Yubico Forum

Posted: Sun Mar 15, 2015 4:10 pm
Hi,

If I understand it correctly, the Yubico Authenticator sends the current time to the Yubikey Neo (I have fw version 3.3.0) as a challenge response and gets back a response which is then used to generate the digits.

My question is this: when I plug my Yubikey into the Personalization Tool, and click on Tools/Challenge-Response Tester, and choose either slot 1 or slot 2, I get this error:

"Challenge response could not be performed. Perhaps they YubiKey is not configured for challenge-response?"

So, how does the Yubico Authenticator get my YubiKey to honour a challenge-response request? I'm obviously missing something in my understanding! :-)

btw, I'm successfully using the Yubico Authenticator and it is working as expected.

Thank you.

-=david=-


Posted: Mon Mar 16, 2015 9:59 am
Site Admin
I am not sure I understand your question.


OATH (TOTP, HOTP) has nothing to do with the HMAC-SHA1.

The OATH applet on your NEO will be fed with time from your OS and spit out TOTP codes.

The Challenge Response works in a different way, over HID, not CCID. An example of CR is KeeChallenge for KeePass, where the Yubikey secret is used as part of the key derivation function.
Another application using CR is the Windows logon tool.

The Yubico Authenticator does not use CR in any way.


Posted: Mon Mar 16, 2015 10:47 am
Hi,

Thank you for your reply. I got the information directly from the website, referenced here:

https://www.yubico.com/applications/int ... ces/gmail/

and to quote:

Quote:
Therefore, to create a TOTP response using the YubiKey, Yubico has developed a small application which sends the current time to the YubiKey set-up for HMAC-SHA1 challenge/response. The application sends the current time in the OATH-TOTP format and receives back the 160 bit HMAC-SHA1 hash. This is then processed as per the OATH-TOTP spec to produce either a 6 or 8 digit number.


It alludes that CR is used (specifically HMAC-SHA1).

I've probably misunderstood the information presented, but that's how it reads.

-=david=-


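The computation the quoted passage describes, as an added example that is not part of any post in this thread and is not Yubico's code: the time step is encoded as the challenge, a 160-bit HMAC-SHA1 response comes back, and the response is truncated to 6 or 8 digits. A software HMAC stands in for the token here, the function names are hypothetical, and the secret is the public RFC 6238 test value.

```python
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test secret for SHA-1 (public test value, not a real credential).
TEST_SECRET = b"12345678901234567890"

def totp_challenge(unix_time: int, step: int = 30, t0: int = 0) -> bytes:
    """Encode the time-step counter as the 8-byte big-endian challenge."""
    if unix_time < t0:
        raise ValueError("time precedes the TOTP epoch")
    return struct.pack(">Q", (unix_time - t0) // step)

def token_response(secret: bytes, challenge: bytes) -> bytes:
    """Software stand-in (assumption) for the token: HMAC-SHA1 of the challenge."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()

def truncate(mac: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation of the 20-byte MAC to a decimal code."""
    if len(mac) != 20:
        raise ValueError("expected a 160-bit HMAC-SHA1 value")
    if digits not in (6, 8):
        raise ValueError("digits must be 6 or 8")
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)  # keep leading zeros

def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """Host side: build the challenge, ask the token, truncate the response."""
    return truncate(token_response(secret, totp_challenge(unix_time, step)), digits)

def verify(secret, code, unix_time, digits=6, step=30, window=1) -> bool:
    """Server side: accept adjacent time steps to absorb clock drift."""
    for drift in range(-window, window + 1):
        t = unix_time + drift * step
        if t >= 0 and hmac.compare_digest(totp(secret, t, digits, step), code):
            return True
    return False

if __name__ == "__main__":
    print(totp(TEST_SECRET, 59, digits=8))  # RFC 6238 test time
```

The secret never leaves `token_response`; only the time-derived challenge and the MAC cross that boundary, which is the property a hardware token provides.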
Posted: Mon Mar 16, 2015 11:05 am
Site Admin
Hi,

If you are using the Yubico Authenticator, you are not using that TOTP helper app, but rather the OATH applet on the Yubikey NEO.

You are right that the webpage is misleading; we will fix it.


Posted: Mon Mar 16, 2015 11:56 am
Hi,

Thank you for the clarification :-)

-=david=-
