Yubico Forum

I got 2 Yubikeys... One is my production key, and I wanted to use the other as the static password one, then I discovered that the firmware is too old, and it does not support static password. Now that Yubikey is "bricked". It is returning a string that is not valid (though it's changing after every key press), but Yubico is not accepting it.

Is there a way you can issue me a new AES key for this device, so I can fix it with the personalization tool?

Thanks!
Phil Massyn

Hi Phil,

The YubiKey can be reprogrammed from the "One Time Password" mode to the "Static Password" mode and vice-versa.
Please note that after reprogramming, all the YubiKey counters are reset to zero. The OTP generated from the YubiKey after reprogramming can not be validated against the live Yubico Validation server even though the YubiKey is again reprogrammed with the original/new YubiKey ID and the AES key stored in the Yubico Validation server database.

Feel free to write back to us in case you face any problems.

If that's the case, what's the purpose of being able to enter a YK and its parameters into the YMS?

I think the firmware is too old on this key. I wanted it to be a Static Password key, but only after I tried to change it I realized that it's not capable of static password use.

I do understand the counters are reset to zero, hence the reason I'd like to know if a new AES key can be generated at Yubico that I can enter into this broken key, to return it to original working condition.

Cheers

Phil

The current release of the Yubico Management Server does not have any mechanism to regenerate a AES key for the existing YubiKey. Yubico is planning to add this functionality in the next release of the Yubico Management server.

I managed to revive my key. With the AES key provided by Support to me a few months back, I've been able to reprogram it, and after inserting and ejecting the key quite a few times, it finally got recognized by Yubico's backend..

Happy happy!

CHeers

Phil

Something sounds weird about this post... First it can't be done and then it works after numerous retries.. Can we get an explanation as to what squence of events took place to reinstate the key. It all sounds insecure to me.

Thanks

Don't panic The Yubikey is still very much secure....

When I purchased my 2 YKs, I asked Yubico to provide me the AES keys for both of them. I had to have the AES keys to test my own Decrypter scripts. I simply used the AES key for my test key, and programmed it again.

This particular key wasn't used a lot, and since I've coded my own Yubikey Authentication server, I knew that the recurring count was the only variable to get right (ie the counter that increments every time you insert the key into the USB), that, and I had to have the AES key. The personalization tool actually blows away the counter.

The basic idea is this : If you have the AES key, you CAN spoof a Yubikey output. That's not rocket science. When purchasing a key from Yubico, they don't provide the AES key, unless you specifically ask for it, and you can prove you actually have the keys.