Yubico Forum
https://forum.yubico.com/

SOLVED: Setting identical static passwords on 2 or more keys
https://forum.yubico.com/viewtopic.php?f=16&t=370
Page 1 of 2

Author:  mtudor [ Thu Aug 06, 2009 1:11 pm ]
Post subject:  SOLVED: Setting identical static passwords on 2 or more keys

Hi all,

I just received my second Yubikey this morning and I've hit a problem with the way in which I'm hoping to use them. Basically, I have fully encrypted our desktop and laptop at home using Truecrypt and a long 64 character password generated by the first Yubikey. What I'd like is for myself or my OH to be able to use either key to unlock either PC. Both PCs use the same 64 character password but I can't for the life of me figure out how to get the Yubikeys to emit the SAME 64 character password.

I had a search through the forums and what I've found so far isn't all that hopeful. Lots of people saying that I can't manually set a 64 character password on the key - is that true?

Is there any way to have the keys generate the same password? It doesn't matter what that password is as long as it is strong and preferably as long as possible!

I was wondering if I used the Yubikey config app with BOTH keys plugged into the PC, whether the same settings would be written to both or whether the application software would just pick one of them?

Does anybody have any suggestions about how I might get round this issue?

Cheers,

Mark.

Author:  mtudor [ Thu Aug 06, 2009 1:15 pm ]
Post subject:  Re: Setting identical static passwords on 2 or more keys?

mtudor wrote:
I was wondering if I used the Yubikey config app with BOTH keys plugged into the PC, whether the same settings would be written to both or whether the application software would just pick one of them?


Damn. "There is more than one Yubikey present". Then nothing unless I unplug one of them!

Author:  mtudor [ Thu Aug 06, 2009 1:24 pm ]
Post subject:  Re: Setting identical static passwords on 2 or more keys?

Looks like I can get them the same if I use "Scan code mode" but it's a maximum of 16 characters and I remember reading about the potential for problems with different keyboards in that mode. Not really ideal.

I've tried all I can think of for now. If anyone knows something I've missed then I'd appreciate some pointers! Thanks!

Mark.

Author:  network-marvels [ Thu Aug 06, 2009 1:36 pm ]
Post subject:  Re: Setting identical static passwords on 2 or more keys?

We can configure two YubiKeys 2.0 to emit the same static password by programming them using the same Public ID, Private ID and AES Key.

Please follow the steps below to program the YubiKeys to emit the same static password:

    1) Select "Create a static YubiKey configuration (password mode)" from "Select task" screen and click on Next
    2) Select the "Advanced mode - Specify public + secret id and key"
    3) Note down the values used and program the YubiKey
    4) Remove the first YubiKey 2.0, insert the other, and then program that YubiKey by following steps 1 & 2 and using the already noted values

We hope this helps!

Author:  mtudor [ Thu Aug 06, 2009 2:01 pm ]
Post subject:  Re: Setting identical static passwords on 2 or more keys?

Fantastic!

That seems to work exactly as I'd want - I actually skipped the reentering stage by just replacing one yubikey with the other whilst the program is in RUN mode.

Thanks!

Author:  shart [ Fri May 14, 2010 9:14 am ]
Post subject:  Re: SOLVED: Setting identical static passwords on 2 or more keys

Hmmmm... I'm being dense here.

We are testing Yubikeys to be used in static password mode to unlock encrypted drives but obviously would like to be able to recreate a new key with same password if original is lost (obviously we have an encrypted database containing the static key).

How do I go about creating that duplicate key based on the info in this thread? I converted the original static modhex password into hex and put the first 16 bytes as a fixed value public identity, switched off the private identity (as that was only 6 bytes) and put the remaining 16 bytes as a fixed value shared secret. When I then program the new key the first 32 characters match the original but the last 32 are different??

What am I missing?

Thanks

Author:  samir [ Mon May 17, 2010 10:29 am ]
Post subject:  Re: SOLVED: Setting identical static passwords on 2 or more keys

In order to reprogram two YubiKeys to emit the same static password, you need to program both YubiKeys to static password mode using the same "Public Identity", "Private Identity" and "AES Key" and by selecting the same options while programming both YubiKeys.

Please note that the actual static password (of 32 or more characters) emitted from the YubiKey can not be used to reprogram the other YubiKey to emit the same static password as the actual static password is generated as a result of an encryption function involving the AES key and YubiKey parameters.

Hope this helps!

Author:  WinstonWolf [ Mon Jun 14, 2010 11:25 pm ]
Post subject:  Re: SOLVED: Setting identical static passwords on 2 or more keys

This is a lousy answer to this problem.

I have been using these instructions for a half hour trying to generate a decent static password and there is never enough entropy in the process. The highest rating I can get on a 64 character password is 157 bits and that was using seed data for the Public, Private and AES portions from 3 different runs of the GRC password generator while including the option to allow for upper and lower case password generation in the settings.

Meanwhile any time I evaluate the Hexadecimal 64 character password from GRC I constantly get between 120 and 130 bits and if I use the 63 random alpha-numeric characters (a-z, A-Z, 0-9) option I constantly get over 250 bits.

I would much rather use the 63 random alpha-numeric characters password generated by GRC than the lousy 157 bit 64 character password generated by the personalization program. I would say that Yubico needs to either allow us to set our own static password or at the very least improve the password generation algorithm in use for the static password generation in the personalization program.

Author:  shart [ Wed Jun 16, 2010 10:48 am ]
Post subject:  Re: SOLVED: Setting identical static passwords on 2 or more keys

Totally agree

Author:  Jakob [ Wed Jun 16, 2010 12:50 pm ]
Post subject:  Re: SOLVED: Setting identical static passwords on 2 or more keys

Okay, just let's back off a few meters here. The Yubikey is not itself a password generator and is not designed for static mode per se, it's just a practical add on. The static mode is more or less purely relying on its input at configuration time.

We use Modhex to make the passwords portable between different keyboard layouts. This effectively limits each character to just represent 16 different combinations rather than the "full range" of a keyboard. I assume a password strength checker would lower the rank of the static output due to the fact that only 16 characters are used.

We use CryptGenRandom in the Win32 API to generate random strings in the Windows configuration tool so the entropy is therefore a direct result of that output. When using "compatible output", i.e. a Yubico OTP like string, the private ID and encryption key are both generated with the same principle and are then encrypted using AES. That should not make things worse. A 32-character Modhex output gives theoretically 32 x 4 = 128 bits and 64 characters = 256 bits, given that CryptGenRandom is ideal and that the AES-128 operation does not change anything fundamentally.

It's as simple as that. I believe that if the entropy is not good enough for your application, then CryptGenRandom is the problem.

The scancode mode is currently limited to 16 character output maximum. We have been asked enough times now to increase that and we'll do it. There is a practical limit of 38 characters in the output and we'll aim for that.

Thanks for your input. Please let me know if you feel we've neglected something.

With the best regards,

JakobE
Hardware- and firmware guy @ Yubico
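
The 4-bits-per-character arithmetic from the post above, as an added example that is not part of the original thread or of Yubico's tools: a modhex encoder/decoder plus the theoretical entropy bound for a given length and alphabet size. The function names are hypothetical, and `secrets.token_bytes` is assumed here as a stand-in for CryptGenRandom.

```python
import math
import secrets

# Modhex alphabet: hex digit i (0-15) is written as MODHEX[i].
MODHEX = "cbdefghijklnrtuv"
_VALUE = {ch: i for i, ch in enumerate(MODHEX)}


def modhex_encode(data: bytes) -> str:
    """Two modhex characters per byte, high nibble first."""
    return "".join(MODHEX[b >> 4] + MODHEX[b & 0x0F] for b in data)


def modhex_decode(text: str) -> bytes:
    """Inverse of modhex_encode; rejects anything outside the alphabet."""
    if len(text) % 2:
        raise ValueError("modhex string must have an even length")
    bad = sorted(set(text) - set(MODHEX))
    if bad:
        raise ValueError(f"not modhex characters: {bad}")
    vals = [_VALUE[ch] for ch in text]
    return bytes((hi << 4) | lo for hi, lo in zip(vals[::2], vals[1::2]))


def max_entropy_bits(length: int, alphabet_size: int) -> float:
    """Upper bound, reached only if every character is uniform and independent."""
    return length * math.log2(alphabet_size)


def random_modhex_password(n_chars: int = 64) -> str:
    """n_chars modhex characters from the OS CSPRNG (assumed stand-in for CryptGenRandom)."""
    if n_chars % 2:
        raise ValueError("n_chars must be even (two characters per byte)")
    return modhex_encode(secrets.token_bytes(n_chars // 2))


if __name__ == "__main__":
    pw = random_modhex_password(64)  # constructed sample, different on every run
    print(pw, "->", len(pw), "chars")
    # Same secret in plain hex: the encoding changes the alphabet, not the bytes.
    print(modhex_decode(pw).hex())
    print("32 modhex chars:", max_entropy_bits(32, 16), "bits")
    print("64 modhex chars:", max_entropy_bits(64, 16), "bits")
    print("63 chars of a-z, A-Z, 0-9:", round(max_entropy_bits(63, 62), 1), "bits")
```

The bound only says how much entropy the encoding can carry; whether a given string reaches it depends on the random source that produced the bytes.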

All times are UTC + 1 hour