Yubico Forum
https://forum.yubico.com/

I'm not entirely sure that I understand how the server...
https://forum.yubico.com/viewtopic.php?f=5&t=48

Author:  hrag [ Tue May 20, 2008 8:08 pm ]
Post subject:  I'm not entirely sure that I understand how the server...

Q: I'm not entirely sure that I understand how the server decrypts the token it receives, since it's encrypted with the device id as the key, how does it know what key to use for decryption?

A: The OTP is not encrypted with the id. It is a separate symmetrical key, unique to each device. The basic principle to verify the blob is as follows:

1. Extract the public ID prefix (sent in clear text = the first characters - 32)
2. Use this prefix to check up in the database which AES key this particular ID has
3. Decrypt the OTP part using this key (last 32 characters = 128 bits)
4. Verify that the checksum matches
5. Verify that the private ID matches
6. Verify that the counter- and timer values match

Author:  Simon [ Thu Jun 19, 2008 9:42 am ]
Post subject:  Re: I'm not entirely sure that I understand how the server...

We got a question to forum@yubico as follows:

Quote:
In point 2 you say: "Use this prefix to check up in the database which
AES key this particular ID has"
Will this lookup be in the local database or in a remote database? If
it will be local does the database need to be synchronized?


The lookup is done in the local database. The intention is that you only ever store the AES key in just one database, so there is no need to synchronize anything. If you need to validate OTPs from any other place, you should use the web service client API instead of trying to decrypt the OTP.

I hope this answers the question.

Thanks,
Simon
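
The six verification steps from the first post, with the single local key database described in this reply, as an added Go example that is not code from the thread or from Yubico. Assumptions: the modhex alphabet and the 16-byte block layout (6-byte private ID, little-endian session counter, session-use byte at offset 11, CRC-16 in the last two bytes) follow Yubico's published OTP format rather than anything stated in the posts; `Record`, `Verify` and the `db` map are hypothetical names. Step 6 is implemented as a replay check on the counters only; the timer value is not checked.

```go
package main

import (
	"crypto/aes"
	"fmt"
	"strings"
)

const modhex = "cbdefghijklnrtuv" // Yubico's modhex alphabet (assumed; not given in the thread)
type Record struct { // one row of the local key database (hypothetical schema)
	Key       [16]byte // per-device AES-128 key
	PrivateID [6]byte  // secret ID carried inside the encrypted block
	Last      uint32   // session counter<<8 | session use of the last accepted OTP
}

func crc16(b []byte) uint16 { // CRC-16 (ISO 13239); a valid 16-byte block leaves 0xf0b8
	crc := uint16(0xffff)
	for _, x := range b {
		crc ^= uint16(x)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408*(crc&1)
		}
	}
	return crc
}

// Verify applies steps 1-6 of the post; db maps a public ID to its Record.
func Verify(db map[string]*Record, token string) error {
	n := len(token) - 32 // step 1: the last 32 chars are the OTP, the rest is the public ID
	if n < 1 || db[token[:n]] == nil || strings.Trim(token[n:], modhex) != "" {
		return fmt.Errorf("malformed token or unknown public ID") // step 2: no key to use
	}
	rec, otp, blk := db[token[:n]], token[n:], [16]byte{}
	for i := range blk { // two modhex characters per byte
		blk[i] = byte(strings.IndexByte(modhex, otp[2*i])<<4 | strings.IndexByte(modhex, otp[2*i+1]))
	}
	c, _ := aes.NewCipher(rec.Key[:]) // a 16-byte key is always accepted
	c.Decrypt(blk[:], blk[:])         // step 3: one AES-128 block
	seq := uint32(blk[7]&0x7f)<<16 | uint32(blk[6])<<8 | uint32(blk[11]) // 15-bit counter, then use byte
	if crc16(blk[:]) != 0xf0b8 || string(blk[:6]) != string(rec.PrivateID[:]) {
		return fmt.Errorf("checksum or private ID mismatch") // steps 4 and 5
	}
	if seq <= rec.Last {
		return fmt.Errorf("replayed OTP") // step 6: counters must move forward
	}
	rec.Last = seq // remember the accepted counters so this OTP cannot be reused
	return nil
}

func main() { fmt.Println(Verify(map[string]*Record{}, strings.Repeat("c", 44))) } // constructed token, no such ID
```

Because `Verify` updates `Last` in the same record that holds the key, the replay state lives in that one database too, which is why a second copy of the key elsewhere would accept an OTP already used here.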

All times are UTC + 1 hour