Yubico Forum


All times are UTC + 1 hour




PostPosted: Mon Feb 22, 2010 3:09 pm 
Hello

I'm currently trying to work with the wsapi validation server; I'm using the Java version with Tomcat 6 and MySQL.
I am working with the server setup tutorial at:
yubico-val-server/setup.htm

I have successfully built the schema and deployed the validation server to Tomcat.

However, in section 6 "Import Yubikey records into the database.", it says I should get the Device ID (successfully got it from ConvertModhex [OTP]) and the secret key.
About providing the secret key, it says:
"The secret is requested from the provisioning party or from Yubico directly. It is b64-encoded. An example looks like 'jHFA3cWwEd.....xEo742R4=' "

So my questions are:
1. Who (or what) should I talk to in Yubico, to get my secret key? I can provide a valid OTP of course.
2. Just to make sure, is the secret key going to the secret field in yubikeys table in b64?
3. Is that key the actual AES key of my device?

Thanks,
Yuval



PostPosted: Tue Feb 23, 2010 10:18 am 
Yubico Team
Please find answers to your questions as follows:

1. Who (or what) should I talk to in Yubico, to get my secret key? I can provide a valid OTP of course.

Answer:

In order to streamline the process for users who want to program their own AES keys in YubiKeys and still have a working key online, we have changed the process of handling AES keys at the online validation server.

At a high level, you will no longer be able to copy or download the individual AES key from the YMS server. Instead, if you need access to the AES key, you will have to use a YubiKey programming tool (YubiKey Configuration utility) to program your own AES key into a YubiKey and then upload the same AES key(s) to the server (to be used online) using the following link:

http://www.yubico.com/developers/aeskeys/

The step by step instructions for uploading the AES Key can be found at the following forum link:

viewtopic.php?f=2&t=402&p=1754

2. Just to make sure, is the secret key going to the secret field in yubikeys table in b64?

Answer:

The secret key, aka AES key, will be stored in the "secret" field of the "yubikeys" table in base64 format.

3. Is that key the actual AES key of my device?

Answer:

The secret key, aka AES key, stored in the "yubikeys" table is actually the AES key of your YubiKey.

We hope this helps!

PostPosted: Tue Feb 23, 2010 5:18 pm 
Thanks Samir

I completed the AES generation successfully with YubikeyConfig 2.1 - but I still don't manage to validate my Yubikey on my local server.

I send the following:
http://localhost:8080/yubikey-server-j/verify?id=1&otp=<YUBIKEY_OTP>

But keep getting response:
t=2010-02-23T17:56:03Z0599
status=BAD_OTP
h=A16px0d0pV9IclCwjEGa8b4xnYg=


I uploaded the AES key with the other identity details to the Yubico server and tested it - the online Yubico server validates the OTPs fine - which makes me think I didn't put the correct data in my DB "yubikeys" table.

Here is what I put into the table:
id=1
client_id=1
active=1
created='2010-02-22 13:38:00'
accessed='2010-02-22 13:38:00'
tokenId=<the first 8 chars from the ConvertModhex.java Base64 output>
userId=1
secret=<the AES key -but I don't have it in base64>
counter=NULL
low=NULL
high=NULL

Looks like my AES key is in Hex because it is a string that has 32 0-9 and a-f digits.

I tried to convert it to Base64 by http://www.yubico.com/demo/Modhex_Calculator.php (btw it's linked to RADIUS.yubico.com... from http://www.yubico.com/developers/modhex/ which is broken) but apparently the calculator doesn't work - the php script always throws an exception.
Other calculators converted to base64 but the converted string didn't respond correctly either - I still get BAD_OTP response.

Please help - what should be the values in each field (should counter, low and high be other than NULL?) and how do I convert my AES to Base64?

Thanks,
Yuval

PostPosted: Wed Feb 24, 2010 8:31 am 
Yubico Team
From the information provided by you, it seems that there is a problem with the tokenId.

Code:
tokenId=<the first 8 chars from the ConvertModhex.java Base64 output>


The tokenid that needs to be inserted in the database is the first 12 modhex characters of the YubiKey OTP converted into Base64 format.

We successfully installed the Java based Yubico OTP validation server in our test environment.

For testing, we reprogrammed one of our YubiKeys using the YubiKey configuration utility available for download at the link given below:

http://www.yubico.com/developers/personalization/

We used the following hex encoded parameters for reprogramming the YubiKey:
Code:
tokenId aka YubiKey ID aka Public Identity: 66005af787a3
UserId  aka Private Identity: 86137d745f3f
secret aka AES Key aka cryptographic key (shared secret): 75ff8407307fa1884d4cbc1805f9e2e0   

After reprogramming the YubiKey, the YubiKey is emitting following OTP:
Code:
hhccglvijilefbbgfcbvnfnreirvgkfgdhngcndiegtb

As we need to insert the tokenId and secret in Base64 format, we converted them to Base64 values using the Modhex Calculator available at the link given below:

http://radius.yubico.com/demo/Modhex_Calculator.php

The Base64 converted values are as follows:
Code:
tokenId (first 12 characters of the OTP aka YubiKey ID aka Public Identity, i.e. hhccglvijile) = "ZgBa94ej" (without quotes)
secret (AES Key, i.e. 75ff8407307fa1884d4cbc1805f9e2e0) = "df+EBzB/oYhNTLwYBfni4A==" (without quotes)

We inserted these values in the OTP validation server database using the following command (userId is optional):
Code:
mysql> insert into yubikeys  (id,client_id,active,created,accessed,tokenId,secret) values (1,1,1,now(),now(),'ZgBa94ej','df+EBzB/oYhNTLwYBfni4A==');

The YubiKey record using the above mentioned insert command looks as follows:
Code:

+----+-----------+--------+---------------------+---------------------+----------+--------+--------------------------+---------+------+------+------------+
| id | client_id | active | created             | accessed            | tokenId  | userId | secret                   | counter | low  | high | sessionUse |
+----+-----------+--------+---------------------+---------------------+----------+--------+--------------------------+---------+------+------+------------+
|  1 |         1 |      1 | 2010-02-24 03:32:10 | 2010-02-24 03:32:10 | ZgBa94ej |        | df+EBzB/oYhNTLwYBfni4A== |       0 |    0 |    0 | NULL       |
+----+-----------+--------+---------------------+---------------------+----------+--------+--------------------------+---------+------+------+------------+

After that we were able to successfully validate the OTPs.

We would appreciate it if you could convert your tokenId and secret parameters to Base64 format, insert the YubiKey record as described above and try again.

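The conversion the Yubico Team describes above (tokenId = first 12 modhex characters of the OTP, decoded to bytes and base64-encoded; secret = the hex AES key, decoded to bytes and base64-encoded) can be done offline without the Modhex Calculator. The following script is an added example written for this thread, not Yubico's ConvertModhex tool or any code from the validation server; it only uses the Python standard library and reproduces the values from the reply. The `split_otp` helper generalises slightly beyond the reply: it takes the public identity as whatever precedes the last 32 modhex characters (the 16-byte encrypted block), so it also works for keys programmed with a public ID other than 6 bytes. It also rejects a secret that is not exactly 16 bytes, since anything else cannot be an AES-128 key.

```python
import base64
import binascii

# Yubico's modhex alphabet: these 16 letters stand for hex digits 0..f, in order.
MODHEX_ALPHABET = "cbdefghijklnrtuv"
HEX_ALPHABET = "0123456789abcdef"
_MODHEX_TO_HEX = str.maketrans(MODHEX_ALPHABET, HEX_ALPHABET)
_HEX_TO_MODHEX = str.maketrans(HEX_ALPHABET, MODHEX_ALPHABET)

# Sample values quoted from the Yubico Team's reply (a test YubiKey they
# reprogrammed themselves, not a production key).
SAMPLE_OTP = "hhccglvijilefbbgfcbvnfnreirvgkfgdhngcndiegtb"
SAMPLE_AES_KEY_HEX = "75ff8407307fa1884d4cbc1805f9e2e0"


def modhex_to_hex(modhex):
    """Decode a modhex string to lowercase hex; reject anything outside the alphabet."""
    modhex = modhex.strip().lower()
    bad = sorted(set(modhex) - set(MODHEX_ALPHABET))
    if bad:
        raise ValueError("not modhex, unexpected characters: %r" % "".join(bad))
    return modhex.translate(_MODHEX_TO_HEX)


def hex_to_modhex(hexstr):
    """Inverse of modhex_to_hex, used to round-trip check the decoder."""
    raw = binascii.unhexlify(hexstr)
    return binascii.hexlify(raw).decode("ascii").translate(_HEX_TO_MODHEX)


def hex_to_base64(hexstr):
    """Convert a hex string to the base64 form the yubikeys table expects."""
    return base64.b64encode(binascii.unhexlify(hexstr)).decode("ascii")


def split_otp(otp):
    """Split an OTP into (public_id_modhex, encrypted_block_modhex).

    The last 32 modhex characters are always the 16-byte AES-encrypted block;
    everything before it is the public identity (12 characters on the key in
    the reply, but the length is configurable when programming a key).
    """
    otp = otp.strip().lower()
    if len(otp) < 32 or len(otp) % 2:
        raise ValueError("OTP must be an even number of at least 32 modhex characters")
    return otp[:-32], otp[-32:]


def yubikeys_row(otp, aes_key_hex):
    """Derive the base64 tokenId and secret for one row of the yubikeys table.

    Raises if the key is not a 16-byte AES-128 key: a key of any other length
    can never decrypt the OTP, so inserting it only guarantees BAD_OTP.
    """
    public_id_modhex, _ = split_otp(otp)
    key = binascii.unhexlify(aes_key_hex)
    if len(key) != 16:
        raise ValueError("AES key must be 16 bytes (32 hex chars), got %d bytes" % len(key))
    return {
        "tokenId": hex_to_base64(modhex_to_hex(public_id_modhex)),
        "secret": base64.b64encode(key).decode("ascii"),
    }


if __name__ == "__main__":
    row = yubikeys_row(SAMPLE_OTP, SAMPLE_AES_KEY_HEX)
    # Mirrors the mysql> insert in the reply. The values are constants here, so
    # string formatting is fine; use a parameterised query for any real input.
    print("insert into yubikeys (id,client_id,active,created,accessed,tokenId,secret) "
          "values (1,1,1,now(),now(),'%s','%s');" % (row["tokenId"], row["secret"]))
```

Run it as a script and it prints the same insert statement as the reply, with tokenId `ZgBa94ej` and secret `df+EBzB/oYhNTLwYBfni4A==`. Note that base64 of a 6-byte public ID is always exactly 8 characters, and base64 of a 16-byte key always ends in `==`; a secret value of any other shape in the table is a sign the conversion went wrong.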
PostPosted: Wed Feb 24, 2010 9:14 am 
Hi Samir

After a little more effort - the validation finally worked!

What you described is exactly what I did yesterday - but - the SQL script provided in the setup guide (yubico-val-server/db.htm) is not updated!

The reasons it kept failing were:
1. The userId column is NOT NULL in the provided schema, but there was no value provided for that field in your SQL line:
mysql> insert into yubikeys (id,client_id,active,created,accessed,tokenId,secret) values (1,1,1,now(),now(),'ZgBa94ej','df+EBzB/oYhNTLwYBfni4A==');
This SQL will fail because it doesn't set a NN column. I worked around it by adding a default value to that column, which was: '' (this is not very healthy for normal DB usage). Perhaps you can explain what that column is for if it's not in use?
2. There was no sessionUse column - I added one with INT(11) just because I saw another column with the same definition.

Please provide a corrected SQL script for the DB schema creation (recommend also to review/update the setup guide).

Thanks for your help, much appreciated
Yuval

