Yubico Forum

I'm playing around with the C# example

I unfortuantly do not understand what its asking for when it asks for the auth_id

The program asks for

auth_id and otp

I assume that otp is one time password and the data that i enter with the yubikey
but where do i find the auth_id?

We are assuming that you are asking about the Auth_ID which is mentioned in the ReadMe file of the Yubico .Net client available at the following link:

http://code.google.com/p/yubico-dot-net ... eadMeFirst

Please correct us if we are wrong.

The normal Yubico OTP validation request that needs to be sent to the online Yubico OTP validation server is as follows:

https://api.yubico.com/wsapi/verify?id=<ID Parameter>&otp=<YubiKey OTP>

Auth_ID required for the Yubico .Net client is the id parameter required for validating the Yubico OTP with the online Yubico OTP validation server. Also, this id parameter can be used for optionally signing the OTP validation request using the API Key. For more information about the API Key and id parameter, please visit the following link:

http://www.yubico.com/developers/api/

You can generate your own id parameter using the following link:

https://api.yubico.com/get-api-key/

Please provide your E-mail address and YubiKey OTP and click on the "Generate API Key" button. This will generate a new id parameter and API Key for your use.

We hope this helps!

I see that it mentions auth_id in the read me but it doesn't explain where that number came from. I apologize if its right in front of me I'm pretty new to all this.

You can create your own auth_id using the Yubico API Key generator which is available at the link given below:

https://api.yubico.com/get-api-key/

Please provide your E-mail address and YubiKey OTP and click on the "Generate API Key" button. This will generate a new id parameter (which is auth_id) and API Key for your use.

We hope this helps!

thanks I got it

so new questions arise from this


1) what does the auth_id do

2) if i made a program that reqired a yubikey would i need to create a individual auth_ID for each one?

Please find answers to your questions as follows:

1) what does the auth_id do

Answer:

There are two ways to secure the OTP validation communication (request and response). The first is to use HTTPS based secure communication channel to exchange the OTP Validation request and response. The other is to authenticate the request and response with (an optional) parameter h which is the HMAC SHA1 hash generated using the shared secret Key to sign the OTP validation request and response message.

Using this h parameter, a client (i.e. an application/service making the validation request to the Yubico OTP validation server) can be sure that the response is coming from the Yubico OTP validation and has not been tampered.

To generate this h parameter a shared secret Key (referred henceforth as API Key) is used. This API Key is associated with an ID (API ID/auth_id) on the Yubico OTP validation server.

If the h parameter is present in the OTP validation request, i.e. the client has signed the request using the API Key, then at the OTP validation server the id parameter is used to extract the corresponding API Key from the database and the HMAC SHA1 hash is computed on the OTP validation request. The server generated hash is compared with the h parameter present in the OTP validation request to validate the authenticity of the OTP validation request.

Therefore, if you are using the h parameter in the OTP validation request, you need to use your corresponding API ID in the OTP validation request.

The OTP validation server always sends the h parameter in the OTP validation response. This h parameter is generated by signing the OTP validation response using the shared secret Key associated with the id in the validation request. At the client side, HMAC SHA1 hash is computed on the OTP validation response using the API Key configured on the client side (the way of configuring this on the client will be client specific). The client generated h parameter is compared with the h parameter present in the OTP validation response to validate the authenticity of the OTP validation response.

2) if i made a program that reqired a yubikey would i need to create a individual auth_ID for each one?

Answer:

You should always use a same API ID for all of your YubiKeys. There is no need to generate a different API ID for each YubiKey. The API ID concept is designed to use an API ID per site / application / service and not per YubiKey.

Let’s take an example. You have developed a web application and integrated YubiKey based strong authentication in to your web application. You are using the online Yubico OTP validation server for OTP validation and you want to use the h parameter in the OTP validation request for authenticating the validation requests and responses. Your users are using YubiKey OTP for authentication along with traditional username and password.

Now all user authentication requests will be handled by your web application. Your web application will validate the username and password and will send the OTP to the online Yubico OTP validation server by forming the OTP validation requests for every OTP received from the users. Here, your web application acts as a client to the Yubico OTP validation server.

As the web application is sending the OTP to the validation server and not the user, there is no need to create separate API ID and API Key for every YubiKey you own. You should create and use only one API ID and API Key pair for all of your YubiKeys.

We hope this helps!

cool

thanks the c# example does not implement this feature I will look into it and see if i can implement it.

so basically

My api key (the long string) + the returned H value should combine in some fashion to return my auth-id code?


what about t= do i need to know anything about that?

We are assuming that you are asking about how to generate the HMAC HASH i.e h parameter at client side and compare it with the h parameter sent as a response from the OTP validation server.

The instructions for generating and comparing the h parameter is available at the following links:

http://www.yubico.com/developers/api/#generate_sig

http://www.yubico.com/developers/api/ (Protocol Specification section)

The t parameter present in OTP validation response is the timestamp in UTC at the server side when the OTP is validated. This parameter is not related with HMAC HASH generation/compare functionality.

We hope this helps!

I'm still working on this but am i to understand correctly that checking the hash is not nesscary from a security point of view if the api url is just switched to https?