Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 6:07 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 6 posts ] 
Author Message
PostPosted: Tue May 28, 2013 2:33 pm 
Offline

Joined: Tue May 28, 2013 1:14 pm
Posts: 26
Hi,

the OpenPGP applet on Yubikey Neo no longer accepts the user PIN and the PIN try counter won't decrease from 3 even if I enter wrong PIN. It happened after unblocking the PIN once via "gpg --change-pin", any operation requiring user PIN like signing no longer works.

From "gpg --card-status" (gnupg 2.0.19 on Scientific Linux 6.4) :

Code:
Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
Serial number ....: 00000001
Name of cardholder: NFCTest Yubikey
Language prefs ...: en
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 6
Signature key ....: EBE7 BBA6 0F98 FEC5 38A7  9AE5 D24B 3700 FE6A 4090
      created ....: 2013-05-23 09:07:45
Encryption key....: 912C A861 FCBC CC33 4A3C  84F4 9F28 C5C9 C031 CCB5
      created ....: 2013-05-23 09:07:45
Authentication key: 5874 40A4 D735 F0D4 FD88  492C 2A16 94A5 3DC1 DDD4
      created ....: 2013-05-23 09:07:45
General key info..: pub  2048R/FE6A4090 2013-05-23 Neokey <yubi@nowhere.cz>
sec>  2048R/FE6A4090  created: 2013-05-23  expires: 2015-05-23
                      card-no: 0000 00000001
ssb>  2048R/3DC1DDD4  created: 2013-05-23  expires: 2015-05-23
                      card-no: 0000 00000001
ssb>  2048R/C031CCB5  created: 2013-05-23  expires: 2015-05-23
                      card-no: 0000 00000001


Strangely enough, admin PIN still works (also admin PIN try counter works), e.g. I can change name using admin commands. However user PIN still doesn't work even if changed/unblocked via 'gpg --change-pin', see below.

The result is the same whether using NFC or connecting via USB CCID. Sniffing and checking out some authenthication APDUs, I pasted them from pcscd log:

Authentication with user PIN (PW1) always fails:
Code:
APDU: 00 A4 04 00 06 D2 76 00 01 24 01  #select OpenPGP app - ok
SW: 90 00

APDU: 00 20 00 81 06 31 32 33 34 35 36 # user PIN fail, now always says there's 3 tries left, even if wrong PIN is supplied
SW: 63 C3


But admin PIN seems OK, it looks it will even let us change user PIN:
Code:
APDU: 00 A4 04 00 06 D2 76 00 01 24 01  #select OpenPGP app - ok
SW: 90 00

APDU: 00 20 00 83 08 31 32 33 34 35 36 37 38  #authenthicate with admin PIN 12345678 - ok
SW: 90 00

APDU: 00 2C 02 81 06 31 32 33 34 35 36 # change/reset PIN (PW1) to 123456 - seems ok
SW: 90 00


But even after "changing PIN" the auth with the user PIN still fails in the same way - returns SW 63 C3.


Last edited by hiviah on Tue Jun 04, 2013 4:17 pm, edited 1 time in total.

Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Mon Jun 03, 2013 12:52 pm 
Offline
Site Admin
Site Admin

Joined: Thu Apr 19, 2012 1:45 pm
Posts: 148
Hello,

Yes, there was a bug in unblock with admin pin in the openpgp applet (https://github.com/Yubico/ykneo-openpgp ... 473319de12). It is fixed in the source repo and new Neos sent out have the fix.

If you are interested in reloading the openpgp applet yourself there are instructions for building and loading it at https://github.com/Yubico/ykneo-openpgp (alternatively you can download it pre-built from http://static.yubico.com/var/uploads/fi ... gpcard.cap sha1sum: 06290c8f52ea4711157d26400aaf3670816bd147). Please note that reloading the applet will clear it of all generated keys.

/klas


Top
 Profile  
Reply with quote  
PostPosted: Tue Jun 04, 2013 3:05 pm 
Offline

Joined: Tue May 28, 2013 1:14 pm
Posts: 26
Thanks, that worked.

I used gpshell to upload new version of openpgpcard.cap (via RFID reader). The unblocking now works as expected.


Top
 Profile  
Reply with quote  
PostPosted: Fri Aug 02, 2013 9:09 pm 
Offline

Joined: Fri Aug 02, 2013 9:06 pm
Posts: 1
klas-
every time i download i get a different sha1sum
8a2e02bf21b05751216ddb6380833329a75500f2 openpgpcard.cap

can you confirm you've changed the file since posting your sha1sum? i don't want to brick my neo.


Top
 Profile  
Reply with quote  
PostPosted: Sun Aug 04, 2013 9:45 pm 
Offline

Joined: Tue May 28, 2013 1:14 pm
Posts: 26
kylef wrote:
every time i download i get a different sha1sum
8a2e02bf21b05751216ddb6380833329a75500f2 openpgpcard.cap

can you confirm you've changed the file since posting your sha1sum? i don't want to brick my neo.


Yes, they have uploaded a new version as of July 4th, I get identical SHA1 hash. I couldn't test it yet, but using gpshell to upload new app version should only affect the OpenPGPcard application and nothing else (thus nearly zero chance of bricking the Yubikey Neo token). Nevertheless, it would be a good idea for Yubico to use SSL/TLS for downloads as well as forums. We are playing security game here, right? :-)


Top
 Profile  
Reply with quote  
PostPosted: Mon Aug 05, 2013 10:17 am 
Offline

Joined: Tue May 28, 2013 1:14 pm
Posts: 26
kylef wrote:
can you confirm you've changed the file since posting your sha1sum? i don't want to brick my neo.


I've just tried to upload the new version having SHA1 hash 8a2e02bf21b05751216ddb6380833329a75500f2 and I can confirm it works.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 6 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: Google [Bot] and 9 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group