Yubico Forum
https://forum.yubico.com/

[SOLVED] ykchalresp: Can not get the same response in python
https://forum.yubico.com/viewtopic.php?f=30&t=1425

Author:  corny [ Sat Jul 12, 2014 8:44 pm ]
Post subject:  [SOLVED] ykchalresp: Can not get the same response in python

Hi,
I am playing around with the YubiKey in challenge-response mode and am trying to reproduce it in Python.

I initialize the yubikey like this:
Code:
# ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
Firmware version 2.2.3 Touch level 1795 Program sequence 3

Passphrase to create AES key: lsjdkflksdjf
Configuration data to be written to key configuration 2:

fixed: m:
uid: n/a/
key: h:a60f076ca60e6d966f3bdcdc96f5e94c3c8efc32
acc_code: h:000000000000
OATH IMF: h:0
ticket_flags: CHAL_RESP
config_flags: CHAL_HMAC|HMAC_LT64
extended_flags: SERIAL_API_VISIBLE


I take it that a60f076ca60e6d966f3bdcdc96f5e94c3c8efc32 is the stored HMAC key.

Now I run:
Code:
ykchalresp -2 -x 57642f9efa71d159181c0f3bbc93a84ccb8d378782e09eae21695395b441f5a22a3f35d46ee596fbab39e38d3fc0c4841780996fd272845af4d92cc31bf5134a
cef9198f3a2d9a378289096da646b7c165090d60


Simulating this in Python, I get another response:

Code:
import hmac
import binascii
import hashlib
key = "a60f076ca60e6d966f3bdcdc96f5e94c3c8efc32"
chal = "57642f9efa71d159181c0f3bbc93a84ccb8d378782e09eae21695395b441f5a22a3f35d46ee596fbab39e38d3fc0c4841780996fd272845af4d92cc31bf5134a"
hmac.new(binascii.unhexlify(key), binascii.unhexlify(chal), hashlib.sha1).hexdigest()
'd8352dc4a5ce33639801fb2e2fa87444dbcae55e'


What am I missing here?

Thanks a lot and kind regards
Cornelius

Author:  corny [ Sun Jul 13, 2014 7:33 am ]
Post subject:  [SOLVED] Re: ykchalresp: Can not get the same response in py

So tell me!

Why do 32-byte challenges work although the YubiKey claims to process 64-byte challenges?

Code:
cornelius@puckel ~/src/python-yubico/examples (git)-[master] % python
Python 2.7.6 (default, Mar 22 2014, 22:59:56)
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import hmac
>>> import binascii
>>> import hashlib
>>> import os
>>> key = "a60f076ca60e6d966f3bdcdc96f5e94c3c8efc32"
>>> chal = os.urandom(32)
>>> print binascii.hexlify(chal)
d1835d598bc20c4ce8312ba94f046a015f7a70c48631b88f29922f1183e77873
>>> hmac.new(binascii.unhexlify(key), chal, hashlib.sha1).hexdigest()
'c7f7a081d06a738f913dce36b538091adc6d2e93'
>>> quit()
cornelius@puckel ~/src/python-yubico/examples (git)-[master] % ykchalresp -2 -x d1835d598bc20c4ce8312ba94f046a015f7a70c48631b88f29922f1183e77873
c7f7a081d06a738f913dce36b538091adc6d2e93


So I need to be content with 32 bytes.

Kind regards
Cornelius

Author:  Tom [ Mon Jul 14, 2014 9:01 am ]
Post subject:  Re: [SOLVED] ykchalresp: Can not get the same response in py

ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -a 303132333435363738393a3b3c3d3e3f40414243

HMAC-SHA1 challenge-response
This method allows a challenge of up to 64 bytes (512 bits) to be
hashed using the HMAC-SHA1 algorithm with a 20-byte (160 bits)
secret

Author:  corny [ Mon Jul 14, 2014 9:54 am ]
Post subject:  Re: [SOLVED] ykchalresp: Can not get the same response in py

Hi Tom,

Yes, I read this, but when I use 64 bytes, it does not work, while it works fine with 32 bytes.
I am willing to provide you any additional information!

Kind regards
Cornelius

Author:  Tom [ Mon Jul 14, 2014 10:41 am ]
Post subject:  Re: [SOLVED] ykchalresp: Can not get the same response in py

can you use KATs (Known Answer Tests) NIST PUB 198 A.2 test vectors?

http://opensource.yubico.com/yubikey-pe ... esp.1.html

Author:  corny [ Mon Jul 14, 2014 11:21 am ]
Post subject:  Re: [SOLVED] ykchalresp: Can not get the same response in py

Hi Tom,

This test runs perfectly. But this challenge is <=32 bytes.

And as soon as I use a challenge >32 bytes and <=64 bytes, the Python code does not produce the same result as ykchalresp!

Kind regards
Cornelius

Author:  Tom [ Fri Jul 18, 2014 7:23 am ]
Post subject:  Re: [SOLVED] ykchalresp: Can not get the same response in py

use ykchalresp.exe -1 -H -x

program the yubikey with the GUI

Could you use our Python code https://github.com/Yubico/python-yubico ... e_response

also, what version is your Yubikey firmware?

Author:  corny [ Fri Jul 18, 2014 9:40 am ]
Post subject:  Re: [SOLVED] ykchalresp: Can not get the same response in py

Hi Tom,

(Read to the end, before clicking links - I have the error (my error) narrowed down)

I am running this python code to initialize the yubikey:
https://github.com/privacyidea/privacyi ... yubikey.py

Roughly, it does this in MODE_OATH and challenge_response==True:

Code:
Cfg = YK.init_config()
key = binascii.hexlify(os.urandom(20))
Cfg.mode_challenge_response('h:' + key, type="HMAC")
Cfg.ticket_flag('APPEND_CR', False)
Cfg.extended_flag('SERIAL_API_VISIBLE', True)
YK.write_config(Cfg, slot=slot)


which looks pretty much the same to me as this https://github.com/Yubico/python-yubico ... t_test_key:
Code:
Cfg = YK.init_config()
key='h:303132333435363738393a3b3c3d3e3f40414243'
Cfg.mode_challenge_response(key, type='HMAC', variable=True)
Cfg.extended_flag('SERIAL_API_VISIBLE', True)
YK.write_config(Cfg, slot=slot)


But still it does not work out for me. The command-line tool creates a different response than my Python program does...
Code:
% ykchalresp -2 -H -x 175ff6a6b675906d748b2a2b74dce6dc2f065685f4a69caa7f65e2167015745f4162f1b508d1eef7f5b319cf4bf3f435daca4e387152005e253e4694e9091781
2008b987214e073127006e4166ef189242dbf035


OK, using my initialized key with some very basic python code:
Code:
cornelius@puckel ~/src/privacyideaadm (git)-[master] % python
Python 2.7.6 (default, Mar 22 2014, 22:59:56)
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import yubico
>>> import sys
>>> YK=yubico.find_yubikey()
>>> chal_hex="175ff6a6b675906d748b2a2b74dce6dc2f065685f4a69caa7f65e2167015745f4162f1b508d1eef7f5b319cf4bf3f435daca4e387152005e253e4694e9091781"
>>> import binascii
>>> chal = binascii.unhexlify(chal_hex)
>>> YK.challenge_response(chal, slot=2)
" \x08\xb9\x87!N\x071'\x00nAf\xef\x18\x92B\xdb\xf05"
>>> binascii.hexlify(YK.challenge_response(chal, slot=2))
'2008b987214e073127006e4166ef189242dbf035'
>>>


Well! This looks fine and produces the same response! So now I know the following:

1. My initialization is working fine.
2. My Yubikey is working fine
3. My response verification code has a problem with challenges larger than 32 bytes....

Thanks for your patience and help.
I will look into this.

Kind regards
Cornelius

Author:  corny [ Fri Jul 18, 2014 10:01 am ]
Post subject:  Re: [SOLVED] ykchalresp: Can not get the same response in py

Hm, I did some more digging:

The Yubikey calculates an HMAC SHA1 with the challenge.

So this is roughly my verification code:

Code:
>>> hexkey="7b6b585de517c96560f5bd0db211ea58ba1500ca"
>>> import binascii
>>> import hashlib
>>> import hmac
>>> chal_hex="175ff6a6b675906d748b2a2b74dce6dc2f065685f4a69caa7f65e2167015745f4162f1b508d1eef7f5b319cf4bf3f435daca4e387152005e253e4694e9091781"
>>> binascii.hexlify(hmac.new(binascii.unhexlify(hexkey), binascii.unhexlify(chal_hex), hashlib.sha1).digest())
'b8a53bf4d40db429029e89bfc5cd6057645b3ea6'


Indeed, the 64-byte response of the Python hmac library does not match the 64-byte response of the YubiKey.
The Python HMAC lib and the YubiKey itself get the same responses for 32 bytes, but not for 64 bytes.
That's bad, but at least I know the reason for this...

I tested this on Ubuntu 14.04LTS, with python 2.7.6.

Kind regards
Cornelius

Author:  Klas [ Mon Jul 28, 2014 7:48 am ]
Post subject:  Re: [SOLVED] ykchalresp: Can not get the same response in py

Hello,

You seem to be using the hmac-lt64 option when programming the YubiKey. When this option is in effect, the challenge is limited to 63 bytes, but may be less, and any challenge longer than 63 bytes will be truncated to 63.
I've verified with a 2.2.3 key and a piece of perl that it behaves correctly with challenges up to 63 bytes. There might be bugs in the yubico-python code, so it'd be good if you could verify with both that and the ykchalresp utility.

/klas
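
The truncation rule described in the reply above, as an added example that is not part of the original thread or of Yubico's code: a host-side verifier that cuts challenges longer than 63 bytes before computing HMAC-SHA1 when the slot uses hmac-lt64. The function names and the 63-byte challenge generator are assumptions for illustration; the key is the test key from the ykpersonalize command quoted earlier in the thread.

```python
import hashlib
import hmac
import secrets

# Limit stated in the reply above for slots programmed with -ohmac-lt64.
HMAC_LT64_MAX = 63

# Test key from the ykpersonalize command quoted earlier in the thread.
KAT_KEY_HEX = "303132333435363738393a3b3c3d3e3f40414243"


def expected_response(key_hex, challenge, lt64=True):
    """Hex HMAC-SHA1 response the host should expect for a challenge.

    With lt64=True the challenge is cut to 63 bytes first, following the
    truncation rule described in the thread (an assumption taken from it).
    """
    if lt64 and len(challenge) > HMAC_LT64_MAX:
        challenge = challenge[:HMAC_LT64_MAX]
    return hmac.new(bytes.fromhex(key_hex), challenge, hashlib.sha1).hexdigest()


def verify_response(key_hex, challenge, response_hex, lt64=True):
    """Constant-time comparison of a received response with the expected one."""
    try:
        received = bytes.fromhex(response_hex)
    except ValueError:
        return False  # not valid hex: reject instead of raising
    expected = bytes.fromhex(expected_response(key_hex, challenge, lt64))
    return hmac.compare_digest(received, expected)


def new_challenge():
    """Random challenge that stays inside the 63-byte limit, so no byte is dropped."""
    return secrets.token_bytes(HMAC_LT64_MAX)


if __name__ == "__main__":
    chal64 = bytes(range(1, 65))  # constructed 64-byte challenge
    plain = expected_response(KAT_KEY_HEX, chal64, lt64=False)
    print("HMAC over all 64 bytes :", plain)
    print("HMAC over first 63 only:", expected_response(KAT_KEY_HEX, chal64))
    print("plain HMAC accepted    :", verify_response(KAT_KEY_HEX, chal64, plain))
```

Under this rule two 64-byte challenges that differ only in their last byte yield the same response, which is why `new_challenge()` issues 63 bytes.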

All times are UTC + 1 hour