------------------------------------------------------------------------------- Yubikey A hardware USB stick that acts like a single button keyboard. When pressed it outputs a One Time Password or Static Password (two can be programed for short or long key presses) You cannot upgrade the firmware on the keys at all, by design. The only thing you can do is push various configuration settings to it, and then only if there's no password set on the configuration. The output is encrypted using an internal AES key, that key can only be set, never read, which is the Yubikey major security design feature. Main forum for questions and answers http://forum.yubico.com/viewtopic.php Alternative yubikey generators Yubidrone -- app to generate yubukey sequences on android mobiles. http://forum.yubico.com/viewtopic.php?f=4&t=405 ------------------------------------------------------------------------------- Software... for yubikey testing svn checkout http://yubico-c.googlecode.com/svn/trunk/ yubico-c cd yubico-c autoreconf --install ./configure make check install # installs into /usr/local svn checkout http://yubikey-personalization.googlecode.com/svn/trunk/ \ yubikey-personalization cd yubikey-personalization autoreconf --install ln -s /lib/libusb-1.0.so.0 /lib/libusb-1.0.so # stupid configure! ./configure make check OR dnf install ykpers yubikey validation server.... yum install yubikey-ksm.noarch yubikey-val.noarch The last use perl/php scripts with dependancies on the mcrypt libraries to do the crypto aspects. They provide good code examples of validating yubikey output. Some type of database for key validation is important, as it not only provided the AES key needed to check the key but also to store usage and session counters, to prevent replay attacks. Ideally only one such validation server should be used for a particular yubikey. ------------------------------------------------------------------------------- ModHex (Output by Yubikey's) Reason... Keyboards do not know its keymaps! It only sends scancodes, not keys! However all keyboards map certain keys to certain scancodes and these are what yubikeys use. Basically it usually transmits only certain keys. So it uses a simple substitution cypher for the yubikey output Hexadecimal: 0123 4567 89ab cdef ModHex Code: cbde fghi jkln rtuv Further 'c' is most ambigious in keyboards, so any other key should map to '0' when reading a yubikey As such bde fghi jkln rtuv -maps-> 0x1 - 0xf And all other characters (including 'c') maps to 0x0 If you want a 12 character modhex english word for your public 'fixed string', you can use this... egrep '^[cbdefghijklnrtuv]{12}$' /usr/share/dict/words For example: freethinking fiddledeedee belligerence jitterbugged lightningbug truthtelling unvirginlike enlightening uninferrible unfriendlike tightfitting nightclubber I rather like: intelligence OR get two words to concatanate into a word (no spaces)... cute beginner inbred knight NOTE the public fixed string, does not have to match the internel UID which is simply a binary encoding. The program "modhex" can be used to convert to and from modhex to hex, or ascii. Does not however allow raw binary input! ------------------------------------------------------------------------------- yubikey hardware Information ykinfo -a # ALL the information ykinfo -s # get the keys serial number ykinfo -1 # is slot 1 programmed ykinfo -2 # is slot 2 programmed ------------------------------------------------------------------------------- yubikey OTP programing and reading This has a public and private UID, timestamp and is encrypted with a Secret AES key. By default this stored on the "yubicloud validation service" https://www.yubico.com/products/services-software/yubicloud/ The public UID must start with 'vv' The private UID does not need to match the public UID. Upload a AES key and all relevent info: https://upload.yubico.com/ Then Testing on https://demo.yubico.com/otp/verify ---- Yubikey OTP is 16 bytes which equals 32 modhex characters This is generally proceeded by a 6 byte unencrypted public identity. So the complete OTP is 12 + 32 => 44 modhex charcaters. Only the last 32 characters are decoded by the AES key. Example generate a random password echo -n '{some junk string}' | md5sum 1b7c9370433d06a9bdec2500c1a0dffc Now program the second (long key press) slot of a 'yubikey standard key' ykpersonalize -2 -a1b7c9370433d06a9bdec2500c1a0dffc \ -ouid=h:112233445566 -v -osend-ref -ooath-fixed-modhex -o-static-ticket \ -o-strong-pw1 -o-strong-pw2 -o-man-update Note that some fields expect hexidecimal, others modhex encoding. However you can specify the encoding by prefixing with h: or m: resp. The AES key (-a) is always in hexadecimal The option -o-... means turn off that flag the above settings ensures that a OTH sequence is actually being set. Output (long keypress) bbddeeffgghhehcvhebnurgnibjlbvhurchinbgvjhlh bbddeeffgghhkugfgdeiijlruketrthkejfvjvijcild '----v-----''-------------v----------------' Public UID OTH Response Using the last key from the above... To get the UID extract characters 12 characters, convert those to hex and then to decimal, This is used for modhex -d bbddeeffgghh | perl -0777 -e 'print unpack("H*",<>), "\n"' | perl -le 'print hex(<>)' # Hex is 112233445566 # Decimal is 18838586676582 The factory will typically have 6 'c' or 0 modhex at the start... A publicly defined key, can only be added to the central yubi authentication the first chars must be 'vv' or hex 'FF' Decrypt the rest (using AES Decode) bbddeeffgghhkugfgdeiijlruketrthkejfvjvijcild '----------''------------------------------' # You can use the full respose not just the OTH Response in "ykparse" ykparse 1b7c9370433d06a9bdec2500c1a0dffc kugfgdeiijlruketrthkejfvjvijcild '--------- Secret Key-- -------' '-------- OTH Response --------' Input: token: kugfgdeiijlruketrthkejfvjvijcild 9e 54 52 37 78 ac e9 3d cd 69 38 4f 8f 78 07 a2 aeskey: 1b7c9370433d06a9bdec2500c1a0dffc 1b 7c 93 70 43 3d 06 a9 bd ec 25 00 c1 a0 df fc Output: 11 22 33 44 55 66 01 00 43 57 67 02 9b b9 c3 5b Data from DecryptedOutput... uid: 11 22 33 44 55 66 <-- confirms the Public UID counter: 1 (0x0001) timestamp (low): 22339 (0x5743) timestamp (high): 103 (0x67) session use: 2 (0x02) random: 47515 (0xb99b) crc: 23491 (0x5bc3) Derived: cleaned counter: 1 (0x0001) modhex uid: bbddeeffgghh triggered by caps lock: no crc: F0B8 crc check: ok Programs should... * check CRC, - did key decrypt properly * check secret ID UID against database - who is really trying to login * verify timestamp counter fields against replay * optionally check timer and time delta against a previous request NOTE The Public UID is optional, but then all UIDs will need to use same AES key. The UID does NOT have to match the fixed public UID, but is generally used to find the AES key to use. Generally it should be the same. ------------------------------------------------------------------------------- Static Password You can get a yubikey to output a static modhex encrypted string OR you can somehow set the yubikey to output english keyboard scancodes for any key sequence you like. How???? # Static encrypted string ykpersonalize -2 -a1b7c9370433d06a9bdec2500c1a0dffc -ofixed=h:112233445566 \ -ouid=h:112233445566 -ostatic-ticket output... ???? ------------------------------------------------------------------------------- Your own OpenID server from YubiKey Download Community-ID and install: http://source.keyboard-monkeys.org/projects/show/communityid Get yourself a Yubico API key: https://api.yubico.com/get-api-key/ Edit the config.php generated during the install: # # ------- YUBIKEY ------------ # $config['yubikey']['enabled'] = true; # Set to true to force utilization of the Yubikey, instead of passwords. # Only use it for newer installations, as current existent users won't be able to log-in. $config['yubikey']['force'] = false; $config['yubikey']['api_id'] = '1234'; $config['yubikey']['api_key'] = '1Ab+CdEfgHi/jkl2M3nOp4qrsT5='; For to factor authentication there is a 'diff' to apply http://source.keyboard-monkeys.org/attachments/download/136/twofactor-password-yubikey.diff See bottom of http://conf.linux.org.au/wiki/Yubikey ------------------------------------------------------------------------------- PAM Add to auth-common auth sufficent pam_yubikey.so Also see two-factor authentication patch That is you login using "password OTPpassword" Patch http://git.longlandclan.yi.org/?p=overlays/yubikey.git;a=blob;f=sys-auth/yubipam/files/yubipam-1.1_beta1-concat-twofactor.patch Guide http://stuartl.longlandclan.yi.org/blog/2011/02/17/yubikey-ebuilds-and-patches-for-gentoo/ ------------------------------------------------------------------------------- Autolock (Screensave) on Key remove.. http://forum.yubico.com/viewtopic.php?f=11&t=246 -------------------------------------------------------------------------------