Yubico Forum https://forum.yubico.com/

Validation Protocol Version 2.0 - HMAC-SHA1 signature https://forum.yubico.com/viewtopic.php?f=3&t=1318

Author: raj [ Wed Feb 19, 2014 9:42 am ]
Post subject: Validation Protocol Version 2.0 - HMAC-SHA1 signature

I got the protocol working pretty first, so that's all good. But for increased security, we'd like to add the 'h' parameter to the url, but no matter what I try, I always get the response "BAD_SIGNATURE".

As for now, I am using this site to generate the signature: https://quickhash.com/
Algorithm is SHA1 with "Use HMAC Method?" checked and output set to Base64. The HMAC key I use is the 'Secret Key' I get from https://upgrade.yubico.com/getapikey/. The id parameter in the url is also from the /getapikey site.

If I input this in the quickhash input box:

id=15401&nonce=askjdnkajsndjkasndkjsnad&otp=ccccccdbrldiifthrjbbjlvgkcguceiheninhbubtgil

And then click generate I get this output:

by7jCdAlZI1osGspmzHIGQEjnZ4=

So I go to this url:

http://api.yubico.com/wsapi/2.0/verify? ... HIGQEjnZ4=

And get this response:

h=vA0nh/B/o/NqgjbaTiwFdP7QBFU=
t=2014-02-19T08:39:59Z0949
status=BAD_SIGNATURE

Any and all help would be appreciated!

Author: Tom [ Wed Feb 19, 2014 1:28 pm ]
Post subject: Re: Validation Protocol Version 2.0 - HMAC-SHA1 signature

The protocol uses HMAC-SHA-1 signatures. The HMAC key to use is the client API key.

Generate the signature over the parameters in the message. Each message contains a set of key/value pairs, and the signature is always over the entire set (excluding the signature itself), and sorted in alphabetical order of the keys. More precisely, to generate a message signature do:

1- Alphabetically sort the set of key/value pairs by key order.
2- Construct a single line with each ordered key/value pair concatenated using '&', and each key and value concatenated with '='. Do not add any linebreaks. Do not add whitespace. For example: `a=2&b=1&c=3`.
3- Apply the HMAC-SHA-1 algorithm on the line as an octet string using the API key as key.
4- Base 64 encode the resulting value according to RFC 4648, for example, `t2ZMtKeValdA+H0jVpj3LIichn4=`.
5- Append the value under key 'h' to the message.

Author: raj [ Wed Feb 19, 2014 1:35 pm ]
Post subject: Re: Validation Protocol Version 2.0 - HMAC-SHA1 signature

While being thankful for your reply, I'm afraid that I cannot use it for anything, since I've already read the guide from where you copy/pasted the steps. I followed every step the best I could, but still nothing.

Author: Klas [ Tue Mar 04, 2014 10:19 am ]
Post subject: Re: Validation Protocol Version 2.0 - HMAC-SHA1 signature

Hello,

That site isn't doing base64 decoding of your key..

Let's do a little example..
We're using id 15618 and key Eibja2kRFXXoW6hjZaiyBtWnCBA=

With the string

id=15618&nonce=0102030405060708090a0b0c0d0e0f&otp=ccccccbteuddjivcnlfefefrccdcjrfjfvgjnfkcklge

quickhash.com gives us XsQI1OJZ+R0KsAokpdAAhHQQavQ= but the correct signature is Jt19GpDOAraTYRFBHSofYZFEwjE=

https://api.yubico.com/wsapi/verify/2.0 ... ofYZFEwjE=
https://api.yubico.com/wsapi/verify/2.0 ... AAhHQQavQ=

and finally some perl code:

Code:
    #!/usr/bin/perl
    use strict;
    use warnings;
    use Digest::SHA qw(hmac_sha1);
    use MIME::Base64;

    # The API key is base64; decode it to raw bytes before using it as the HMAC key.
    my $key = decode_base64("Eibja2kRFXXoW6hjZaiyBtWnCBA=");
    my $string = "id=15618&nonce=0102030405060708090a0b0c0d0e0f&otp=ccccccbteuddjivcnlfefefrccdcjrfjfvgjnfkcklge";
    # Pass "" as the line ending so encode_base64 does not append a newline to the signature.
    my $sig = encode_base64(hmac_sha1($string, $key), "");
    $string .= "&h=$sig";
    warn "$string\n";

/klas
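
The signing steps Tom lists and the key-decoding point Klas makes, as an added Python example that is not part of any forum post or of Yubico's code. The request values are the ones in Klas's post, the response body is constructed, and the function names are illustrative; it goes slightly beyond the thread by also checking the `h` value on a response with the same rule (signature over every pair except `h`).

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode

# Values taken from Klas's post above (id 15618 and its API key).
API_KEY_B64 = "Eibja2kRFXXoW6hjZaiyBtWnCBA="
REQUEST = {
    "id": "15618",
    "nonce": "0102030405060708090a0b0c0d0e0f",
    "otp": "ccccccbteuddjivcnlfefefrccdcjrfjfvgjnfkcklge",
}


def sign(params, api_key_b64):
    """Sort by key, join as k=v with '&', HMAC-SHA1 under the decoded key, base64."""
    key = base64.b64decode(api_key_b64, validate=True)  # the step quickhash skipped
    line = "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "h")
    digest = hmac.new(key, line.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def signed_query(params, api_key_b64):
    """Query string with 'h' appended; signing uses raw values, and only the
    final URL is percent-encoded so '+', '/' and '=' in 'h' survive transport."""
    return urlencode({**params, "h": sign(params, api_key_b64)})


def response_signature_ok(body, api_key_b64):
    """Check the 'h' line of a key=value response over all other fields."""
    fields = {}
    for raw in body.splitlines():
        if "=" in raw:
            k, v = raw.strip().split("=", 1)  # base64 values contain '='
            fields[k] = v
    expected = sign(fields, api_key_b64)
    return hmac.compare_digest(fields.get("h", ""), expected)  # constant-time


if __name__ == "__main__":
    print("h =", sign(REQUEST, API_KEY_B64))  # compare with the value Klas gives
    print(signed_query(REQUEST, API_KEY_B64))
    # Constructed response (not real server output), signed with the same key.
    reply = {"status": "OK", "t": "2014-03-04T09:19:00Z0123", "nonce": REQUEST["nonce"]}
    body = "\r\n".join(f"{k}={v}" for k, v in reply.items())
    body += "\r\nh=" + sign(reply, API_KEY_B64)
    print(response_signature_ok(body, API_KEY_B64))  # True
    tampered = body.replace("status=OK", "status=REPLAYED_OTP")
    print(response_signature_ok(tampered, API_KEY_B64))  # False
```
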

All times are UTC + 1 hour