ?
We also call this "unattended mode" or "dongle mode". With challenge-response mode, you can programmatically send a challenge to the Yubikey and then programmatically read a response from it. This allows a client application to interact with the Yubikey without user interaction and also allows for a continuous background check if a token is present. This is useful in software- or service licensing settings among others.

How does it work technically ?
It works by the means that a client application sends out a challenge or a nonce. This challenge is cryptographically processed by the Yubikey and a response is sent back as a result of this challenge.

Okay, what "cryptographic process" is this ?
It can be selected as either Yubico OTP compatible mode or HMAC-SHA1.

How does the Yubico OTP compatible mode work ?
A 6 byte challenge is sent to the Yubikey, which is exclusive-ORed with the current private ID. The Yubico OTP algorithm is then executed and the response being sent back is the 128-bit OTP.

How does the HMAC-SHA1 mode work ?
It takes a challenge block of 1-64 bytes and calculates an HMAC-SHA1 on this using the 160-bit secret stored in the Yubikey. The resulting 160-bit hash is sent back as a response.

Why implement both algorithms ? Is one better than the other ?
Depending on the setting, both have different benefits. The Yubico OTP generates a unique OTP even if the challenge varies as the counters and random field are generated internally in the Yubikey. The HMAC-SHA1 operation by nature generates the same response every time for a given challenge. Software applications that repeatedly verify the presence of the Yubikey should use the HMAC-SHA1 operation with a counter or a random number as challenge as this gives unlimited usage time. With the Yubico OTP algorithm, there is a chance that a programmatic application could cause the counters to wrap, which is not practically possible in normal OTP usage.

This means that an application can "sneak in" and exchange data with the Yubikey without me noticing it ?
Yes. If the setting finds it more appropriate, there is a configurable option to require a button confirmation in order for the response to be sent.

Can I use this feature together with normal Yubico OTP or OATH-HOTP ?
Yes - this is configured on a per-configuration basis. Normal setting when enabled is to use configuration #1 for a standard button generated OTP and configuration #2 for challenge-response.

I don't want this stuff - can I turn this off ?
It is off by default. You configure it to be enabled if you want this feature.

Does this mean that the Yubikey 2.2 now requires a driver to work ?
No - the client needs the driver only if the challenge-response mode is used.

You say "driver" - does this mean that I need to install a low-level driver, i.e. WDM/ring 0 driver?
It's a user-mode interface shim that communicates with the HID stack. No privileged driver install is therefore needed.

Ok, how can I try out this stuff before I make up my mind if this is useful ?
We have a Windows COM/ActiveX-component that is provided with some programming examples and a test container.
Download installer at http://static.yubico.com/var/uploads/fi ... taller.msi
Separate documentation can be downloaded at http://static.yubico.com/var/uploads/pd ... %20API.pdf

No version for Linux ?
We have a Python library in the making which will be announced shortly.

How is this supported on the server side ?
We have provided a server API library that can be used in conjunction with the client API. This library contains some other useful functions for OTP validation.
Download installer at http://static.yubico.com/var/uploads/fi ... taller.msi
Separate documentation can be downloaded at http://static.yubico.com/var/uploads/pd ... %20API.pdf


With the best regards,

JakobE
Hardware- and firmware guy @ Yubico
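
Added example, not part of the original post and not Yubico's client or server API: a software model of the HMAC-SHA1 exchange the FAQ describes, with a host that issues a fresh random challenge per presence check so that a response recorded from an earlier check does not verify. `SimulatedToken`, `PresenceVerifier` and `demo` are hypothetical names, and the secret is a constructed sample.

```python
import hashlib
import hmac
import secrets

SECRET_LEN = 20      # 160-bit secret, as stated in the FAQ
MAX_CHALLENGE = 64   # challenge block is 1-64 bytes

class SimulatedToken:
    """Software stand-in for the key's HMAC-SHA1 configuration (hypothetical)."""
    def __init__(self, secret: bytes):
        if len(secret) != SECRET_LEN:
            raise ValueError("secret must be 160 bits")
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        if not 1 <= len(challenge) <= MAX_CHALLENGE:
            raise ValueError("challenge must be 1-64 bytes")
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()

class PresenceVerifier:
    """Host side: one fresh random challenge per check, each usable once."""
    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = None

    def new_challenge(self, size: int = 32) -> bytes:
        self._pending = secrets.token_bytes(size)
        return self._pending

    def verify(self, response: bytes) -> bool:
        challenge, self._pending = self._pending, None  # consume the challenge
        if challenge is None:
            return False  # no outstanding challenge, nothing to verify against
        expected = hmac.new(self._secret, challenge, hashlib.sha1).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare

def demo() -> dict:
    secret = bytes(range(SECRET_LEN))  # constructed sample secret
    token, host = SimulatedToken(secret), PresenceVerifier(secret)
    first = token.respond(host.new_challenge())
    fresh = host.verify(first)
    host.new_challenge()               # next check uses a new nonce
    replayed = host.verify(first)      # response recorded from the earlier check
    fixed = token.respond(b"static") == token.respond(b"static")
    return {"fresh": fresh, "replayed": replayed,
            "deterministic": fixed, "length": len(first)}
```
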

Author:  Redhatter [ Wed Feb 16, 2011 1:29 pm ]
Post subject:  Re: Challenge-response mode - FAQ

Another question for the list... Is there some documentation that describes how to trigger the challenge-response mode of the key?

It's reassuring that a Python example is upcoming, but it'd be nice to be able to have a stab at implementing it myself in the meantime as a learning exercise. My intent is to extend or create a PAM module that can make use of the key without needing a second password field. And no, a Windows-only library won't do when three of the computers I intend to run it on physically can't run Windows (due to them being non-x86 RISC architecture).

So far though, loving these keys. It's not something I would have directly sought myself, but seeing as one pretty much landed in my lap (everyone who attended linux.conf.au this year was given one) I've been seeing what I can do with them.

Author:  Fredrik-at-Yubico [ Thu Feb 17, 2011 8:46 am ]
Post subject:  Re: Challenge-response mode - FAQ

The Python framework was announced in the yubico-devel Google group a couple of days ago :

http://groups.google.com/group/yubico-d ... 9c2686bb24

/Fredrik

Author:  Redhatter [ Fri Feb 18, 2011 2:55 pm ]
Post subject:  Re: Challenge-response mode - FAQ

Ahh coolness, much appreciated. :-)

All times are UTC + 1 hour