Yubico Forum
https://forum.yubico.com/

Firmware v1.3.0 question from user
https://forum.yubico.com/viewtopic.php?f=16&t=110
Page 1 of 1

Author:  Simon [ Wed Jun 18, 2008 4:30 pm ]
Post subject:  Firmware v1.3.0 question from user

We received this question in e-mail:

Quote:
With firmware version 1.3.0 will you be supporting both the one time
password and the locally authenticated login.

I see a device where for sites that you control or support the Yubikey only
the OTP is used and for other sites a 32-character string is used.
Is it necessary for the authentication server to support the static password
as it can only work for sites that support Yubikey?


The answer is that with firmware 1.3.0 each particular yubikey can be programmed to work in either static OTP mode, or in "normal" OTP mode. The yubikey doesn't know which site you visit, and in particular whether it supports real OTPs or not, so you can't use the same yubikey for both static OTPs and for normal OTPs. You can however use two different yubikeys, one that is static and works against all pre-yubikey-ified sites, and one dynamic that works against sites that call out to a server.

If an authentication server knows the AES key in your yubikey, it will be able to decrypt even static OTPs. However, the plaintext fields will be fixed (0xFF) so a normal server would reply REPLAYED_OTP after the first use. Servers could detect that the OTP is a static one and return a special error code, but we haven't seen a need for this yet.

I hope this answers the question.

/Simon

Author:  julian46 [ Wed Jul 09, 2008 11:29 pm ]
Post subject:  Re: Firmware v1.3.0 question from user

can the mode be switched after it is initially programmed? (from OTP to random and back)

Author:  olebakk [ Thu Jul 10, 2008 11:22 pm ]
Post subject:  Re: Firmware v1.3.0 question from user

I am also wondering about this. Static OTP could be very useful in quite a few cases.

Author:  paul [ Sat Jul 12, 2008 3:19 am ]
Post subject:  Re: Firmware v1.3.0 question from user

Please see here:

viewtopic.php?f=2&t=133&p=430#p430

Cheers

Author:  gherndon [ Tue Jul 15, 2008 8:58 pm ]
Post subject:  Re: Firmware v1.3.0 question from user

hi, i've been reading a bit about converting a 1.3 version key to STATIC passwd but my key is a version 1.1 key.

can i download a utility to upgrade my key? thanks in advance,

george

Author:  gherndon [ Thu Jul 17, 2008 5:20 pm ]
Post subject:  Re: Firmware v1.3.0 question from user

okay, i bought another key, a 1.3 firmware unit, and now have personalized it and changed the ykFlagProperty->ykFLAG_STATIC_TICKET per the instructions here: viewtopic.php?f=2&t=133&p=430#p430

i notice 2 changes in behavior for the yubikey. 1) the generated passwd is 32 chars instead of the original 44 and 2) the new static passwd doesn't have a CR appended to it (at least in my testing using notepad and textedit on my mac).

is this correct behavior? thanks in advance, george

Author:  Jakob [ Sat Jul 19, 2008 6:42 am ]
Post subject:  Re: Firmware v1.3.0 question from user

A series of relevant questions - we should have provided more primers on how to configure Yubikeys using our Windows configuration API. I'll return to this matter in a separate thread later on, but just a few initial points:

Pro primo - Remember that using the configuration API destroys the pre-configured static ID and the AES key. After a programming operation, the key won't work against our authentication server any more.

Pro secundo - remember that the code provided with the configuration component is sample code only. The plan was to make the code as clean as possible in order to describe the concept rather than messing it down with lots of logic. We'll provide a more polished "production like" app soon.

Pro tertio - Don't be concerned that people will be able to sabotage Yubikeys using the configuration component. Keys used in a production environment are usually provided with the configuration lock set.

Pro quarto - Don't forget the YubiKey Integrators' Guide PDF provided together with the component describing the overall programming model.


Now, let's go over to the question itself

The configuration component works by means of properties, which are all blank or false by default. The default state can be restored with the ykClear method.

Calling ykProgram without setting any of the parameters "kills" the Yubikey and puts it into an unconfigured state. This is indicated by the Yubikey LED flashing briefly every three seconds. Programming a valid configuration restores the LED to steady green.

The OTP part is 128 bits = 16 bytes = 32 modhex characters and that one is always sent. This means that if no static ID is set, only 32 characters will be sent. Our evaluation keys are programmed with a 6 byte static ID = 12 modhex characters. Together with the OTP, this equals 32 + 12 = 44 characters. The evaluation keys further have the ykFLAG_APPEND_CR flag set, which means that a trailing CR will be sent.

In order to configure a static OTP key with output in line with the evaluation keys, the following steps should be performed:

ykClear
ykStaticID = "010203040506"
ykFlagProperty(ykFLAG_APPEND_CR) = True
ykFlagProperty(ykFLAG_STATIC_TICKET) = True
ykProgram

The Yubikey shall now yield a 44 character static OTP which is cbcdcecfcgchncejelrjvjvvciclerknrlihnteljrcb


Hope this sorts out the open questions

Regards,

JakobE
Hardware- and firmware guy @ Yubico
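
Added example, not part of the original posts and not Yubico code: a Python sketch of how a relying service could split the typed output described above into static ID and 32-character OTP block, decode the modhex, and notice a repeated block (a replay, or a key programmed in static mode). The function and class names are assumptions made for this illustration; the sample string is the one quoted in the post above.

```python
MODHEX = "cbdefghijklnrtuv"   # modhex digit at index i stands for hex digit i
HEX = "0123456789abcdef"
_TO_HEX = str.maketrans(MODHEX, HEX)
_TO_MODHEX = str.maketrans(HEX, MODHEX)
OTP_CHARS = 32                # 128-bit OTP block = 16 bytes = 32 modhex chars


def modhex_encode(data: bytes) -> str:
    return data.hex().translate(_TO_MODHEX)


def modhex_decode(text: str) -> bytes:
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("not a valid modhex string")
    return bytes.fromhex(text.translate(_TO_HEX))


def split_output(typed: str):
    """Return (static_id_bytes, otp_block_bytes, had_cr) for one key press."""
    had_cr = typed.endswith(("\r", "\n"))   # present when ykFLAG_APPEND_CR is set
    token = typed.rstrip("\r\n")
    if len(token) < OTP_CHARS:
        raise ValueError("shorter than one 32-character OTP block")
    # The OTP block is always the last 32 characters; anything before it
    # is the static ID (empty when no static ID was programmed).
    static_id, otp = token[:-OTP_CHARS], token[-OTP_CHARS:]
    return modhex_decode(static_id), modhex_decode(otp), had_cr


class RepeatTracker:
    """Flags an OTP block already seen: a replay, or a key in static mode."""

    def __init__(self):
        self._seen = set()

    def is_repeat(self, typed: str) -> bool:
        static_id, otp, _ = split_output(typed)
        entry = (static_id, otp)
        repeat = entry in self._seen
        self._seen.add(entry)
        return repeat


# String quoted in the post above, plus the CR that ykFLAG_APPEND_CR appends.
SAMPLE = "cbcdcecfcgchncejelrjvjvvciclerknrlihnteljrcb\r"
```
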

All times are UTC + 1 hour