Yubico Forum https://forum.yubico.com/ |
|
Purpose of UID/SecretID in OTP? https://forum.yubico.com/viewtopic.php?f=5&t=222 |
Page 1 of 1 |
Author: | chaeron [ Fri Jan 09, 2009 11:51 pm ] |
Post subject: | Purpose of UID/SecretID in OTP? |
I've been reviewing the validation server code, and was curious what the UID (also called SecretID), 6-byte field in the decrypted OTP is intended to be used for? The Validation Server logic does not seem to use it for validation. Is this something that is unique to each yubikey? Should we store it in our database and use it for yet another validation test, checking to make sure the values match? Thanks! |
Author: | Jakob [ Sat Jan 10, 2009 6:48 pm ] |
Post subject: | Re: Purpose of UID/SecretID in OTP? |
The intended usage is when a collection Yubikeys share the same AES key. Assume a case where the public id (fixed part) is set to zero bytes. The OTP is then 128 bits = 32 modhex characters. The server decrypts all keys in the collection using the same AES key and uses the private id (uid) to determine the user's id. If not used in this context, such as how the Yubico authentication server setting works, the private id (uid) is typically set to a random string. Although not needed, the server application can verify this number. With the best regards, JakobE Hardware- and firmware guy @ Yubico |
Author: | chaeron [ Mon Jan 19, 2009 12:16 am ] |
Post subject: | Re: Purpose of UID/SecretID in OTP? |
Thanks Jacob. We've decided to use the internal UID as an extra authentication check. Never thought to use common AES keys....probably more security risk that way, since getting your hands on the key then lets you crack multiple hardware keys, but an interesting idea nonetheless. |
Page 1 of 1 | All times are UTC + 1 hour |
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/ |