Yubico Forum
https://forum.yubico.com/

[SOLVED] OpenPGP app no longer accepts PIN after unblock
https://forum.yubico.com/viewtopic.php?f=26&t=1074
Page 1 of 1

Author:  hiviah [ Tue May 28, 2013 2:33 pm ]
Post subject:  [SOLVED] OpenPGP app no longer accepts PIN after unblock

Hi,

The OpenPGP applet on the Yubikey Neo no longer accepts the user PIN, and the PIN try counter won't decrease from 3 even if I enter a wrong PIN. It happened after unblocking the PIN once via "gpg --change-pin"; any operation requiring the user PIN, like signing, no longer works.

From "gpg --card-status" (gnupg 2.0.19 on Scientific Linux 6.4):

Code:
Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
Serial number ....: 00000001
Name of cardholder: NFCTest Yubikey
Language prefs ...: en
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 6
Signature key ....: EBE7 BBA6 0F98 FEC5 38A7  9AE5 D24B 3700 FE6A 4090
      created ....: 2013-05-23 09:07:45
Encryption key....: 912C A861 FCBC CC33 4A3C  84F4 9F28 C5C9 C031 CCB5
      created ....: 2013-05-23 09:07:45
Authentication key: 5874 40A4 D735 F0D4 FD88  492C 2A16 94A5 3DC1 DDD4
      created ....: 2013-05-23 09:07:45
General key info..: pub  2048R/FE6A4090 2013-05-23 Neokey <yubi@nowhere.cz>
sec>  2048R/FE6A4090  created: 2013-05-23  expires: 2015-05-23
                      card-no: 0000 00000001
ssb>  2048R/3DC1DDD4  created: 2013-05-23  expires: 2015-05-23
                      card-no: 0000 00000001
ssb>  2048R/C031CCB5  created: 2013-05-23  expires: 2015-05-23
                      card-no: 0000 00000001


Strangely enough, the admin PIN still works (the admin PIN try counter also works), e.g. I can change the name using admin commands. However, the user PIN still doesn't work even if changed/unblocked via 'gpg --change-pin', see below.

The result is the same whether using NFC or connecting via USB CCID. Sniffing and checking out some authentication APDUs, I pasted them from the pcscd log:

Authentication with user PIN (PW1) always fails:
Code:
APDU: 00 A4 04 00 06 D2 76 00 01 24 01  #select OpenPGP app - ok
SW: 90 00

APDU: 00 20 00 81 06 31 32 33 34 35 36 # user PIN fail, now always says there's 3 tries left, even if wrong PIN is supplied
SW: 63 C3


But admin PIN seems OK, it looks it will even let us change user PIN:
Code:
APDU: 00 A4 04 00 06 D2 76 00 01 24 01  #select OpenPGP app - ok
SW: 90 00

APDU: 00 20 00 83 08 31 32 33 34 35 36 37 38  #authenticate with admin PIN 12345678 - ok
SW: 90 00

APDU: 00 2C 02 81 06 31 32 33 34 35 36 # change/reset PIN (PW1) to 123456 - seems ok
SW: 90 00


But even after "changing the PIN", authentication with the user PIN still fails in the same way and returns SW 63 C3.
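The status words in the trace above can be decoded mechanically. The following Python is an added example, not code from the original post or from Yubico: it parses a trace in the same "APDU: / SW:" layout as the pcscd log (the sample trace is constructed, with the placeholder PIN digits from the post), decodes the ISO 7816 "63 Cx" retry status, and flags the symptom reported here, a retry counter that stays at the same value across consecutive failed VERIFYs.

```python
# Added example: decode a pcscd-style "APDU: / SW:" trace and flag a PW1 retry counter
# that never decreases (assumed log layout: one "APDU:" line followed by one "SW:" line).

# Constructed sample in the layout of the log in the post; the PIN bytes are the
# placeholder digits "123456" used there, not a real secret.
SAMPLE_TRACE = """\
APDU: 00 A4 04 00 06 D2 76 00 01 24 01  # select OpenPGP app
SW: 90 00
APDU: 00 20 00 81 06 31 32 33 34 35 36  # VERIFY PW1 with a wrong PIN
SW: 63 C3
APDU: 00 20 00 81 06 31 32 33 34 35 36  # same again: a healthy card answers 63 C2
SW: 63 C3
"""

def parse_trace(text):
    """Pair each APDU with the status word that follows it, as (bytes, int)."""
    pairs, pending = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if line.startswith("APDU:"):
            pending = bytes.fromhex(line[5:].replace(" ", ""))
        elif line.startswith("SW:") and pending is not None:
            sw = bytes.fromhex(line[3:].replace(" ", ""))
            pairs.append((pending, (sw[0] << 8) | sw[1]))
            pending = None
    return pairs

def retries_left(sw):
    """ISO 7816-4: SW 63 Cx means 'verification failed, x tries left'; else None."""
    return sw & 0x0F if (sw & 0xFFF0) == 0x63C0 else None

def describe_sw(sw):
    n = retries_left(sw)
    if n is not None:
        return f"verification failed, {n} tries left"
    return {0x9000: "OK", 0x6983: "authentication method blocked"}.get(sw, f"SW {sw:04X}")

def counter_stuck(pairs):
    """True if two consecutive failed VERIFYs (INS 20) of the same password (P2) report
    the same retry count; a healthy card decrements and resets the count on success."""
    last = {}
    for apdu, sw in pairs:
        if apdu[1] != 0x20:
            continue
        pw, n = apdu[3], retries_left(sw)
        if n is None:                 # success or other error clears the history
            last.pop(pw, None)
            continue
        if last.get(pw) == n:
            return True
        last[pw] = n
    return False
```

Run `counter_stuck(parse_trace(SAMPLE_TRACE))` against a trace captured from a healthy card to see it return False, since the second failure there reports 63 C2.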

Author:  Klas [ Mon Jun 03, 2013 12:52 pm ]
Post subject:  Re: [QUESTION] OpenPGP app no longer accepts PIN after unblo

Hello,

Yes, there was a bug in unblock with the admin PIN in the openpgp applet (https://github.com/Yubico/ykneo-openpgp ... 473319de12). It is fixed in the source repo, and new Neos sent out have the fix.

If you are interested in reloading the openpgp applet yourself there are instructions for building and loading it at https://github.com/Yubico/ykneo-openpgp (alternatively you can download it pre-built from http://static.yubico.com/var/uploads/fi ... gpcard.cap sha1sum: 06290c8f52ea4711157d26400aaf3670816bd147). Please note that reloading the applet will clear it of all generated keys.

/klas

Author:  hiviah [ Tue Jun 04, 2013 3:05 pm ]
Post subject:  Re: [QUESTION] OpenPGP app no longer accepts PIN after unblo

Thanks, that worked.

I used gpshell to upload the new version of openpgpcard.cap (via an RFID reader). The unblocking now works as expected.

Author:  kylef [ Fri Aug 02, 2013 9:09 pm ]
Post subject:  Re: [SOLVED] OpenPGP app no longer accepts PIN after unblock

Klas,
every time I download I get a different sha1sum:
8a2e02bf21b05751216ddb6380833329a75500f2 openpgpcard.cap

Can you confirm you've changed the file since posting your sha1sum? I don't want to brick my Neo.

Author:  hiviah [ Sun Aug 04, 2013 9:45 pm ]
Post subject:  Re: [SOLVED] OpenPGP app no longer accepts PIN after unblock

kylef wrote:
every time I download I get a different sha1sum:
8a2e02bf21b05751216ddb6380833329a75500f2 openpgpcard.cap

Can you confirm you've changed the file since posting your sha1sum? I don't want to brick my Neo.


Yes, they have uploaded a new version as of July 4th; I get an identical SHA1 hash. I couldn't test it yet, but using gpshell to upload a new app version should only affect the OpenPGPcard application and nothing else (thus nearly zero chance of bricking the Yubikey Neo token). Nevertheless, it would be a good idea for Yubico to use SSL/TLS for downloads as well as the forums. We are playing the security game here, right? :-)

Author:  hiviah [ Mon Aug 05, 2013 10:17 am ]
Post subject:  Re: [SOLVED] OpenPGP app no longer accepts PIN after unblock

kylef wrote:
Can you confirm you've changed the file since posting your sha1sum? I don't want to brick my Neo.


I've just tried to upload the new version with SHA1 hash 8a2e02bf21b05751216ddb6380833329a75500f2, and I can confirm it works.

All times are UTC + 1 hour