Yubico Forum

Posted: Sat Mar 19, 2016 6:38 pm
Joined: Sat Mar 19, 2016 5:21 pm
Posts: 2
I have set up gpg on Fedora 23 to use a YubiKey 4 (4.2.7).

It is working and `gpg2 --card-edit` shows the keys as `ssb>`. Entering `echo a | gpg2 -e | gpg2` for the first time after inserting the YubiKey requires the PIN to be entered; issuing the command a second time does not, which is expected.

Trying it without the key results in `gpg: public key decryption failed: Card error`, which should mean that gpg does indeed use the YubiKey.

But when the key is inserted and a wrong PIN is entered, `gpg --card-status` still shows a retry counter of 3 0 3. Issuing `gpg-connect-agent --hex "scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40" /bye` as suggested by https://developers.yubico.com/ykneo-openpgp/ResetApplet.html results in a count of 2 0 3.

I used https://developers.yubico.com/PGP/Card_edit.html to require touch on all gpg actions and enabled forcesig.

Unrelated to that, I have a few other questions.

I saw mentions of a PUK / reset code but no clear descriptions. Is there a default reset code which could circumvent my PIN/Admin PIN, or is it only activated with `gpg2 --card-edit`, `passwd`, `set Reset Code`?

After using gpg the YubiKey LED glows permanently and the invert LED flag seems to have no effect. Am I doing something wrong, or is it not possible to change?


A question I wish would be in the FAQ.

What are irreversible actions:
  1. Slot 1 contains an OTP with a cc ID which cannot be recovered; a new one with a vv ID can be generated, but there might be services which require a cc ID.
  2. When the gpg PINs are entered wrongly 3 times the gpg keys become inaccessible. But it is possible to reset the counter, which deletes the current keys.
  3. When an access code is set there is no way to reset it when it is lost (is there a counter similar to gpg, or would it be possible to brute force it?).
  4. When a slot is set without updating enabled, its settings can't be changed without also setting a new secret (when dormant and no update is set, does the slot become unusable until a new secret is set?).

Did I miss something irreversible?


Last edited by ssendev on Tue Mar 22, 2016 11:36 am, edited 2 times in total.

Posted: Tue Mar 22, 2016 1:09 am
Yubico Team
Joined: Thu Oct 16, 2014 3:44 pm
Posts: 349
Just a thought, but if you enter a PIN that doesn't meet the minimum requirements (must be at least 6 characters, Admin PIN must be at least 8 characters), it won't count as a failed PIN attempt.

OpenPGP on the YubiKey 4 and the YubiKey NEO has a PIN and an Admin PIN. If you lock out the PIN, you can still reset the PIN by providing the Admin PIN (12345678, by default). It's similar to PIN/PUK with PIV, if you're familiar.

The YubiKey 4 has no knowledge of "invert LED."

1) The Personalization Tool has a warning when attempting to overwrite slot 1 that it contains a Yubico OTP credential and the action cannot be undone. Salesforce is the only service that currently accepts Yubico OTP but doesn't accept "vv" credentials.
2) If the Admin PIN is locked, yes, that is correct. The OpenPGP applet follows these standards - http://g10code.com/docs/openpgp-card-2.0.pdf
3) There is no counter, so yes it's possible to brute force it. When an access code is set, this is written to the configuration log file that is automatically generated by the Personalization Tool.
4) That is correct, the flag has to be set initially when programming a credential.

Posted: Tue Mar 22, 2016 11:35 am
Joined: Sat Mar 19, 2016 5:21 pm
Posts: 2
OK, that was the problem. Interesting.

The PDF you linked explained the reset code. For the future reader: it can be used instead of the Admin PIN to reset the PIN, e.g. in cases where a company issues the keys and doesn't provide the Admin PIN to the user. By default the reset code has a count of 0, so it can't be used. It's the middle counter, hence it's 3 0 3.

What a pity. I would have liked to disable the LED (that includes the flash every 8 seconds) except for the flashing when a touch is required. Like it is now, it draws a lot of attention to the YubiKey Nano. Maybe it's possible with a future YubiKey. Oh, and while I am dreaming, it would be nice if different actions like sign, decrypt, authenticate and U2F could use different LED colors / flash patterns.
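The thread's "3 0 3" line is the PW1 / Resetting Code / PW3 retry counters from the OpenPGP card spec. The following helper is an added example, not code from the thread or from Yubico: it parses that line out of a constructed `gpg --card-status` sample (reader name and serial are made up), reports which PIN is blocked or running low, and encodes the minimum-length rule from the reply above (a too-short PIN is rejected before it costs a retry).

```python
import re
from typing import NamedTuple


class RetryCounters(NamedTuple):
    """The three values of 'PIN retry counter : a b c' in gpg --card-status."""
    pin: int         # PW1, the user PIN used for signing/decryption
    reset_code: int  # Resetting Code (RC); 0 means no reset code is set
    admin_pin: int   # PW3, the Admin PIN


# Constructed sample of `gpg --card-status` output (reader name and serial made up).
SAMPLE_CARD_STATUS = """\
Reader ...........: Yubico Yubikey 4 OTP U2F CCID 00 00
Application ID ...: D2760001240102010006000000000000
Version ..........: 2.1
PIN retry counter : 3 0 3
Signature counter : 0
"""

_COUNTER_RE = re.compile(r"^PIN retry counter\s*:\s*(\d+)\s+(\d+)\s+(\d+)\s*$", re.MULTILINE)


def parse_retry_counters(card_status: str) -> RetryCounters:
    """Extract the PW1 / RC / PW3 retry counters from card-status output."""
    m = _COUNTER_RE.search(card_status)
    if m is None:
        raise ValueError("no 'PIN retry counter' line in card status output")
    return RetryCounters(*(int(g) for g in m.groups()))


def assess(c: RetryCounters) -> list[str]:
    """Turn the counters into findings an operator would act on."""
    findings = []
    if c.pin == 0:
        findings.append("PIN blocked: unblock with the Admin PIN or the reset code")
    elif c.pin < 3:
        findings.append(f"PIN has {c.pin} attempt(s) left")
    if c.reset_code == 0:
        findings.append("no reset code set: only the Admin PIN can unblock the PIN")
    if c.admin_pin == 0:
        findings.append("Admin PIN blocked: only an applet reset remains, which deletes the keys")
    elif c.admin_pin < 3:
        findings.append(f"Admin PIN has {c.admin_pin} attempt(s) left")
    return findings


def pin_meets_minimum(pin: str, admin: bool = False) -> bool:
    """Per the reply above: a PIN below the minimum length (6, Admin PIN 8) is
    rejected before it reaches the card, so it does not consume a retry."""
    return len(pin) >= (8 if admin else 6)
```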
