Yubico Forum


All times are UTC + 1 hour




Posted: Mon Feb 25, 2013 5:56 pm

Joined: Mon Feb 25, 2013 5:27 pm
Posts: 6
Hello:

I have an older (Firmware 2.1.3) Yubikey that has a static password in Slot 2 that exceeds 38 characters, and was configured with the Yubikey Configuration Utility version that was available when I first received the Yubikey. This set-up has always worked, and serves my needs well.

This week I received my Yubikey Neo (Firmware 3.0.2), and I want to have the same static password in Slot 2 as my original Yubikey. However, the Configuration Utility (Updated to Version 2.2.8) does not appear to recognize the Neo, calling for the Neo to be inserted into a USB port after "Run" is clicked, having filled the Fixed Input 32 - 64 with my Static Password. I've tried having the Neo plugged in before, and after I've started the Configuration Utility, with the same negative results.

I have also tried installing my static password using the Static Password tab in the Yubikey Personalization Tool (Version 3.1.6, Library 1.11.3) which states that static passwords cannot exceed 38 characters for firmware 2.2, and 16 characters for firmware 2.0 and 2.1, but there is no mention of firmware 3 or the Neo.

My confusion is that according to the Yubikey Configuration Utility, static passwords can encompass 32 - 64 characters using the Fixed Input field, and this clearly works using my original Yubikey. Yet the Configuration Utility does not seem to work with my Neo, and thus I'm forced to the Personalization Tool which, if I'm using the correct procedure, limits static passwords to a maximum of 32 characters (assuming it recognizes version 3 despite no mention of it), which does not suit my needs, and would be an unexpected limitation of the Neo. Moving to a shorter static password is not a solution in my circumstance.

I've read the manual, and searched the web with no success. Am I doing something wrong?

Thanks,
Steve


Posted: Tue Feb 26, 2013 8:49 am
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
Are you using the cross-platform tools? You should use only this tool for the NEO; download it here:
http://www.yubico.com/wp-content/upload ... -3.1.6.exe

The static password limit is 64 characters, so yes, you can set it to 38 on the NEO.
For scan-codes the limit is 38 for firmware 2.2+.

_________________
-Tom


Posted: Tue Feb 26, 2013 5:40 pm

Joined: Mon Feb 25, 2013 5:27 pm
Posts: 6
Thanks for the reply, but it appears I may not have explained myself well as you are asking if I'm using the Yubikey Personalization Tool, and are telling me I can set my static password to 38 characters.

1) Yes, I am using version 3.1.6 of the Yubikey Personalization Tool (with the library version as noted in my original post); and

2) I'm trying to exceed 38 characters, which the Personalization Tool states is the limit, but less than the 64 characters you mention, and which previous versions readily accepted.

Here are the steps I have taken:

a) I have "dumped" the static password from slot 2 of my original Yubikey into a raw ASCII text file, then copied and pasted that (between 38 - 64 characters in length) ASCII string into the Password field of the Static Password tab of the Yubikey Personalization Tool.

b) I clicked on Write Configuration and received the error message, "YubiKey could not be configured. Perhaps protected with configuration protection access code?"

c) To verify the Neo is not protected, I reduced the string to less than 38 characters, then I clicked the Write Configuration, and the static password was accepted.

These steps were done under the Static Password, Scan Code tab of the Yubikey Personalization Tool, as the Advanced tab does not appear to have any field that is user fillable for a static password.

This leads me to believe that either the Personalization Tool software cannot accept static passwords 38 - 64 characters in length in the Password field, or I'm doing something wrong. All of the notations beside each relevant field speak to a 16 or 38 character maximum length dependent on the Yubikey firmware version. Nowhere is the Neo or firmware version 3 mentioned, however.

I've tried resolving this issue on my own having read the manual and searched the web, but I'm unable to discover what I'm doing wrong.

Thanks again, and I hope I've explained my situation better this time.

Steve


Posted: Wed Feb 27, 2013 8:54 am
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
You have two options:


mode :mrgreen:
Reprogram both your Yubikeys. Generate a password, press write - insert the second Yubikey press write - done.

mode :-(
If you want to keep the same password you have, you have to keep it short. You cannot write more than 38 characters for the scancode password.

* Output the password from the old Yubikey.
* Copy it.
* Open the cross-platform personalization tool (latest version).
* Go to the static-password tab and select scancode.
* Paste the password in the password field.
* Write the configuration in the RIGHT slot.

_________________
-Tom


Posted: Wed Feb 27, 2013 5:23 pm

Joined: Mon Feb 25, 2013 5:27 pm
Posts: 6
Hi Tom:

Option one is not an option for me - it would create great difficulty and effort to alter the device requiring my established static password, which my old Yubikey works well with.

Option two, also doesn't work for me as stated in my original post - I do not want to "keep" my static password "short" at 38 characters or less, and as my current password exceeds that, it would basically force me back to option one. Hence I cannot copy and paste my static password as you suggest, and I've already stated doesn't work for over 38 characters.

It appears that you are only breezing over my questions, as you are asking questions or making statements which I have already qualified, which adds to my frustration. If I have not explained myself well, then I apologize.

I bought the Neo on the understanding that Yubico maintained backwards compatibility, but this clearly is not the case as you have stated I cannot keep my original password from my old Yubikey. Yet the Yubikey Configuration Utility which appears incompatible with the Neo, allows manual inputting of static passwords between 38 - 64 characters, while the new Yubikey Personalization Tool only allows up to 38 character manual inputting of static passwords.

Is this a limitation that Yubico can overcome with a revision to the Personalization Tool or by making the Configuration Utility compatible with the Neo? If so, and it can be done in the immediate future, I'll wait. Otherwise the Neo's limitations with backward compatibility and static passwords are a deal breaker for me, as now I have to use two Yubikeys when one should have worked.

I am just a one man show, and I would hate to be a large company using multiple Yubikeys, facing the situation where an existing static password could not be moved across to a new Yubikey as part of an upgrade process.

Please advise, thank you.

Steve


Posted: Wed Mar 06, 2013 7:01 am

Joined: Mon Feb 25, 2013 5:27 pm
Posts: 6
Can anyone from Yubico answer my previous questions regarding if there are any plans to modify the software to provide full backward compatibility with full length static passwords?

Thanks,
Steve


Posted: Wed Mar 06, 2013 9:48 am
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
Steve,
We are sorry, but you cannot achieve what you are doing because you do not know the secret key and private id that you used on the first key.
Anyway, it seems that the utility is misleading, but it is documented in the PDF. The configuration utility uses the 38-64 characters as part of a function to derive the password.

"In static mode, the OTP generation algorithm is the same, but all dynamic fields are set to fixed values"

http://www.yubico.com/wp-content/upload ... s-v2.2.pdf

_________________
-Tom


Posted: Wed Mar 06, 2013 6:53 pm

Joined: Mon Feb 25, 2013 5:27 pm
Posts: 6
Thanks Tom for getting back to me.

I reviewed the documentation link you provided, Yubikey Configuration Utility ver. 2.2, which on page 27 states:

Fixed input
In settings where input has been created by an external tool, a complete hexadecimal string can be pasted in here. The input will be automatically adjusted into the fixed and key fields.


This is the precise scenario that I'm trying to achieve (Fixed Input 32-64), and it appears that it does not require a Secret Key or Private ID based on my read of the Fixed Input documentation you provided, and the Programming Page of the Configuration Utility itself. As stated previously in my posts, the Configuration Utility, however, appears to be incompatible with the Neo. In those previous posts I've related which software version I was using, and I believe that it is the most current version as it is v. 2.2.8.

I've tried using the Configuration Utility to create even a short Fixed Input password, and the Configuration Utility does not write any of the efforts after clicking the Run button on the Programming Page; the Run button stays "depressed" indefinitely, never responding "Passed" or "Failed". However, the Configuration Utility will still respond to Back etc., suggesting it has not crashed per se.

Perhaps someone at Yubico could try configuring the Neo using the Configuration Utility to create a Fixed Input static password, to see if it works. This would confirm either that I'm doing something wrong, or the Configuration Utility is not compatible with the Neo. Is there another level of Tech Support that is available to review this please?

Thank you once again,
Steve


Posted: Tue Mar 12, 2013 2:05 pm
Site Admin

Joined: Thu Apr 19, 2012 1:45 pm
Posts: 148
Hello.

I'll try to answer your concerns. I might get a bit technical, so ask away if I gloss over something. Hopefully I'll make things clearer and not more confused.

You're quite correct that the Windows configuration utility does not support the NEO; however, all functionality from it is possible to achieve with the cross platform tool.
Also, the YubiKey NEO is completely backwards compatible with the standard YubiKey for the static password feature.

The YubiKey has two modes for static password:
The first being the "standard" static password, 16-64 characters. This is achieved by running it in a "static OTP" fashion, where the counters, random and timer values are all set to static values, so the same "OTP" is generated every time with the AES key. To achieve more than 32 characters the public id is used, so the last 32 characters of the static password come from the encryption function and everything before that comes from the public id part.
The second mode is the so called "scan code mode", supporting 1-38 character passwords. In this mode the raw contents of the public id, the internal id and the key are sent as USB scan codes.

So unfortunately there is no way to program a YubiKey with a known password longer than 38 characters, unless you know the AES key that was used to generate that static password to begin with.

/klas


Posted: Wed Mar 13, 2013 3:58 pm

Joined: Mon Feb 25, 2013 5:27 pm
Posts: 6
Thank you, Klas; your explanation makes sense. Disappointing, but now I get it.

Steve

