Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 11:59 am

All times are UTC + 1 hour




Post new topic Reply to topic  [ 2 posts ] 
Author Message
PostPosted: Tue Sep 26, 2017 12:38 pm 
Offline

Joined: Sun Sep 24, 2017 3:10 pm
Posts: 11
I would like to add some basic Yubico OTP checking capability to an AutoIt program I would make, so that the program would only function if my yubikey is authenticated as being present. It is a scripting language that allows me to make programs without having to learn complicated programming languages.

I was experimenting with this long ago but I am clueless as to what was needed. I recall seeing some old code of mine with a hard-coded user ID of my old OTP key. I have no idea how I would get what ever my new cc built in OTP ID is or how to verify that a "successful" OTP is from my particular Yubikey and not any old Yubikey that works and was registered on the Yubico cloud.

Can someone please give me a quick readers digest of how I need to construct a get request to take input from the user, sent it to the Yubico API and get and interpret the response?

Thanks.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Tue Sep 26, 2017 8:16 pm 
Offline

Joined: Sun Sep 24, 2017 3:10 pm
Posts: 11
Ok, I have a working new program. I am verifying that the returned otp is the same as submitted, after a while of figuring out how to discern my Yubikey from any old successful "OK" result by checking the first 12 characters I have gotten it to validate me. Once the returned OTP is correct, the nonce is the same as submitted and the result is OK etc then it validates me as successful.

What can protect from someone setting up a localhost web server and just sending out a preset good looking result which has all the "right" bogus otp, nonce? Is there some simple hashing based thing I can do to check? I am not sure about the hashing. There is some basic hashing capability in AutoIt but I do not know the protocol of what gets hashed and with what algorithm. Is it a concatenation between multiple pieces of data being hashed? then in that case which goes first etc. I think that hash that is returned has got something to do with that API key I received, that is my theory. But I do not know how to make use of it.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 2 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group