Yubico Forum

PostPosted: Wed Jun 18, 2008 4:30 pm 
Site Admin

Joined: Tue May 06, 2008 7:22 pm
Posts: 151
We received this question in e-mail:

Quote:
With firmware version 1.3.0 will you be supporting both the one time
password and the locally authenticated login.

I see a device where for sites that you control or support the Yubikey only
the OTP is used and for other sites a 32-character string is used.
Is it necessary for the authentication server to support the static password
as it can only work for sites that support Yubikey?


The answer is that with firmware 1.3.0 each particular yubikey can be programmed to work in either static OTP mode, or in "normal" OTP mode. The yubikey doesn't know which site you visit, and in particular whether it supports real OTPs or not, so you can't use the same yubikey for both static OTPs and for normal OTPs. You can however use two different yubikeys, one that is static and works against all pre-yubikey-ified sites, and one dynamic that works against sites that call out to a server.

If an authentication server knows the AES key in your yubikey, it will be able to decrypt even static OTPs. However, the plaintext fields will be fixed (0xFF) so a normal server would reply REPLAYED_OTP after the first use. Servers could detect that the OTP is a static one and return a special error code, but we haven't seen a need for this yet.

I hope this answers the question.

/Simon


PostPosted: Wed Jul 09, 2008 11:29 pm 

Joined: Mon Jun 09, 2008 8:37 pm
Posts: 9
Can the mode be switched after it is initially programmed? (from OTP to random and back)

PostPosted: Thu Jul 10, 2008 11:22 pm 

Joined: Thu Jul 10, 2008 11:01 pm
Posts: 2
I am also wondering about this. Static OTP could be very useful in quite a few cases.

PostPosted: Sat Jul 12, 2008 3:19 am 

Joined: Wed May 07, 2008 5:25 pm
Posts: 110
Location: Sunnyvale, California
Please see here:

viewtopic.php?f=2&t=133&p=430#p430

Cheers

_________________
The YubiKey Server Guy

PostPosted: Tue Jul 15, 2008 8:58 pm 

Joined: Mon Jun 16, 2008 7:16 pm
Posts: 2
Hi, I've been reading a bit about converting a 1.3 version key to STATIC passwd, but my key is a version 1.1 key.

Can I download a utility to upgrade my key? Thanks in advance,

george

PostPosted: Thu Jul 17, 2008 5:20 pm 

Joined: Mon Jun 16, 2008 7:16 pm
Posts: 2
Okay, I bought another key, a 1.3 firmware unit, and now have personalized it and changed the ykFlagProperty->ykFLAG_STATIC_TICKET per the instructions here: viewtopic.php?f=2&t=133&p=430#p430

I notice 2 changes in behavior for the yubikey. 1) the generated passwd is 32 chars instead of the original 44 and 2) the new static passwd doesn't have a CR appended to it (at least in my testing using notepad and textedit on my mac).

Is this correct behavior? Thanks in advance, george

PostPosted: Sat Jul 19, 2008 6:42 am 
Site Admin

Joined: Wed May 28, 2008 7:04 pm
Posts: 263
Location: Yubico base camp in Sweden - Now in Palo Alto
A series of relevant questions - we should have provided more primers on how to configure Yubikeys using our Windows configuration API. I'll return in this matter in a separate thread later on, but just a few initial points:

Pro primo - Remember that using the configuration API destroys the pre-configured static ID and the AES key. After a programming operation, the key won't work against our authentication server any more.

Pro secundo - remember that the code provided with the configuration component is sample code only. The plan was to make the code as clean as possible in order to describe the concept rather than messing it down with lots of logic. We'll provide a more polished "production like" app soon.

Pro tertio - Don't be concerned that people will be able to sabotage Yubikeys using the configuration component. Keys used in a production environment are usually provided with the configuration lock set.

Pro quarto - Don't forget the YubiKey Integrators' Guide PDF provided together with the component describing the overall programming model.


Now, let's go over to the question itself

The configuration component works by means of properties, which are all blank or false by default. The default state can be restored with the ykClear method.

Calling ykProgram without setting any of the parameters "kills" the Yubikey and puts it into an unconfigured state. This is indicated by the Yubikey LED flashing shortly every three seconds. Programming a valid configuration restores the LED to steady green.

The OTP part is 128 bits = 16 bytes = 32 modhex characters, and that one is always sent. This means that if no static ID is set, only 32 characters will be sent. Our evaluation keys are programmed with a 6 byte static ID = 12 modhex characters. Together with the OTP, this equals 32 + 12 = 44 characters. The evaluation keys further have the ykFLAG_APPEND_CR flag set, which means that a trailing CR will be sent.

In order to configure a static OTP key with output in line with the evaluation keys, the following steps should be performed:

ykClear
ykStaticID = "010203040506"
ykFlagProperty(ykFLAG_APPEND_CR) = True
ykFlagProperty(ykFLAG_STATIC_TICKET) = True
ykProgram

The Yubikey shall now yield a 44 character static OTP which is cbcdcecfcgchncejelrjvjvvciclerknrlihnteljrcb


Hope this sorts out the open questions

Regards,

JakobE
Hardware- and firmware guy @ Yubico
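The 12 + 32 character layout described above, worked through in code. This is an added example, not code from the thread or from Yubico's configuration API: it decodes modhex, splits a key's output into static ID and OTP body, and models the server-side REPLAYED_OTP behaviour from the first post. MAX_ID_CHARS is an assumed sanity limit, and the "OK" / "REPLAYED_OTP" strings are a constructed simplification of a validation reply.

```python
# Added example (not from the forum thread): parse YubiKey output into its
# static ID prefix and 32-character OTP body, decoding modhex along the way.
from typing import Tuple

MODHEX = "cbdefghijklnrtuv"   # modhex alphabet; a character's value is its index
OTP_CHARS = 32                # 128-bit OTP body = 16 bytes = 32 modhex characters
MAX_ID_CHARS = 32             # assumption: longest static ID prefix we accept


def modhex_decode(s: str) -> bytes:
    """Decode a modhex string to bytes; raise ValueError on bad input."""
    if len(s) % 2 or any(ch not in MODHEX for ch in s):
        raise ValueError("not a valid modhex string")
    return bytes(MODHEX.index(s[i]) * 16 + MODHEX.index(s[i + 1])
                 for i in range(0, len(s), 2))


def split_otp(output: str) -> Tuple[str, str]:
    """Return (static_id_hex, otp_body_hex) for one key press.

    The last 32 characters are always the OTP body; whatever precedes them
    is the static ID, which is empty if none was programmed (the 32-char
    case george observed)."""
    output = output.rstrip("\r\n")          # ykFLAG_APPEND_CR adds a trailing CR
    if len(output) < OTP_CHARS:
        raise ValueError("output shorter than one OTP body")
    static_id, body = output[:-OTP_CHARS], output[-OTP_CHARS:]
    if len(static_id) > MAX_ID_CHARS:
        raise ValueError("static ID prefix too long")
    return modhex_decode(static_id).hex(), modhex_decode(body).hex()


class ReplayTracker:
    """Server-side view: a static-ticket key emits the same body on every
    press, so a server that remembers seen OTPs answers REPLAYED_OTP from
    the second use onward, exactly as the first post describes."""

    def __init__(self) -> None:
        self.seen: set = set()

    def check(self, output: str) -> str:
        _, body = split_otp(output)
        if body in self.seen:
            return "REPLAYED_OTP"
        self.seen.add(body)
        return "OK"


if __name__ == "__main__":
    # The 44-character static OTP quoted in the post above.
    sample = "cbcdcecfcgchncejelrjvjvvciclerknrlihnteljrcb"
    print(split_otp(sample))       # static ID decodes back to 010203040506
```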
