Yubico Forum

All times are UTC + 1 hour




Posted: Fri Feb 20, 2009 4:26 am

Joined: Mon Jun 16, 2008 3:10 am
Posts: 25
Location: Sydney, Australia
I got 2 Yubikeys... One is my production key, and I wanted to use the other as the static password one, then I discovered that the firmware is too old, and it does not support static password. Now that Yubikey is "bricked". It is returning a string that is not valid (though it's changing after every key press), but Yubico is not accepting it.

Is there a way you can issue me a new AES key for this device, so I can fix it with the personalization tool?

Thanks!
Phil Massyn


Posted: Fri Feb 20, 2009 4:19 pm
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
Hi Phil,

The YubiKey can be reprogrammed from the "One Time Password" mode to the "Static Password" mode and vice-versa.
Please note that after reprogramming, all the YubiKey counters are reset to zero. The OTP generated from the YubiKey after reprogramming can not be validated against the live Yubico Validation server even though the YubiKey is again reprogrammed with the original/new YubiKey ID and the AES key stored in the Yubico Validation server database.

Feel free to write back to us in case you face any problems.


Posted: Fri Feb 20, 2009 8:29 pm

Joined: Sun Jan 11, 2009 4:40 am
Posts: 41
network-marvels wrote:
Hi Phil,

The YubiKey can be reprogrammed from the "One Time Password" mode to the "Static Password" mode and vice-versa.
Please note that after reprogramming, all the YubiKey counters are reset to zero. The OTP generated from the YubiKey after reprogramming can not be validated against the live Yubico Validation server even though the YubiKey is again reprogrammed with the original/new YubiKey ID and the AES key stored in the Yubico Validation server database.

Feel free to write back to us in case you face any problems.


If that's the case, what's the purpose of being able to enter a YK and its parameters into the YMS?


Posted: Mon Feb 23, 2009 5:51 am

Joined: Mon Jun 16, 2008 3:10 am
Posts: 25
Location: Sydney, Australia
network-marvels wrote:
Hi Phil,

The YubiKey can be reprogrammed from the "One Time Password" mode to the "Static Password" mode and vice-versa.
Please note that after reprogramming, all the YubiKey counters are reset to zero. The OTP generated from the YubiKey after reprogramming can not be validated against the live Yubico Validation server even though the YubiKey is again reprogrammed with the original/new YubiKey ID and the AES key stored in the Yubico Validation server database.

Feel free to write back to us in case you face any problems.

I think the firmware is too old on this key. I wanted it to be a Static Password key, but only after I tried to change it I realized that it's not capable of static password use.

I do understand the counters are reset to zero, hence the reason I'd like to know if a new AES key can be generated at Yubico that I can enter into this broken key, to return it to original working condition.

Cheers

Phil


Posted: Mon Feb 23, 2009 1:20 pm
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
The current release of the Yubico Management Server does not have any mechanism to regenerate an AES key for the existing YubiKey. Yubico is planning to add this functionality in the next release of the Yubico Management Server.


Posted: Tue Feb 24, 2009 1:48 pm

Joined: Mon Jun 16, 2008 3:10 am
Posts: 25
Location: Sydney, Australia
I managed to revive my key. With the AES key provided by Support to me a few months back, I've been able to reprogram it, and after inserting and ejecting the key quite a few times, it finally got recognized by Yubico's backend.

Happy happy!

Cheers

Phil


Posted: Thu Feb 26, 2009 3:46 pm

Joined: Wed Feb 04, 2009 10:24 pm
Posts: 1
Location: Cambridge, ON. Canada
Something sounds weird about this post... First it can't be done and then it works after numerous retries... Can we get an explanation as to what sequence of events took place to reinstate the key? It all sounds insecure to me.

Thanks


Posted: Thu Feb 26, 2009 4:20 pm

Joined: Mon Jun 16, 2008 3:10 am
Posts: 25
Location: Sydney, Australia
Don't panic :-) The Yubikey is still very much secure....

When I purchased my 2 YKs, I asked Yubico to provide me the AES keys for both of them. I had to have the AES keys to test my own Decrypter scripts. I simply used the AES key for my test key, and programmed it again.

This particular key wasn't used a lot, and since I've coded my own Yubikey Authentication server, I knew that the recurring count was the only variable to get right (i.e. the counter that increments every time you insert the key into the USB), that, and I had to have the AES key. The personalization tool actually blows away the counter.

The basic idea is this: If you have the AES key, you CAN spoof a Yubikey output. That's not rocket science. When purchasing a key from Yubico, they don't provide the AES key, unless you specifically ask for it, and you can prove you actually have the keys.
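
Added example, not part of the thread and not Yubico's server code: a validation-side replay check on an already-decrypted 16-byte OTP token. It shows why a key whose counters were reset by reprogramming is rejected until its insertion counter passes the value the server last stored. The field layout follows the published YubiKey OTP token format; the function names, the state dictionary and all sample values are constructed for illustration, and the AES decryption step is left out.

```python
import struct

CRC_OK_RESIDUE = 0xF0B8  # CRC-16 residue over a valid 16-byte token

def crc16(data: bytes) -> int:
    """ISO 13239 CRC-16 (reflected polynomial 0x8408, initial value 0xFFFF)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc

def parse_token(plain: bytes) -> dict:
    """Split a decrypted token into fields; a bad CRC means wrong key or damage."""
    if len(plain) != 16 or crc16(plain) != CRC_OK_RESIDUE:
        raise ValueError("bad length or CRC")
    use_ctr, ts_low, ts_high, session_use = struct.unpack("<HHBB", plain[6:12])
    return {"uid": plain[:6], "use_ctr": use_ctr, "session_use": session_use,
            "timestamp": (ts_high << 16) | ts_low}

def validate(plain: bytes, state: dict) -> str:
    """Accept only tokens whose counters move past the stored values."""
    tok = parse_token(plain)
    if tok["uid"] != state["uid"]:
        return "BAD_OTP"
    seen = (state["use_ctr"], state["session_use"])
    if (tok["use_ctr"], tok["session_use"]) <= seen:
        return "REPLAYED_OTP"  # counter not ahead of what the server remembers
    state["use_ctr"], state["session_use"] = tok["use_ctr"], tok["session_use"]
    return "OK"

def make_sample(uid: bytes, use_ctr: int, session_use: int) -> bytes:
    """Constructed plaintext token for the demo (timestamp and random fixed)."""
    body = uid + struct.pack("<HHBBH", use_ctr, 0x1234, 0, session_use, 0xBEEF)
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)

if __name__ == "__main__":
    uid = bytes.fromhex("010203040506")                    # constructed private ID
    server = {"uid": uid, "use_ctr": 7, "session_use": 3}  # state before the reset
    for ctr in (1, 7, 8):  # insertion counter after the reset, then after re-plugs
        print(ctr, validate(make_sample(uid, ctr, 0), server))
```
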

