Yubico Forum

All times are UTC + 1 hour




Post new topic Reply to topic  [ 6 posts ] 
Author Message
PostPosted: Mon Jul 21, 2014 5:30 pm 

Joined: Mon Jul 21, 2014 7:09 am
Posts: 8
After a long fight to get GPShell working and my 3000000+ Neo into a fit state to upload an OATH applet to, I am stuck at what feels like the final hurdle. The upload script fails on the connect command.

My card is in the m82 mode.

I have added keys to my neo with gpg, and gpg --card-edit shows these clearly:

Application ID ...: D2760001240102000006002DC6F40000
Version ..........: 2.0
Manufacturer .....: unknown
Serial number ....: 002DC6F4
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 5
Signature key ....: 1F56 A992 5577 66F3 CEEB E6D0 8EC0 7DDF 100F D182
created ....: 2014-07-20 20:25:20
Encryption key....: 86C5 EC26 501B A2F9 5A3E 31CB 9BC3 13F9 0A97 3908
created ....: 2014-07-20 20:25:20
Authentication key: 142D C757 A906 475C F56F CE34 E1DF 7D9F D086 0530
created ....: 2014-07-20 20:25:20
General key info..:
pub 2048R/100FD182 2014-07-20 My Name (test) <xxxxx@xxxxx.com>
sec> 2048R/100FD182 created: 2014-07-20 expires: never
card-no: 0006 002DC6F4
ssb> 2048R/D0860530 created: 2014-07-20 expires: never
card-no: 0006 002DC6F4
ssb> 2048R/0A973908 created: 2014-07-20 expires: never
card-no: 0006 002DC6F4

I have edited the OATH gpinstall.txt file to point correctly to the supplied .CAP file to contain the keys above. But I always get:

mode_211
enable_trace
establish_context
card_connect
select -AID a000000003000000
Command --> 00A4040008A000000003000000
Wrapped command --> 00A4040008A000000003000000
Response <-- 6F658408A000000003000000A5599F6501FF9F6E06479112103800734A06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040255650B06092B8510864864020103660C060A2B060104012A026E01029000
open_sc -security 1 -keyind 0 -keyver 0 -mac_key 142DC757A906475CF56FCE34E1DF7D9FD0860530 -enc_key 86C5EC26501BA2F95A3E31CB9BC313F90A973908
Command --> 80CA006600
Wrapped command --> 80CA006600
Response <-- 664C734A06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040255650B06092B8510864864020103660C060A2B060104012A026E01029000
Command --> 80500000088376364DA61E2E0300
Wrapped command --> 80500000088376364DA61E2E0300
Response <-- 00003319002063970936FF020002BD279D5ADBCA986DD27B982077549000
mutual_authentication() returns 0x80302000 (The verification of the card cryptogram failed.)

Any suggestions very welcome as I'm getting to the point of adjusting my new NEO with a hammer!

_____________

gpinstall.txt:

mode_211
enable_trace

establish_context
card_connect
select -AID a000000003000000
open_sc -security 1 -keyind 0 -keyver 0 -mac_key 142DC757A906475CF56FCE34E1DF7D9FD0860530 -enc_key 86C5EC26501BA2F95A3E31CB9BC313F90A973908

delete -AID a000000527210101
delete -AID a0000005272101

install -file /home/rob/Downloads/ykneo-oath-0.2.1.cap -instParam 00 -priv 00
card_disconnect
release_context


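The trace in the post above is a complete GlobalPlatform card-manager exchange: SELECT of the Issuer Security Domain (AID A000000003000000), a GET DATA for tag 66 (Card Data), then INITIALIZE UPDATE with the host challenge 8376364DA61E2E03, after which GPShell reports 0x80302000 because the session keys it derived from the ENC/MAC values given to open_sc did not reproduce the card's cryptogram. That is exactly what a card whose card manager keys the host does not hold returns, which is consistent with the replies later in this thread. The decoder below is an added example, not code from the post or from Yubico/GPShell. It takes the two responses copied from the trace and pulls out what the card actually announced: the Card Recognition Data OIDs from the SELECT FCI (tag 06 = data format, 60 = card management type and version, whose trailing arcs give the GP version 2.1.1, 63 = card identification scheme, 64 = secure channel protocol and implementation option, 65 = card configuration details, 66 = card/chip details; the last two are vendor-defined), and the fields of the SCP02 INITIALIZE UPDATE response (key diversification data, key version, SCP identifier, sequence counter, card challenge, card cryptogram). The 28-byte response layout and the tag meanings are the GP Card Specification 2.1.1 definitions; it also checks the one thing a reader can verify without any keys: SCP02 static ENC/MAC keys are 16-byte double-length DES keys, while the values passed to open_sc in the script are the 20-byte OpenPGP fingerprints that gpg --card-edit printed.

```python
# Added example, not code from the post or from Yubico/GPShell: decode the
# GlobalPlatform card-manager exchange captured in the GPShell trace above.
# Hex strings are copied from that trace; field layouts follow GlobalPlatform
# Card Specification 2.1.1 (SELECT FCI, Card Recognition Data, SCP02 INITIALIZE UPDATE).

SELECT_RESPONSE = bytes.fromhex(
    "6F658408A000000003000000A5599F6501FF9F6E06479112103800734A0607"
    "2A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03"
    "640B06092A864886FC6B040255650B06092B8510864864020103660C060A2B06"
    "0104012A026E01029000"
)
INIT_UPDATE_RESPONSE = bytes.fromhex(
    "00003319002063970936FF020002BD279D5ADBCA986DD27B982077549000"
)


def split_sw(resp: bytes):
    """Separate the trailing two status-word bytes from the response data."""
    return resp[:-2], int.from_bytes(resp[-2:], "big")


def parse_tlv(data: bytes) -> list:
    """BER-TLV to [(tag_hex, value)]; constructed tags recurse into a child list."""
    items, i = [], 0
    while i < len(data):
        tag, i = data[i:i + 1], i + 1
        if tag[0] & 0x1F == 0x1F:          # two-byte tag such as 9F65 / 9F6E
            tag, i = tag + data[i:i + 1], i + 1
        length, i = data[i], i + 1
        if length & 0x80:                  # long-form length (81 xx, 82 xx xx)
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        value, i = data[i:i + length], i + length
        constructed = bool(tag[0] & 0x20)
        items.append((tag.hex().upper(), parse_tlv(value) if constructed else value))
    return items


def decode_oid(raw: bytes) -> str:
    """Decode DER OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def card_recognition_data(select_resp: bytes) -> dict:
    """Map each tag inside Card Recognition Data (tag 73 in the FCI) to its dotted OID."""
    data, sw = split_sw(select_resp)
    if sw != 0x9000:
        raise ValueError(f"SELECT failed: SW={sw:04X}")
    fci = dict(parse_tlv(data))["6F"]
    recog = dict(dict(fci)["A5"])["73"]
    # Tag 06 holds the OID directly; tags 60..66 wrap one 06 element each.
    return {tag: decode_oid(val if tag == "06" else dict(val)["06"]) for tag, val in recog}


def scp_from_oid(oid: str) -> tuple:
    """Tag 64 OID is {globalPlatform 4 scp i}: return (SCP number, implementation option)."""
    arcs = oid.split(".")
    return int(arcs[-2]), int(arcs[-1])


def parse_initialize_update(resp: bytes) -> dict:
    """SCP02 INITIALIZE UPDATE response: 10+1+1+2+6+8 data bytes followed by the SW."""
    data, sw = split_sw(resp)
    if sw != 0x9000 or len(data) != 28:
        raise ValueError(f"unexpected INITIALIZE UPDATE response: SW={sw:04X}, {len(data)} bytes")
    return {
        "key_diversification": data[0:10].hex().upper(),
        "key_version": data[10],
        "scp": data[11],
        "sequence_counter": int.from_bytes(data[12:14], "big"),
        "card_challenge": data[14:20].hex().upper(),
        "card_cryptogram": data[20:28].hex().upper(),
    }


def scp02_static_key_ok(key_hex: str) -> bool:
    """SCP02 static ENC/MAC keys are double-length DES keys: exactly 16 bytes."""
    return len(bytes.fromhex(key_hex)) == 16


if __name__ == "__main__":
    recog = card_recognition_data(SELECT_RESPONSE)
    for tag, oid in recog.items():          # 06 format, 60 GP version, 64 SCP/option
        print(tag, oid)
    print("SCP, option:", scp_from_oid(recog["64"]))
    print("card:", parse_initialize_update(INIT_UPDATE_RESPONSE))
    # open_sc in the post passes the 20-byte OpenPGP fingerprints as card manager keys
    print("16-byte key?", scp02_static_key_ok("142DC757A906475CF56FCE34E1DF7D9FD0860530"))
```

Running it shows tag 64 decoding to 1.2.840.114283.4.2.85, i.e. SCP02 with implementation option 0x55, and the card answering INITIALIZE UPDATE with SCP identifier 02, sequence counter 0002 and the cryptogram 986DD27B98207754 that the host could not match. The cryptogram check itself is not reproduced here because it needs the card's static keys, which is the whole point of the thread.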

PostPosted: Tue Jul 22, 2014 7:41 am 
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
Hello,

Please refer to this blog post http://www.yubico.com/2014/07/yubikey-neo-updates/

If you don't have a developer NEO you won't be able to access Yubico applets or add your own.

_________________
-Tom


PostPosted: Tue Jul 22, 2014 3:38 pm 

Joined: Mon Jul 21, 2014 7:09 am
Posts: 8
Tom, thank you for getting back to me so quickly. I'd like to point out a couple of things.

Your blog post gives this information that is relevant to owners of new Yubikeys:

(Old NEOs:) "the card manager keys were set to a single value to facilitate development."
Yubikeys are "no longer configured with the fixed card manager keys."
"We are setting up a YubiKey NEO Developers program for you to order YubiKey NEO “Developer Edition” that come with the known card manager keys" (from "What does this mean if you want to develop applets")

Nowhere on your site, except your answer above, says that new NEOs cannot use applets as advertised in the core features. Not the OATH help files, not your product information page, not the android app, not this forum, not the blog. Nowhere.

If you think I'm being stupid then I would give you this reasoned explanation of why a user would conclude that a new NEO could use the apps (I will ignore the fact that it is advertised as being able to):

- There is now a NEO and a developer edition. I am not a developer. I want to use the standard apps - conclusion? No problem. If they were called the "standard" and "restricted" versions then I may think otherwise.
- There is lots of information on the internet and here about how to set keys on Yubikeys using gpshell so it seems that there is no problem with a lack of default keys.
- When you set up your keys you are prompted to change the default admin PIN (this means I don't have to worry about attackers being able to do whatever I can (as they would with the default setup and as referred to in your blog))
- The gpinstall.txt file supplied with the OATH applet has a connect line containing the default keys which can obviously be edited to non-default ones (this would in fact appear to be the answer to the same problem as mine in a previous thread.)
- Somewhere it says that the Neo manager can't be used with the new NEOs. Nowhere does it say that the same applies to uploading applets using gpshell.
- and to repeat my main point above - nowhere on here is the really important piece of information given, or even implied that new NEOs don't have the advertised features.

Need I say that it took me a while to cool down before writing this. Please make it clear to customers that new NEOs don't do X,Y,Z to avoid a lot of wasted time and frustration. It is a job of minutes for you to do.


PostPosted: Tue Jul 22, 2014 6:40 pm 
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
I think there is some confusion here.

Your Yubikey NEO already comes with OpenPGP, YubiOATH (Yubico Authenticator) and PIV installed, so you can start using Yubico's applets right away.
The developer program is for those customers who would like to upload their custom applets on the Yubikey NEO.

If we failed to communicate this to you, then we apologize and I will forward your comments to our website/PR team to make it more clear for everyone.

This is a very recent change and lots of resources are currently working on a major project, and the right way of communicating the changes may have slipped out of our hands.

Please, let me know if I misunderstood you.

_________________
-Tom


PostPosted: Fri Jul 25, 2014 7:28 am 

Joined: Mon Jul 21, 2014 7:09 am
Posts: 8
Hi Tom,

Sorry for the slow reply and thanks for yours! Now I hang my head as yes, my NEO does work fine with the Authenticator app, although I just got connection error messages previously, which is when I started on the long road to trying to install the Applet. I wonder if the cure to my original issue was my adding keys to the NEO or I just screwed something up first time round.

Better docs would be good, yes. Hopefully this thread will help.

Thanks


PostPosted: Sun Nov 16, 2014 1:09 pm 

Joined: Wed Sep 24, 2014 2:07 pm
Posts: 4
I totally support hqarrse, he's right from all points of view. Since many things are changing lately it should be clear that NEOs up to serial number XXXX / shipping date XXXXX support this and don't support that.

An informed customer is a happy customer. As to the announcement on the blog ... what can I say, I relied mostly on your official site rather than the blog.

