Yubico Forum

All times are UTC + 1 hour




Posted: Mon Aug 03, 2009 7:24 pm

Joined: Mon Aug 03, 2009 7:16 pm
Posts: 4
Hello!

I have got two v2 keys, started to program one of them. I added a second profile - static password, and it works.

Then I overwrote 1st config with something I thought was very clever at that moment, and now I cannot get this key to work with anything - I tried Yubico demo OpenID server, Yubico forums, Clavid's server. I tried many combinations of public/private IDs, fixed/increment/random, different sizes - but I cannot get my key to be recognized. It does not return cccccc... now.

Thankfully, I kept my second key unchanged, and using it I was able to join this forum.

Please help me to reconfigure my key back to normal. What are the standard parameters?

Confused, lost,
Alex.


Posted: Tue Aug 04, 2009 7:50 am
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
Please note that, by re-initializing your YubiKey (either by manually programming a new AES key in the YubiKey or programming the YubiKey for static PW), you will lose ALL abilities to use that particular YubiKey against Yubico online servers - validation server, YubiKey management service, Yubico forum, demo server, OpenID server and so on. You are advised to consider using separate YubiKeys for use in Static Password Mode or for development and testing purposes.


Posted: Tue Aug 04, 2009 1:57 pm

Joined: Mon Aug 03, 2009 7:16 pm
Posts: 4
Does it mean I killed one of my keys? Can I reprogram it back to Yubico AES key? Isn't Yubico AES key built in the config utility?

How do I use your config utility to add config1 protection against reprogramming, let's say, and not destroy that key's compatibility with Yubico servers? I don't see how.

Is it safe to add a second config (static PW) for my working key? Will config1 still work with Yubico servers?

Thanks,
Alex.


Posted: Tue Aug 04, 2009 5:38 pm

Joined: Fri Jun 19, 2009 6:06 pm
Posts: 31
alex2yub wrote:
Does it mean I killed one of my keys?

No, in as far as I can tell from what you posted here, your key is all right.

alex2yub wrote:
Can I reprogram it back to Yubico AES key?

Yes you can, but either you need to create your own key and upload it to the Yubico server - see http://yubico.com/developers/aeskeys/ - or you need to retrieve the original AES key from Yubico. The latter may prove to be a bit difficult, as Yubico used to require 2 Yubikey generated OTPs + some proof of purchase of the key. There seems to be a better way now, please read viewtopic.php?f=5&t=108&p=503#p503

On my keys they fixed a little label, that contains a barcode and a number. They uniquely identify your key, so Yubico probably will be able to retrieve your secret. However, you need to prove your identity to them (CAcert?) perhaps you still have a proof of purchase, perhaps Yubico maintains records of which keys they shipped to whom. It all depends on their willingness to compromise security :shock:

alex2yub wrote:
Isn't Yubico AES key built in the config utility?

No, it is not. The AES key is available to the party that programmed the key; for a default key that would be Yubico. If you program your own key, you are the only party that has the key.

alex2yub wrote:
How do I use your config utility to add config1 protection against reprogramming, let say, and not destroy that key's compatibility with Yubico servers? I don't see how.

I hadn't thought of it but yes, that's an interesting question: can you add password protection to a key WITHOUT reprogramming it? I don't know, but perhaps one of the Yubico people can answer this?

alex2yub wrote:
Is it safe to add a second config (static PW) for my working key? Will config1 still work with Yubico servers?

Same answer as to the last question.. :mrgreen:


Posted: Tue Aug 04, 2009 7:08 pm

Joined: Mon Aug 03, 2009 7:16 pm
Posts: 4
Thanks, fortean! Looks like I've got a rocky start with Yubikeys... ;-)

fortean wrote:
alex2yub wrote:
Does it mean I killed one of my keys?

No, in as far as I can tell from what you posted here, your key is all right.

alex2yub wrote:
Can I reprogram it back to Yubico AES key?

Yes you can, but either you need to create your own key and upload it to the Yubico server - see http://yubico.com/developers/aeskeys/ - or you need to retrieve the original AES key from Yubico.


Isn't it the same result in the end - my key will work with Yubico servers? If yes, I'd better upload my new key myself, the web page seems simple.

EDIT: Hm... Got "OTP prefix mismatch" error on that page... Not sure what to do now.


Posted: Wed Aug 05, 2009 2:50 pm

Joined: Fri Jun 19, 2009 6:06 pm
Posts: 31
alex2yub wrote:
Hm... Got "OTP prefix mismatch" error on that page... Not sure what to do now.


If you reprogram your key and want to register it with Yubico, you'll need to make sure the public identifier of your key starts with 0xFF. You can check if you did all right by pressing your reprogrammed Yubikey and checking the FIRST 2 characters; they should be 'vv'.


Posted: Wed Aug 05, 2009 4:59 pm

Joined: Mon Aug 03, 2009 7:16 pm
Posts: 4
fortean wrote:
alex2yub wrote:
Hm... Got "OTP prefix mismatch" error on that page... Not sure what to do now.


If you reprogram your key and want to register it with Yubico, you'll need to make sure the public identifier of your key starts with 0xFF. You can check if you did all right by pressing your reprogrammed Yubikey and checking the FIRST 2 characters; they should be 'vv'.


THANKS! Got it all working again.


Posted: Mon Aug 10, 2009 6:31 pm

Joined: Mon Aug 10, 2009 4:23 pm
Posts: 1
I've got everything worked out except I'm getting two errors. Identity must be 12 characters long (Internal Identity), where do I find this Identity or where do I set it in the personalization software? Also getting Identity in OTP does not match (OTP from the YubiKey), assuming this is because of the Internal Identity issue. Thanks for the help.


Posted: Tue Aug 11, 2009 11:40 am

Joined: Fri Jun 19, 2009 6:06 pm
Posts: 31
mrwags5 wrote:
I've got everything worked out except I'm getting two errors. Identity must be 12 characters long (Internal Identity), where do I find this Identity or where do I set it in the personalization software? Also getting Identity in OTP does not match (OTP from the YubiKey), assuming this is because of the Internal Identity issue. Thanks for the help.


If you want to find out the secret identity of a Yubico default key, you'll need its AES secret. You remove the public identifier from the OTP (first 12 characters, which represent your 6 bytes public ID) and decode the remaining 32 characters (de-modhex them and run the resulting bytes through some AES-128 decoder). The first 6 bytes of the decoded string will be the secret ID.

If you have programmed your key yourself, you already know the secret ID :mrgreen:

I am not capable enough to work with MS Windows, alas, so I'll manage with Linux. It has the ykpersonalize tool and you can use the -ouid=..... option to program your secret id.


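The decoding steps from the post above, together with the 'vv' / 0xFF prefix check from the earlier reply, as an added example that is not part of the thread or Yubico's own code. It treats everything before the last 32 characters as the public ID (a slight generalization of "first 12 characters"); the CRC check, the function names and the sample OTP are additions here, and the AES-128 decryption itself is assumed to be done separately with the key's AES secret.

```python
# Added example, not code from the thread. MODHEX replaces the hex digits
# 0-f with letters that sit on the same keys in most keyboard layouts.
MODHEX, HEX = "cbdefghijklnrtuv", "0123456789abcdef"

def modhex_decode(s: str) -> bytes:
    """De-modhex a string into raw bytes."""
    if len(s) % 2 or set(s) - set(MODHEX):
        raise ValueError("not a modhex string")
    return bytes.fromhex(s.translate(str.maketrans(MODHEX, HEX)))

def modhex_encode(b: bytes) -> str:
    return b.hex().translate(str.maketrans(HEX, MODHEX))

def split_otp(otp: str):
    """Return (public_id, ciphertext). The last 32 characters are one
    16-byte AES-128 block; whatever precedes them is the public ID
    (12 characters = 6 bytes on the keys discussed in the thread)."""
    if len(otp) < 32:
        raise ValueError("OTP shorter than one encrypted block")
    return modhex_decode(otp[:-32]), modhex_decode(otp[-32:])

def has_ff_prefix(public_id: bytes) -> bool:
    """True when the public ID starts with 0xFF, i.e. the OTP starts 'vv'."""
    return public_id[:1] == b"\xff"

def crc16(data: bytes) -> int:
    """CRC-16 (polynomial 0x8408, initial value 0xFFFF) as used in the OTP."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def secret_id(plaintext: bytes) -> bytes:
    """Take the block after AES-128 decryption (done with the key's AES
    secret, outside this example) and return its first 6 bytes. The CRC
    over all 16 bytes must leave 0xF0B8; a wrong AES key fails here."""
    if len(plaintext) != 16 or crc16(plaintext) != 0xF0B8:
        raise ValueError("CRC mismatch: wrong AES key or damaged OTP")
    return plaintext[:6]

# Constructed sample OTP: public ID ff0000000001 plus a dummy 16-byte block.
SAMPLE_OTP = "vvcccccccccb" + "cbdefghijklnrtuv" * 2
PUBLIC_ID, CIPHERTEXT = split_otp(SAMPLE_OTP)
```

Without the AES secret only `PUBLIC_ID` is readable from an OTP; `secret_id` is useful only to the party that programmed the key.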
Posted: Tue Aug 11, 2009 12:30 pm
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
You can use the YubiKey Configuration Utility 2.00.1 to program the Internal Identity for the YubiKey. The "private identity" in the Configuration Utility is the Internal Identity for the YubiKey. The YubiKey Configuration Utility 2.00.1 and user guide can be downloaded from the following link:

http://www.yubico.com/developers/personalization/

We hope this helps!

