Yubico Forum
https://forum.yubico.com/

c#.net yubicoClient question
https://forum.yubico.com/viewtopic.php?f=3&t=484
Page 2 of 2

Author:  network-marvels [ Wed Feb 24, 2010 6:48 am ]
Post subject:  Re: c#.net yubicoClient question

Checking the hash is optional. However, Yubico recommends all production deployments use either an API key or HTTPS to secure the OTP validation communication.

Author:  crash893 [ Thu Feb 25, 2010 7:55 pm ]
Post subject:  Re: c#.net yubicoClient question

bump

Author:  crash893 [ Fri Feb 26, 2010 9:13 pm ]
Post subject:  Re: c#.net yubicoClient question

.

Author:  crash893 [ Tue Mar 02, 2010 3:47 pm ]
Post subject:  Re: c#.net yubicoClient question

.

Author:  darkfader [ Tue Jun 22, 2010 12:17 am ]
Post subject:  Re: c#.net yubicoClient question

https instead of hmac verification is secure enough and easier.
But anyway, check this attachment for some hmac verification code I wrote quickly if you want to implement it anyway.
Just make sure the API key is securely stored on your server! There is no way of telling if someone forged an 'OK' status if they acquired this key.

Author:  bwong [ Fri Jan 20, 2012 7:54 pm ]
Post subject:  Re: c#.net yubicoClient question

I'm confused: is the generated Client ID the AuthID?

Author:  Fredrik-at-Yubico [ Tue Mar 06, 2012 11:06 am ]
Post subject:  Re: c#.net yubicoClient question

You are basically right, but supporting signing the request even when SSL is used has the advantage of letting the server identify the client.

YubiCloud currently does not make use of this, but it could become important in the future to mitigate DoS attacks against the service.

Also, using HMAC signatures to validate the server's response could perhaps feel better than trusting your typical list of 100+ trusted SSL CAs. Not that you would necessarily be using such a list for validating the YubiCloud servers' SSL certificates, but...

/Fredrik
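
Added example, not part of the thread and not the attachment darkfader mentions or Yubico's own client code: one way to check the `h` signature on a validation response in C#, as discussed in the posts above. It assumes validation protocol 2.0 (fields other than `h` sorted by key, joined with `&`, HMAC-SHA1 under the base64-decoded API key, with `otp` and `nonce` echoed back) and .NET Core 2.1 or later for `CryptographicOperations.FixedTimeEquals`; the class name and the key, OTP, nonce and reply in `Main` are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class YubicoResponseCheck   // hypothetical name, not Yubico's client
{
    // Parse the "key=value" lines of a validation response body.
    static SortedDictionary<string, string> Parse(string body)
    {
        var fields = new SortedDictionary<string, string>(StringComparer.Ordinal);
        foreach (var line in body.Split(new[] { '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = line.IndexOf('=');   // first '=' only: base64 values end in '='
            if (eq > 0) fields[line.Substring(0, eq).Trim()] = line.Substring(eq + 1).Trim();
        }
        return fields;
    }

    // HMAC-SHA1 over every field except "h", sorted by key and joined as k=v&k=v.
    static byte[] Sign(SortedDictionary<string, string> fields, byte[] apiKey)
    {
        string msg = string.Join("&", fields.Where(p => p.Key != "h").Select(p => p.Key + "=" + p.Value));
        using (var hmac = new HMACSHA1(apiKey)) return hmac.ComputeHash(Encoding.UTF8.GetBytes(msg));
    }

    // True only if the signature verifies, the reply echoes our OTP and nonce, and status is OK.
    public static bool IsValid(string body, byte[] apiKey, string sentOtp, string sentNonce)
    {
        var f = Parse(body);
        if (!f.TryGetValue("h", out string h)) return false;   // unsigned reply: reject
        byte[] received;
        try { received = Convert.FromBase64String(h); } catch (FormatException) { return false; }
        if (!CryptographicOperations.FixedTimeEquals(received, Sign(f, apiKey))) return false;
        return f.TryGetValue("otp", out string otp) && otp == sentOtp
            && f.TryGetValue("nonce", out string nonce) && nonce == sentNonce
            && f.TryGetValue("status", out string status) && status == "OK";
    }

    public static void Main()
    {
        byte[] key = Encoding.ASCII.GetBytes("constructed-demo-key");   // constructed key, OTP, nonce, reply
        string otp = "ccccccconstructedotp", nonce = "0123456789abcdef";
        string body = "otp=" + otp + "\nnonce=" + nonce + "\nstatus=OK\n";
        string reply = "h=" + Convert.ToBase64String(Sign(Parse(body), key)) + "\n" + body;
        Console.WriteLine("genuine reply accepted: " + IsValid(reply, key, otp, nonce));
        Console.WriteLine("altered reply accepted: " + IsValid(reply.Replace(nonce, "ffffffffffffffff"), key, otp, nonce));
    }
}
```

`IsValid` takes the API key already base64-decoded; a reply with no `h` field is rejected rather than treated as unsigned-but-acceptable.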

All times are UTC + 1 hour