Yubico Forum
https://forum.yubico.com/

Getting my secret key for yubikeys.secret field
https://forum.yubico.com/viewtopic.php?f=5&t=487

Author:  YuvalRon [ Mon Feb 22, 2010 3:09 pm ]
Post subject:  Getting my secret key for yubikeys.secret field

Hello

I'm currently trying to work with the wsapi validation server; I'm using the Java version with Tomcat 6 and MySQL.
I am working with the server setup tutorial at:
yubico-val-server/setup.htm

I have successfully built the schema and deployed the validation server to Tomcat.

However, in section 6 "Import Yubikey records into the database.", it says I should get the Device ID (successfully got it from ConvertModhex [OTP] ) and the secret key.
About providing the secret key, it says:
"The secret is requested from the provisioning party or from Yubico directly. It is b64-encoded. An example looks like 'jHFA3cWwEd.....xEo742R4=' "

So my questions are:
1. Who (or what) should I talk to in Yubico, to get my secret key? I can provide a valid OTP of course.
2. Just to make sure, is the secret key going to the secret field in yubikeys table in b64?
3. Is that key the actual AES key of my device?

Thanks,
Yuval

Author:  samir [ Tue Feb 23, 2010 10:18 am ]
Post subject:  Re: Getting my secret key for yubikeys.secret field

Please find answers to your questions as follows:

1. Who (or what) should I talk to in Yubico, to get my secret key? I can provide a valid OTP of course.

Answer:

In order to streamline the process for users who want to program their own AES keys in YubiKeys and still have a working key online we have changed the process of handling AES Keys at the online validation server.

At the high level you will no longer be able to copy or download the individual AES key from the YMS server. Instead if you need access to the AES key, you will have to use a YubiKey programming tool (YubiKey Configuration utility) to program your own AES key into a YubiKey and then upload the same AES key(s) to the server (to be used online) using the following link:

http://www.yubico.com/developers/aeskeys/

The step by step instructions for uploading the AES Key can be found at the following forum link:

viewtopic.php?f=2&t=402&p=1754

2. Just to make sure, is the secret key going to the secret field in yubikeys table in b64?

Answer:

The secret key aka AES Key will be stored in the "secret" field of "yubikeys" table in base64 format.

3. Is that key the actual AES key of my device?

Answer:

The secret key aka AES key stored in the "yubikeys" table is actually the AES Key of your YubiKey.

We hope this helps!

Author:  YuvalRon [ Tue Feb 23, 2010 5:18 pm ]
Post subject:  Re: Getting my secret key for yubikeys.secret field

Thanks Samir

I completed the AES generation successfully with YubikeyConfig 2.1 - but I still don't manage to validate my Yubikey on my local server.

I send the following:
http://localhost:8080/yubikey-server-j/verify?id=1&otp=<YUBIKEY_OTP>

But keep getting response:
t=2010-02-23T17:56:03Z0599
status=BAD_OTP
h=A16px0d0pV9IclCwjEGa8b4xnYg=


I uploaded the AES key with the other identity details to the Yubico server and tested it - the online Yubico server validates the OTPs fine - which makes me think I didn't put the correct data in my DB "yubikeys" table.

Here is what I put into the table:
id=1
client_id=1
active=1
created='2010-02-22 13:38:00'
accessed='2010-02-22 13:38:00'
tokenId=<the first 8 chars from the ConvertModhex.java Base64 output>
userId=1
secret=<the AES key -but I don't have it in base64>
counter=NULL
low=NULL
high=NULL

Looks like my AES key is in Hex because it is a string that has 32 0-9 and a-f digits.

I tried to convert it to Base64 by http://www.yubico.com/demo/Modhex_Calculator.php (btw it's linked to RADIUS.yubico.com... from http://www.yubico.com/developers/modhex/ which is broken) but apparently the calculator doesn't work - the php script always throws an exception.
Other calculators converted to base64 but the converted string didn't respond correctly either - I still get BAD_OTP response.

Please help - what should be the values in each field (should counter, low and high be other than NULL?) and how do I convert my AES to Base64?

Thanks,
Yuval

Author:  samir [ Wed Feb 24, 2010 8:31 am ]
Post subject:  Re: Getting my secret key for yubikeys.secret field

From the information provided by you, it seems that there are some problems with the tokenId.

Code:
tokenId=<the first 8 chars from the ConvertModhex.java Base64 output>


The tokenid that needs to be inserted in the database is the first 12 modhex characters of the YubiKey OTP converted into Base64 format.

We successfully installed the Java based Yubico OTP validation server in our test environment.

For testing, we reprogrammed one of our YubiKeys using the YubiKey configuration utility available for download at the link given below:

http://www.yubico.com/developers/personalization/

We used the following hex encoded parameters for reprogramming the YubiKey:
Code:
tokenId aka YubiKey ID aka Public Identity: 66005af787a3
UserId  aka Private Identity: 86137d745f3f
secret aka AES Key aka cryptographic key (shared secret): 75ff8407307fa1884d4cbc1805f9e2e0   

After reprogramming the YubiKey, the YubiKey is emitting following OTP:
Code:
hhccglvijilefbbgfcbvnfnreirvgkfgdhngcndiegtb

As we need to insert the tokenId and secret in Base64 format, we converted them to Base64 values using the Modhex Calculator available at the link given below:

http://radius.yubico.com/demo/Modhex_Calculator.php

The Base64 converted values are as follows:
Code:
tokenId (first 12 characters of the OTP aka YubiKey ID aka Public Identity i.e hhccglvijile) = "ZgBa94ej" (without quotes)
secret (AES Key i.e 75ff8407307fa1884d4cbc1805f9e2e0)  = "df+EBzB/oYhNTLwYBfni4A==" (without quotes)

We inserted these values in the OTP validation server database using the following command (userId is optional):
Code:
mysql> insert into yubikeys  (id,client_id,active,created,accessed,tokenId,secret) values (1,1,1,now(),now(),'ZgBa94ej','df+EBzB/oYhNTLwYBfni4A==');

The YubiKey record using the above mentioned insert command looks as follows:
Code:

+----+-----------+--------+---------------------+---------------------+----------+--------+--------------------------+---------+------+------+------------+
| id | client_id | active | created             | accessed            | tokenId  | userId | secret                   | counter | low  | high | sessionUse |
+----+-----------+--------+---------------------+---------------------+----------+--------+--------------------------+---------+------+------+------------+
|  1 |         1 |      1 | 2010-02-24 03:32:10 | 2010-02-24 03:32:10 | ZgBa94ej |        | df+EBzB/oYhNTLwYBfni4A== |       0 |    0 |    0 | NULL       |
+----+-----------+--------+---------------------+---------------------+----------+--------+--------------------------+---------+------+------+------------+

After that we were able to successfully validate the OTPs.

We would appreciate it if you could convert your tokenId and secret parameter to Base64 format, insert the YubiKey record as described above and try again.
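
The conversion described in the post above, as an added example that is not part of the original thread and is not Yubico's code: it derives the Base64 `tokenId` and `secret` values from an OTP and a hex AES key, and flags a `secret` field that still holds the hex string. The function names are hypothetical, the 44-character OTP layout is an assumption taken from the sample OTP in the thread, and the inputs in the demo are the test values posted above.

```python
import base64
import string

MODHEX = "cbdefghijklnrtuv"  # modhex digit at index i encodes hex digit i
_TO_HEX = str.maketrans(MODHEX, "0123456789abcdef")


def modhex_to_bytes(text):
    """Decode a modhex string (as typed by the YubiKey) to raw bytes."""
    text = text.strip().lower()
    bad = sorted(set(text) - set(MODHEX))
    if bad or len(text) % 2:
        raise ValueError(f"not valid modhex: bad chars {bad} or odd length")
    return bytes.fromhex(text.translate(_TO_HEX))


def token_id_from_otp(otp):
    """Base64 of the public identity: the first 12 modhex chars of the OTP."""
    otp = otp.strip()
    if len(otp) != 44:  # assumption: 12-char public ID + 32-char encrypted part
        raise ValueError("expected a 44-character OTP")
    return base64.b64encode(modhex_to_bytes(otp[:12])).decode("ascii")


def secret_from_hex(aes_hex):
    """Base64 of the 16-byte AES key given as 32 hex digits."""
    key = bytes.fromhex(aes_hex.strip())
    if len(key) != 16:
        raise ValueError("AES key must be 16 bytes (32 hex digits)")
    return base64.b64encode(key).decode("ascii")


def check_secret_field(value):
    """Classify a yubikeys.secret value: 'ok', 'hex', 'wrong-length', 'invalid'."""
    value = value.strip()
    # Hex first: 32 hex digits also parse as Base64 (24 bytes of wrong key).
    if len(value) == 32 and all(c in string.hexdigits for c in value):
        return "hex"
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return "invalid"
    return "ok" if len(raw) == 16 else "wrong-length"


if __name__ == "__main__":
    # Test values posted in the thread for the reprogrammed YubiKey.
    print(token_id_from_otp("hhccglvijilefbbgfcbvnfnreirvgkfgdhngcndiegtb"))
    print(secret_from_hex("75ff8407307fa1884d4cbc1805f9e2e0"))
```
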

Author:  YuvalRon [ Wed Feb 24, 2010 9:14 am ]
Post subject:  Re: Getting my secret key for yubikeys.secret field

Hi Samir

After a little more effort - the validation finally worked!

What you described is exactly what I did yesterday - but - the SQL script provided in the setup guide (yubico-val-server/db.htm) is not updated!

The reasons it kept failing were:
1. The userId column is NotNull in the provided schema but there was no value provided to that field in your SQL line:
mysql> insert into yubikeys (id,client_id,active,created,accessed,tokenId,secret) values (1,1,1,now(),now(),'ZgBa94ej','df+EBzB/oYhNTLwYBfni4A==');
This SQL will fail because it doesn't set a NN column. I worked around it by adding a default value to that column, which was: '' (this is not very healthy for normal DB usage). Perhaps you can explain what that column is for if it's not in use?
2. There was no sessionUse column - I added one with INT(11) just because I saw other column with the same definition.

Please provide a corrected SQL script for the DB schema creation (recommend also to review/update the setup guide).

Thanks for your help, much appreciated
Yuval

All times are UTC + 1 hour