Yubico Forum

All times are UTC + 1 hour

Posted: Tue Jul 22, 2008 4:52 am
Joined: Mon Jun 09, 2008 6:12 pm
Posts: 19
Seems I found a bug regarding static OTPs.

In playing around with my key, hnirvlrevnegugnucgdvbirglvfgcbnfivrgunvckggt, by setting the configuration to the default for Static OTP, ykStaticID/ykUID/ykKey to the values I know match the OTP just posted, along with ykFLAG_STATIC_TICKET = true, it seems that this flag is outright ignored if you also set ykFLAG_TICKET_FIRST = true.

Here are the next 3 keys showing this behaviour. (Use the AES key that decodes the above key posted to decode these, all of which are TICKET_FIRST).

uerhtvtiffrkengdjncghirlejdjnujkhnirvlrevneg
dtkujnhfgeihffdfigcijicddjftilenhnirvlrevneg
vevugdfgvuevrnulnkhvliungijeigechnirvlrevneg
durebtiubdgektnndlrrufdvktrlvhglhnirvlrevneg
crdggekkuvbeuuknfdukhcgkhfglbtuehnirvlrevneg

dufeijvnchgcftekffnkjrcnbuffukvuhnirvlrevneg
ldnfnjielvvkurkngieljjkhtclrllcnhnirvlrevneg
judgnhubkudejuhrfdlgieiiveukubrkhnirvlrevneg

Now, if I go and reprogram the key again, with ykFLAG_TICKET_FIRST = false, it goes back to generating Static OTPs once again.


Posted: Wed Jul 23, 2008 5:56 am
Joined: Mon Jun 09, 2008 6:12 pm
Posts: 19
I checked to see if other flags gave similar issues. ykFLAG_TICKET_FIRST is the only flag to give this issue.


Posted: Thu Jul 24, 2008 8:46 pm
Site Admin
Joined: Wed May 28, 2008 7:04 pm
Posts: 263
Location: Yubico base camp in Sweden - Now in Palo Alto
Confirmed...

We'll create a 1.3.1 to fix that issue. I owe you a set of free ones as thanks for finding it.

Given that the output is static, I believe no one will have any practical problems with this one. Whatever, we'll fix it.

Regards,

JakobE
Hardware- and firmware guy @ Yubico


Posted: Wed Jul 30, 2008 7:47 pm

Joined: Fri Jul 11, 2008 8:30 pm
Posts: 8
I'm not sure if this is the same underlying issue.

The issue I have is that dynamic OTPs become static once the ykFLAG_TICKET_FIRST is set to true.

Code:
      YubiKeyConfig yub = null;
      IYubiKeyConfig tok = null;
      Listen listener = null;
      try {
         yub = new YubiKeyConfig();
         tok = yub.getIYubiKeyConfig();
         tok.ykClear();
         System.out.println("tok.getYkIsConfigured():" + tok.getYkIsConfigured());
         System.out.println("tok.getYkIsInserted():" + tok.getYkIsInserted());
         final String key = "dbc2be2addce5d234b6db67e97524915";
         final String user1 = "ffeffabcd034";
         final String user2 = "ffeffabcd035";      
         final String user = user2;      
         tok.setYkStaticID(user);
         tok.setYkUID(user);
         tok.setYkKey(key);
         tok.setYkFlagProperty(ykFLAG.ykFLAG_APPEND_CR, 1);
         tok.setYkFlagProperty(ykFLAG.ykFLAG_ALLOW_HIDTRIG, 1);
         tok.setYkFlagProperty(ykFLAG.ykFLAG_SEND_REF , 1);
         //tok.setYkFlagProperty(ykFLAG.ykFLAG_STATIC_TICKET, 0);
         tok.setYkFlagProperty(ykFLAG.ykFLAG_TICKET_FIRST, 1);  // comment out for dynamic otp's
         ykRETCODE ret = tok.getYkProgram();
         System.out.println("tok.getYkProgram():" + RetCode.toString(ret) );
      } catch (Exception e) {
         e.printStackTrace();
      }

Setting ykFLAG_TICKET_FIRST to false corrects the problem.
   
sample output:

   cbdefghijklnrtuvvvuvvlnrtcegnflnknuflgbgvnjgutclbblhujirubcu
   cbdefghijklnrtuvvvuvvlnrtceggtcflvltnrkcjnivfeklhuigfvkfifel
   cbdefghijklnrtuvvvuvvlnrtcegnnvhbkjlvenrdrdlrnjdrrikruvdfnkg
   cbdefghijklnrtuvvvuvvlnrtcegjurldgdkujutkutijujdeedelnfhjlhu

   cbdefghijklnrtuvhddnkbibcrcucbevtjkekciduckgnlkhvvuvvlnrtceg
   cbdefghijklnrtuvhddnkbibcrcucbevtjkekciduckgnlkhvvuvvlnrtceg
   cbdefghijklnrtuvhddnkbibcrcucbevtjkekciduckgnlkhvvuvvlnrtceg
   cbdefghijklnrtuvhddnkbibcrcucbevtjkekciduckgnlkhvvuvvlnrtceg


Is it just me?

------------------------------------


Posted: Thu Jul 31, 2008 12:23 am

Joined: Mon Jun 09, 2008 6:12 pm
Posts: 19
Indeed, confirmed the bug. It seems that ykFLAG_TICKET_FIRST XORs ykFLAG_STATIC_TICKET with binary 1, somewhere in the code. Because of this, if you want a YubiKey 1.3 with a static ticket as well as ticket first, you set ykFLAG_STATIC_TICKET = FALSE and ykFLAG_TICKET_FIRST = TRUE, and if you want ticket first with dynamic ticket, you do ykFLAG_STATIC_TICKET = TRUE and ykFLAG_TICKET_FIRST = FALSE. This is a weird bug indeed, for being a bit counterintuitive for what you want.

ykFLAG_STATIC_TICKET = FALSE, ykFLAG_TICKET_FIRST = true.
ugnucgdvbirglvfgcbnfivrgunvckggthnirvlrevneg
ugnucgdvbirglvfgcbnfivrgunvckggthnirvlrevneg
ugnucgdvbirglvfgcbnfivrgunvckggthnirvlrevneg

ykFLAG_STATIC_TICKET = TRUE, ykFLAG_TICKET_FIRST = false.
vnllvkgejuddrierinbffjdnuhhjlehihnirvlrevneg
tegtfvbvkdfnrkngjfefdvvvrggffllnhnirvlrevneg
benelvivndvjvlglkvulvnfjcibvddnuhnirvlrevneg

ykFLAG_STATIC_TICKET = FALSE, ykFLAG_TICKET_FIRST = FALSE.
hnirvlrevnegjbghjlcuevhennfkucbubgfvbdkehuju
hnirvlrevnegkfigfdtcuhrgkufhhuhjljdftbkjgrfh
hnirvlrevneggcfinlehccfuvkekdhdbgkcbgcfllrlh

ykFLAG_STATIC_TICKET = TRUE, ykFLAG_TICKET_FIRST = FALSE.
hnirvlrevnegugnucgdvbirglvfgcbnfivrgunvckggt
hnirvlrevnegugnucgdvbirglvfgcbnfivrgunvckggt
hnirvlrevnegugnucgdvbirglvfgcbnfivrgunvckggt
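
An added example (not code from any poster or from Yubico): a Python check that reads captured key output, works out whether the ticket came first and whether it repeated, and compares that with the programmed flags and with the XOR guess in the post above. It assumes a 32-character ticket, the `cbdefghijklnrtuv` prefix seen in the ykFLAG_SEND_REF outputs, and that ykFLAG_STATIC_TICKET was clear where the posted code comments that line out; the function names are invented here.

```python
MODHEX = set("cbdefghijklnrtuv")
REF = "cbdefghijklnrtuv"  # prefix seen in the ykFLAG_SEND_REF outputs
TICKET_LEN = 32           # assumed: 16-byte ticket, two modhex chars per byte

def observe(outputs, public_id):
    """Return (ticket_first, static) as the key actually behaved."""
    if len(outputs) < 2:
        raise ValueError("need two or more presses to tell static from dynamic")
    body_len = len(public_id) + TICKET_LEN
    layouts, tickets = set(), set()
    for raw in outputs:
        otp = raw.strip()
        if not otp or set(otp) - MODHEX:
            raise ValueError(f"not modhex: {raw!r}")
        if len(otp) == len(REF) + body_len and otp.startswith(REF):
            otp = otp[len(REF):]  # drop the reference prefix
        if len(otp) != body_len:
            raise ValueError(f"unexpected length: {raw!r}")
        id_first, id_last = otp.startswith(public_id), otp.endswith(public_id)
        if id_first == id_last:  # ID at neither end, or at both
            raise ValueError(f"cannot place the public ID: {raw!r}")
        layouts.add(id_last)
        tickets.add(otp[:TICKET_LEN] if id_last else otp[len(public_id):])
    if len(layouts) != 1:
        raise ValueError("layout changed between presses")
    return layouts.pop(), len(tickets) == 1

def xor_hypothesis(static_flag, ticket_first_flag):
    """Behaviour predicted by the poster's XOR guess (not Yubico's code)."""
    return ticket_first_flag, static_flag != ticket_first_flag

def audit(static_flag, ticket_first_flag, outputs, public_id):
    seen = observe(outputs, public_id)
    return {"as_configured": seen == (ticket_first_flag, static_flag),
            "matches_xor_hypothesis":
                seen == xor_hypothesis(static_flag, ticket_first_flag)}

# Outputs copied from the posts above, with the flags each poster reports.
# REPORT_2 and REPORT_3: STATIC_TICKET assumed clear (line commented out).
REPORT_1 = ["uerhtvtiffrkengdjncghirlejdjnujkhnirvlrevneg",
            "dtkujnhfgeihffdfigcijicddjftilenhnirvlrevneg"]
REPORT_2 = ["cbdefghijklnrtuvhddnkbibcrcucbevtjkekciduckgnlkhvvuvvlnrtceg"] * 2
REPORT_3 = ["cbdefghijklnrtuvvvuvvlnrtcegnflnknuflgbgvnjgutclbblhujirubcu",
            "cbdefghijklnrtuvvvuvvlnrtceggtcflvltnrkcjnivfeklhuigfvkfifel"]

if __name__ == "__main__":
    print(audit(True, True, REPORT_1, "hnirvlrevneg"))
    print(audit(False, True, REPORT_2, "vvuvvlnrtceg"))
    print(audit(False, False, REPORT_3, "vvuvvlnrtceg"))
```
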


Posted: Fri Aug 01, 2008 8:57 pm

Joined: Fri Jul 11, 2008 8:30 pm
Posts: 8
----------
So this should work?

Code:
      YubiKeyConfig yub = null;
      IYubiKeyConfig tok = null;
      try {
         yub = new YubiKeyConfig();
         tok = yub.getIYubiKeyConfig();
         tok.ykClear();
         System.out.println("tok.getYkIsConfigured():" + tok.getYkIsConfigured());
         System.out.println("tok.getYkIsInserted():" + tok.getYkIsInserted());
         final String key = "dbc2be2addce5d234b6db67e97524915";
         final String user = "ffeffabcd035";
         tok.setYkStaticID(user);
         tok.setYkUID(user);
         tok.setYkKey(key);
         tok.setYkFlagProperty(ykFLAG.ykFLAG_APPEND_CR, 1);
         tok.setYkFlagProperty(ykFLAG.ykFLAG_ALLOW_HIDTRIG, 1);
         tok.setYkFlagProperty(ykFLAG.ykFLAG_SEND_REF , 1);
         //
         // -- this flag sequence for v1.3 ?
         tok.setYkFlagProperty(ykFLAG.ykFLAG_STATIC_TICKET, 0);
         tok.setYkFlagProperty(ykFLAG.ykFLAG_TICKET_FIRST, 1);
         tok.setYkFlagProperty(ykFLAG.ykFLAG_STATIC_TICKET, 1);
         tok.setYkFlagProperty(ykFLAG.ykFLAG_TICKET_FIRST, 0);
         //
         //
         ykRETCODE ret = tok.getYkProgram();
         System.out.println("tok.getYkProgram():" + RetCode.toString(ret) );
      } catch (Exception e) {
         e.printStackTrace();
      }


Is there a flag sequence that should work for all hardware versions (no code changes)?
----------


Posted: Sat Aug 02, 2008 10:24 pm

Joined: Fri Jul 11, 2008 8:30 pm
Posts: 8
Or this?

Code:

         tok.setYkFlagProperty(ykFLAG.ykFLAG_STATIC_TICKET, 0);
         tok.setYkFlagProperty(ykFLAG.ykFLAG_TICKET_FIRST, 1);
         ykRETCODE ret = tok.getYkProgram();
         tok.setYkFlagProperty(ykFLAG.ykFLAG_STATIC_TICKET, 1);
         tok.setYkFlagProperty(ykFLAG.ykFLAG_TICKET_FIRST, 0);
         ret = tok.getYkProgram();  // reuse ret; declaring it twice does not compile


Posted: Sun Aug 10, 2008 12:03 am
Site Admin

Joined: Wed May 28, 2008 7:04 pm
Posts: 263
Location: Yubico base camp in Sweden - Now in Palo Alto
This issue has been fixed and the maintenance release 1.3.1 will be implemented effective from the next production batch.

Only this bug is fixed in 1.3.1. AFAIK, there are no other open firmware issues at this point in time.

If there is anyone having an issue with this bug, please let me know and I'll ensure that a replacement is sent f.o.c. We deemed this bug "non critical" so we won't provide this unless there is a real issue.

Thanks all for reporting this issue. Everyone involved can send me an e-mail to jakob at yubico dot com and I'll send you some complimentary 1.3.1 keys as a sign of my gratitude. Keeping the firmware healthy is a top prio for us and even minor issues like this one shall (and will) be fixed.

Regards,

JakobE
Hardware- and firmware guy @ Yubico


Posted: Tue Aug 12, 2008 4:34 am

Joined: Mon Jun 09, 2008 6:12 pm
Posts: 19
There, fired off my email. (from d_good at caitsith2 dot com).

