Yubico Forum

I am trying to develop a challenge/response cross-platform authentication app using python. I am hoping to support Linux, OSX, and recent Windows versions from the same codebase. I've installed Python 2.7 (32-bit), python-yubico, pyusb (32-bit), and libusb-win32 on Windows 7. Following the libusb-win32 directions, I created an .inf file and installed the Yubikey as a libusb-win32 device. It appears in the Device Manager when the key is installed. I am able to get a test application (the inventory example in yubico-python) to execute. If no Yubikey is installed, it completes without error and say "No YubiKey found." But, if a key is installed, I get an error message indicating that usb_detach_kernel_driver_np is not found. Libusb documentation indicates that the "_np" represents that the function call is non-portable and this function is only implemented in Linux. Indeed, the call seems to be made on line 378 of yubikey_usb_hid.py in the python-yubico source tree.

So, have I done something wrong? Do I need another libusb? Have I missed a compatibility library? Has anyone succeeding in running the python-yubico applications under Windows? Google and forum searches have netted nothing helpful. I am reluctant to pick up the Windows COM library and start afresh simply because there is a lot of GUI development that I don't want to write multiple times. Any help here is appreciated.

Hi! I have opened a issue about the usb_detach_kernel_driver_np problem you noticed, see:

https://github.com/Yubico/python-yubico/issues/3

However generally the supported and recommended way to work with Yubikey challenge/response is through the ykpers library:

https://github.com/Yubico/yubikey-personalization

That project has been verified to work well under Windows, we have binaries for Windows here:

http://code.google.com/p/yubikey-person ... loads/list

I believe there is a short list of applications actually using it on Windows already.

However there are no python bindings for it -- we'd welcome that.

If someone would like to pick up and improve the python-yubico project, that would be nice too. Removing the usb kernel detach thing should probably just be a one-line to only do it for GNU-like systems.

/Simon

OK, so I have resigned myself to use the win32 version of ykchalresp.exe (from ykpers-1.11.3-win32) to generate the hmac-sha1 from the yubikey. I have been plagued by a problem of inconsistency in the output of ykchalresp.exe vs HMAC in python and HashCalc for 64-byte challenges. Python (import Crypto) and HashCalc both give the same result for 64-byte challenges. The ykchalresp.exe seems to ignore the 64th byte of the challenge. All numbers below are hex.

Slot-1 has the following secretHMAC programmed:


64-byte challenge is:


Python HMAC and HashCalc both give a response of:


Here is the command line and result from ykchalresp.exe:


I verified that it is not a quoting issue:


Here is the command line and result from ykchalresp.exe with the last byte removed:


So, the response from the 64-byte challenge and 63-byte challenge are exactly the same.

Removing the 63rd byte does yield a different result:



Perhaps I am doing something wrong. My read of the HMAC-SHA1 spec says that a 64-byte challenge should be accepted. I can easily work around this by just using a shorter challenge, but I am curious if this is a hardware problem, some issue with ykchalresp.c, or something buried in the driver code. I looked briefly at the ykchalresp.c code, but nothing jumped out at me.

Any guidance here is appreciated.

Hello,

With the 2.2 YubiKey there's a bug that makes you want to turn on the config flag HMAC_LT64 (the personalization gui does this for you), which caps the challenge at 63 bytes as you discovered.

/klas

Thanks for the prompt reply.