Yubico Forum
https://forum.yubico.com/

When will yubikey become a brick? locking myself out?
https://forum.yubico.com/viewtopic.php?f=4&t=547

Author:  tdlk [ Fri Jun 25, 2010 1:01 pm ]
Post subject:  When will yubikey become a brick? locking myself out?

I'm using my yubikey for openid and keygenius =) love it.

Now I have some questions:

1) How many power-ups do I have? (non-volatile counter)

2) Is it reset when a new AES/OTP config is programmed?

3) Do the session/global counters wrap-around eventually?

4) How many OTPs can I generate per power-up (e.g. 48h coding session =) )?

5) Chicken & Egg problems: is it possible to use yubikey OTP for pam logins into Gnome Desktop? Encrypted home partition? How to solve this if pam is used to unlock gnome-keyring, gnome-keyring stores WiFi passwords, and WiFi is needed to connect to yubico server to authenticate pam? Also what about using pam to access gpg keys and encrypted home? any suggestions. Or shall I use static passwords for this?

Thanks =)

Author:  Jakob [ Sat Jul 03, 2010 11:38 pm ]
Post subject:  Re: When will yubikey become a brick? locking myself out?

tdlk wrote:
I'm using my yubikey for openid and keygenius =) love it.

Always nice to hear :)

Quote:
Now I have some questions:

1) How many power-ups do I have? (non-volatile counter)

Hard to say. Assuming Yubico OTP mode, the Yubikey counts up the first time an OTP is generated after power up. Then the session counter counts up
The use counter is limited to 15 bits, which today seems a bit stupid, trying to stuff bits as tight as possible. But, assuming even five power-ups per day, 365 days per year it will still take 32768 / 5 / 365 = 18 years for the counter to get stuck. I strongly doubt that it will ever happen to any [normal] user...

In OATH-HOTP mode, the counter is 16 bits, thereby expanding to double that number. OTOH, in HOTP mode, the non-volatile counter counts up every time the Yubikey is used.

Quote:
2) Is it reset when a new AES/OTP config is programmed?

Yes. If the counter eventually would hit the wall, the key can always be re-configured. Then the counter is back at zero again.

Quote:
3) Do the session/global counters wrap-around eventually?
4) How many OTPs can I generate per power-up (e.g. 48h coding session =) )?

In Yubico OTP mode, the counter gets stuck at 32767. In HOTP mode, it wraps from 65535 -> 0.
The session counter is 8 bits wide, giving 256 counts per power up cycle. If this counter wraps, the use counter is incremented, thereby avoiding a clash.

Quote:
5) Chicken & Egg problems: is it possible to use yubikey OTP for pam logins into Gnome Desktop? Encrypted home partition? How to solve this if pam is used to unlock gnome-keyring, gnome-keyring stores WiFi passwords, and WiFi is needed to connect to yubico server to authenticate pam? Also what about using pam to access gpg keys and encrypted home? any suggestions. Or shall I use static passwords for this?

Seems like a static password would be best here. You can always use the second configuration for that.


Best regards,
JakobE
Hardware- and firmware guy @ Yubico
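
The counter behaviour described in the reply above, sketched as an added example (not part of the original thread and not Yubico's code). The class and function names are hypothetical; the `ReplayCheck` rule (accept only a strictly greater counter pair) and treating the 32767 ceiling as end of life are assumptions of the sketch.

```python
# Constructed model of the Yubico OTP counters described in the thread.
USE_MAX = 0x7FFF     # 15-bit use counter, sticks at 32767
SESSION_MAX = 0xFF   # 8-bit session counter, 256 counts per power-up

class CounterExhausted(Exception):
    """Use counter is at its ceiling; reprogramming resets it to zero."""

class YubicoOtpCounters:
    def __init__(self, use=0):
        self.use, self.session, self.fresh = use, 0, True

    def power_up(self):
        self.fresh = True

    def next_otp(self):
        """Return the (use, session) pair carried by the next OTP."""
        if self.fresh:                        # first OTP after power-up
            self._bump_use()
            self.session, self.fresh = 0, False
        elif self.session == SESSION_MAX:     # session wrap bumps use counter
            self._bump_use()
            self.session = 0
        else:
            self.session += 1
        return self.use, self.session

    def _bump_use(self):
        # Assumption: the model treats the ceiling as end of life.
        if self.use >= USE_MAX:
            raise CounterExhausted("use counter stuck at 32767")
        self.use += 1

class ReplayCheck:
    """Assumed server rule: accept only a strictly greater (use, session)."""
    def __init__(self):
        self.last = (0, -1)

    def accept(self, pair):
        if pair <= self.last:
            return False                      # replayed or stale OTP
        self.last = pair
        return True

def power_ups_to_exhaust(otps_per_power_up):
    """Full power cycles the key can serve before a use-counter bump fails."""
    if otps_per_power_up < 1:
        raise ValueError("need at least one OTP per power-up")
    bumps = 1 + (otps_per_power_up - 1) // 256  # power-up + session wraps
    return USE_MAX // bumps
```
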

Author:  matthewbloch [ Thu Sep 08, 2011 12:09 pm ]
Post subject:  Re: When will yubikey become a brick? locking myself out?

Can I resurrect this thread to ask what happens to the timer after 24.47 days? Does it wrap, or get stuck? http://wiki.yubico.com/wiki/index.php/Yubikey says "the session is terminated and no more OTPs can be generated" but one of our customers kept getting OTPs after 25 days, just not ones that our server would validate. I've not got a log of the tokens generated, so can you fill me in on what to expect the timer value to show?

All times are UTC + 1 hour