Yubico Forum

All times are UTC + 1 hour
PostPosted: Wed Feb 19, 2014 9:42 am 

Joined: Wed Feb 19, 2014 9:34 am
Posts: 2
I got the protocol working pretty fast, so that's all good. But for increased security, we'd like to add the 'h' parameter to the URL, but no matter what I try, I always get the response "BAD_SIGNATURE".

As for now, I am using this site to generate the signature: https://quickhash.com/ Algorithm is SHA1 with "Use HMAC Method?" checked and output set to Base64.
The HMAC key I use is the 'Secret Key' I get from https://upgrade.yubico.com/getapikey/.
The id parameter in the url is also from the /getapikey site.

If I input this in the quickhash input box: id=15401&nonce=askjdnkajsndjkasndkjsnad&otp=ccccccdbrldiifthrjbbjlvgkcguceiheninhbubtgil
And then click generate I get this output: by7jCdAlZI1osGspmzHIGQEjnZ4=

So I go to this url: http://api.yubico.com/wsapi/2.0/verify? ... HIGQEjnZ4=

And get this response:

Any and all help would be appreciated!


PostPosted: Wed Feb 19, 2014 1:28 pm 
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
The protocol uses HMAC-SHA-1 signatures. The HMAC key to use is the client API key.

Generate the signature over the parameters in the message. Each message contains a set of key/value pairs, and the signature is always over the entire set (excluding the signature itself), and sorted in alphabetical order of the keys. More precisely, to generate a message signature do:

1- Alphabetically sort the set of key/value pairs by key order.
2- Construct a single line with each ordered key/value pair concatenated using '&', and each key and value concatenated with '='. Do not add any linebreaks. Do not add whitespace. For example: `a=2&b=1&c=3`.
3- Apply the HMAC-SHA-1 algorithm on the line as an octet string using the API key as key.
4- Base 64 encode the resulting value according to RFC 4648, for example, `t2ZMtKeValdA+H0jVpj3LIichn4=`.
5- Append the value under key 'h' to the message.


PostPosted: Wed Feb 19, 2014 1:35 pm 

Joined: Wed Feb 19, 2014 9:34 am
Posts: 2
While being thankful for your reply, I'm afraid that I cannot use it for anything, since I've already read the guide from where you copy/pasted the steps.
I followed every step the best I could, but still nothing.

PostPosted: Tue Mar 04, 2014 10:19 am 
Site Admin

Joined: Thu Apr 19, 2012 1:45 pm
Posts: 148

That site isn't doing base64 decoding of your key..

Let's do a little example..

We're using id 15618 and key Eibja2kRFXXoW6hjZaiyBtWnCBA=
With the string id=15618&nonce=0102030405060708090a0b0c0d0e0f&otp=ccccccbteuddjivcnlfefefrccdcjrfjfvgjnfkcklge quickhash.com gives us XsQI1OJZ+R0KsAokpdAAhHQQavQ= but the correct signature is Jt19GpDOAraTYRFBHSofYZFEwjE=

https://api.yubico.com/wsapi/verify/2.0 ... ofYZFEwjE=
https://api.yubico.com/wsapi/verify/2.0 ... AAhHQQavQ=

and finally some perl code:

use strict;
use warnings;
use Digest::SHA qw(hmac_sha1);
use MIME::Base64;

# The key from getapikey is base64 text; the HMAC key must be the decoded 20 raw bytes.
my $key = decode_base64("Eibja2kRFXXoW6hjZaiyBtWnCBA=");
# Parameters already sorted by key, joined with '&', no whitespace or linebreaks.
my $string = "id=15618&nonce=0102030405060708090a0b0c0d0e0f&otp=ccccccbteuddjivcnlfefefrccdcjrfjfvgjnfkcklge";
# Second argument '' stops encode_base64 appending a newline to the signature.
my $sig = encode_base64(hmac_sha1($string, $key), '');
$string .= "&h=$sig";
warn $string;


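The five-step signing procedure from the first admin reply and the key-decoding point from the second can be exercised end to end with the Python script below. It is an added example, not code from this thread or from Yubico's own client libraries. The id, key, nonce and OTP are the values quoted in the posts above; the response body it verifies is constructed locally and signed with the same key, not captured from api.yubico.com, and its t value is made up. The script prints the signature computed with the base64-decoded key next to the one computed over the key's base64 text, so both can be compared with the two values the admin posted, and it URL-encodes the h parameter, since a raw '+' or '=' in a query string is mangled by many HTTP stacks.

```python
"""Yubico validation protocol 2.0: HMAC-SHA-1 request and response signatures.

Added example, not code from the forum thread. Assumptions:
  - CLIENT_ID, API_KEY_B64, OTP and NONCE are the demo values quoted in the thread;
  - the response body built by signed_response() is constructed here, not a real one.
"""
import base64
import hashlib
import hmac
from urllib.parse import urlencode

CLIENT_ID = "15618"
API_KEY_B64 = "Eibja2kRFXXoW6hjZaiyBtWnCBA="   # base64 text as shown by getapikey
OTP = "ccccccbteuddjivcnlfefefrccdcjrfjfvgjnfkcklge"
NONCE = "0102030405060708090a0b0c0d0e0f"


def api_key_bytes(key_b64: str = API_KEY_B64) -> bytes:
    """The HMAC key is the decoded 20-byte value, not the 28-character base64 text."""
    return base64.b64decode(key_b64)


def canonical_string(params: dict) -> str:
    """Steps 1-2: drop 'h', sort by key, join as k=v&k=v with no whitespace."""
    items = sorted((k, v) for k, v in params.items() if k != "h")
    return "&".join(f"{k}={v}" for k, v in items)


def sign(params: dict, key: bytes) -> str:
    """Steps 3-4: HMAC-SHA-1 over the canonical string, base64 per RFC 4648."""
    mac = hmac.new(key, canonical_string(params).encode("ascii"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def signature_with_key_as_text(params: dict, key_b64: str) -> str:
    """The mistake in the first post: HMAC keyed with the base64 *text* of the key."""
    return sign(params, key_b64.encode("ascii"))


def signed_query(params: dict, key: bytes) -> str:
    """Step 5: append h=... and URL-encode so '+' and '=' in the base64 survive."""
    signed = dict(params)
    signed["h"] = sign(params, key)
    return urlencode(signed)


def verify(params: dict, key: bytes) -> bool:
    """Constant-time check of an h= over the sorted parameters (request or response)."""
    return hmac.compare_digest(sign(params, key), params.get("h", ""))


def parse_response(body: str) -> dict:
    """A validation response is key=value lines; keep only well-formed ones."""
    params = {}
    for line in body.splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            params[k.strip()] = v.strip()
    return params


def signed_response(params: dict, key: bytes) -> str:
    """Build a constructed response body, signed the way the server signs its own."""
    resp = dict(params)
    resp["h"] = sign(params, key)
    return "\r\n".join(f"{k}={v}" for k, v in resp.items()) + "\r\n"


def main():
    key = api_key_bytes()
    req = {"id": CLIENT_ID, "otp": OTP, "nonce": NONCE}
    print("string to sign:        ", canonical_string(req))
    print("h (key base64-decoded):", sign(req, key))
    print("h (key as ASCII text): ", signature_with_key_as_text(req, API_KEY_B64))
    print("signed query string:   ", signed_query(req, key))

    # Constructed response (t value is made up); the server would echo otp and nonce.
    resp = {"otp": OTP, "nonce": NONCE, "sl": "25", "status": "OK",
            "t": "2014-02-19T12:48:16Z0281"}
    parsed = parse_response(signed_response(resp, key))
    print("response verifies:     ", verify(parsed, key))
    parsed["status"] = "REPLAYED_OTP"     # any change to a signed field breaks h
    print("tampered verifies:     ", verify(parsed, key))


if __name__ == "__main__":
    main()
```

Besides checking h on the response, a client should also confirm that the echoed otp and nonce match the ones it sent, otherwise a valid response for a different request could be replayed against it.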