Difference between revisions of "Yubikey"
m (→Yubikey 4) |
m |
||
Line 8: | Line 8: | ||
==OTP test== |
==OTP test== |
||
Can be performed without any install as OTP is using the keyboard emulation mode. |
Can be performed without any install as OTP is using the keyboard emulation mode. |
||
+ | <br>Visit https://demo.yubico.com/ |
||
<br>''As an HID device (keyboard), the YubiKey actually emits "scan codes" rather than actual characters. Different keyboard layouts have a different mapping between scan codes and the characters they represent.'' |
<br>''As an HID device (keyboard), the YubiKey actually emits "scan codes" rather than actual characters. Different keyboard layouts have a different mapping between scan codes and the characters they represent.'' |
||
<br>''Therefore, Yubico has designed a character set which is invariant between keyboard layouts which has 16 characters and we call the Modhex set – Modified Hexadecimal. Therefore, each character has 4 bits of entropy.'' |
<br>''Therefore, Yubico has designed a character set which is invariant between keyboard layouts which has 16 characters and we call the Modhex set – Modified Hexadecimal. Therefore, each character has 4 bits of entropy.'' |
||
Line 44: | Line 45: | ||
Change connection mode [OTP+U2F] |
Change connection mode [OTP+U2F] |
||
We can change its name for sth more convivial |
We can change its name for sth more convivial |
||
− | <br>There are three |
+ | <br>There are three supports that can be activated: |
* ''The OTP mode refers to the YubiKey functions the NEO shares with the standard YubiKey, including two Configuration Slots that can be programmed with any two of the following: Yubico OTP (programmed by Yubico in Slot 1, by default), OATH-HOTP, Challenge-Response and Static Password.'' |
* ''The OTP mode refers to the YubiKey functions the NEO shares with the standard YubiKey, including two Configuration Slots that can be programmed with any two of the following: Yubico OTP (programmed by Yubico in Slot 1, by default), OATH-HOTP, Challenge-Response and Static Password.'' |
||
* ''The CCID Mode refers to the smart card elements on the YubiKey NEO and NEO-n, and includes the NEO applets such as OpenPGP, PIV and YubiOATH.'' |
* ''The CCID Mode refers to the smart card elements on the YubiKey NEO and NEO-n, and includes the NEO applets such as OpenPGP, PIV and YubiOATH.'' |
||
Line 231: | Line 232: | ||
libu2f-server0 - Universal 2nd Factor (U2F) server communication C Library |
libu2f-server0 - Universal 2nd Factor (U2F) server communication C Library |
||
u2f-server - Command line tool to do Universal 2nd Factor (U2F) operations |
u2f-server - Command line tool to do Universal 2nd Factor (U2F) operations |
||
+ | =YubiKey 4C Nano= |
||
− | =Yubikey 4= |
||
Beware from this version on, Yubico replaced all open source components by closed-source ones: https://github.com/Yubico/ykneo-openpgp/issues/2#issuecomment-218446368 |
Beware from this version on, Yubico replaced all open source components by closed-source ones: https://github.com/Yubico/ykneo-openpgp/issues/2#issuecomment-218446368 |
||
− | <br>This is probably not what you want. |
||
See also https://wiki.debian.org/Smartcards/YubiKey4 |
See also https://wiki.debian.org/Smartcards/YubiKey4 |
||
+ | ==First time plugged== |
||
+ | new full-speed USB device number 2 using xhci_hcd |
||
+ | New USB device found, idVendor=1050, idProduct=0407 |
||
+ | New USB device strings: Mfr=1, Product=2, SerialNumber=0 |
||
+ | Product: Yubikey 4 OTP+U2F+CCID |
||
+ | Manufacturer: Yubico |
||
+ | input: Yubico Yubikey 4 OTP+U2F+CCID as /devices/pci0000:00/0000:00:1d.6/0000:06:00.0/0000:07:02.0/0000:3e:00.0/usb3/3-1/3-1:1.0/0003:1050:0407.0004/input/input26 |
||
+ | hid-generic 0003:1050:0407.0004: input,hidraw2: USB HID v1.10 Keyboard [Yubico Yubikey 4 OTP+U2F+CCID] on usb-0000:3e:00.0-1/input0 |
||
+ | hid-generic 0003:1050:0407.0005: hiddev2,hidraw3: USB HID v1.10 Device [Yubico Yubikey 4 OTP+U2F+CCID] on usb-0000:3e:00.0-1/input1 |
||
+ | |||
+ | ==OTP test== |
||
+ | Parameters |
||
+ | tab=one-factor |
||
+ | mode=one-factor |
||
+ | key=cccccchkrlrljuhribikcfginlbvhunchknuelfunnlu |
||
+ | identity=cccccchkrlrl |
||
+ | serial=6933194 |
||
+ | |||
+ | Authentication Output |
||
+ | h=Z1jquAXFhhPvZJL2AvbAnhFqVOw= |
||
+ | t=2017-12-07T13:52:56Z0602 |
||
+ | otp=cccccchkrlrljuhribikcfginlbvhunchknuelfunnlu |
||
+ | nonce=9cdcd3a9cb255714b6bfb7250542010f |
||
+ | sl=25 |
||
+ | status=OK |
||
+ | |||
+ | ==Install== |
||
+ | pcsc_scan results: |
||
+ | <pre> |
||
+ | Reader 2: Yubico Yubikey 4 OTP+U2F+CCID 02 00 |
||
+ | Card state: Card inserted, |
||
+ | ATR: 3B F8 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 34 D4 |
||
+ | |||
+ | ATR: 3B F8 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 34 D4 |
||
+ | + TS = 3B --> Direct Convention |
||
+ | + T0 = F8, Y(1): 1111, K: 8 (historical bytes) |
||
+ | TA(1) = 13 --> Fi=372, Di=4, 93 cycles/ETU |
||
+ | 43010 bits/s at 4 MHz, fMax for Fi = 5 MHz => 53763 bits/s |
||
+ | TB(1) = 00 --> VPP is not electrically connected |
||
+ | TC(1) = 00 --> Extra guard time: 0 |
||
+ | TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1 |
||
+ | ----- |
||
+ | TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1 |
||
+ | ----- |
||
+ | TA(3) = FE --> IFSC: 254 |
||
+ | TB(3) = 15 --> Block Waiting Integer: 1 - Character Waiting Integer: 5 |
||
+ | + Historical bytes: 59 75 62 69 6B 65 79 34 |
||
+ | Category indicator byte: 59 (proprietary format) |
||
+ | + TCK = D4 (correct checksum) |
||
+ | |||
+ | Possibly identified card (using /home/phil/.cache/smartcard_list.txt): |
||
+ | 3B F8 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 34 D4 |
||
+ | Yubico Yubikey 4 OTP+CCID |
||
+ | </pre> |
Revision as of 16:38, 7 December 2017
Yubikey Neo Nano
First time plugged
new full-speed USB device number 31 using xhci_hcd New USB device found, idVendor=1050, idProduct=0114 New USB device strings: Mfr=1, Product=2, SerialNumber=0 Product: Yubikey NEO OTP+U2F Manufacturer: Yubico
OTP test
Can be performed without any install as OTP is using the keyboard emulation mode.
Visit https://demo.yubico.com/
As an HID device (keyboard), the YubiKey actually emits "scan codes" rather than actual characters. Different keyboard layouts have a different mapping between scan codes and the characters they represent.
Therefore, Yubico has designed a character set which is invariant between keyboard layouts which has 16 characters and we call the Modhex set – Modified Hexadecimal. Therefore, each character has 4 bits of entropy.
Parameters device=neonano key=ccccccdugjdbtnglkbibhjkeifunghgngibgfjcunlfl identity=ccccccdugjdb serial=3037217 Authentication Output h=sznj5f+KKweKLObaoMo44IJMGOM= t=2015-03-12T19:37:09Z0788 otp=ccccccdugjdbtnglkbibhjkeifunghgngibgfjcunlfl nonce=a830bdee7aa3735626ea90bcd5b2428c sl=25 status=OK
Install
For CCID & U2F, one needs some extra steps.
Note that contrary to what is said in Yubico docs, mine had already the mode U2F activated.
To use U2F with Chrome, install FIDO U2F plugin
We need the yubikey neo manager, cf NEO-Manager-Quick-Start-Guide.pdf
Install Yubikey neo manager, here yubikey-neo-manager-1.1.0.tar.gz
We could use "python setup.py install --user" but it would also install locally pySide which we install properly via apt-get
sudo apt-get install ykneomgr python-pyside yubikey-personalization yubikey-personalization-gui u2f-host tar yubikey-neo-manager-1.1.0.tar.gz cd yubikey-neo-manager-1.1.0 cp scripts/neoman neoman.py ./neoman.py
Serial: 3037217 FW version: 3.3.0 U2F/FIDO: supported Change connection mode [OTP+U2F]
We can change its name for sth more convivial
There are three supports that can be activated:
- The OTP mode refers to the YubiKey functions the NEO shares with the standard YubiKey, including two Configuration Slots that can be programmed with any two of the following: Yubico OTP (programmed by Yubico in Slot 1, by default), OATH-HOTP, Challenge-Response and Static Password.
- The CCID Mode refers to the smart card elements on the YubiKey NEO and NEO-n, and includes the NEO applets such as OpenPGP, PIV and YubiOATH.
- The U2F Mode refers to the Universal 2nd Factor (U2F) functionality of the YubiKey NEO and NEO-n.
Activate all supports:
- Change connection mode => +OTP +CCID +U2F
- unplug/wait/replug
Now we see available applets
- YubiKey OTP
- YubiOATH
- Yubico U2F
- OpenPGP
- Yubico PIV
pcsc_scan results:
Reader 0: Yubico Yubikey NEO OTP+U2F+CCID 00 00 Card state: Card inserted, ATR: 3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1 ATR: 3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1 + TS = 3B --> Direct Convention + T0 = FC, Y(1): 1111, K: 12 (historical bytes) TA(1) = 13 --> Fi=372, Di=4, 93 cycles/ETU 43010 bits/s at 4 MHz, fMax for Fi = 5 MHz => 53763 bits/s TB(1) = 00 --> VPP is not electrically connected TC(1) = 00 --> Extra guard time: 0 TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1 ----- TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1 ----- TA(3) = FE --> IFSC: 254 TB(3) = 15 --> Block Waiting Integer: 1 - Character Waiting Integer: 5 + Historical bytes: 59 75 62 69 6B 65 79 4E 45 4F 72 33 Category indicator byte: 59 (proprietary format) + TCK = E1 (correct checksum) Possibly identified card (using /usr/share/pcsc/smartcard_list.txt): 3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1 YubiKey NEO (PKI) http://www.yubico.com/
FIDO U2F test (registration)
Go to https://demo.yubico.com/start/u2f/neonano
Register:
Create doegox / demodemo
Login Data username: doegox password: demodemo Enroll Data origin: https://demo.yubico.com version: U2F_V2 challenge: SMkZgqF8LYgnhZTQaYcVTZc3DzO8RXY8TfLhveiIQz4 appId: https://demo.yubico.com Response Data clientData: {"typ":"navigator.id.finishEnrollment","challenge":"SMkZgqF8LYgnhZTQaYcVTZc3DzO8RXY8TfLhveiIQz4","origin":"https://demo.yubico.com","cid_pubkey":""} registrationData: 0504ceb7c2675e1370b64ec95fabd98c1f68f1dddf706ffc20d56367ae3274717a6ea95259ece26ca7d4c38db3b81c2a7a9b628cdaa6bcc2487d1a04f83e7178a5144067fdcb62dfceb6ebba4e3caf480dcc5f179f8f6f6499e97ba39e079faaea892d6351b7fc2da6c1e5c2511e2c8a1c490e87d20c1bd17613013db45197be3189f93082021c30820106a00302010202047258c2ea300b06092a864886f70d01010b302e312c302a0603550403132359756269636f2055324620526f6f742043412053657269616c203435373230303633313020170d3134303830313030303030305a180f32303530303930343030303030305a302b3129302706035504030c2059756269636f205532462045452053657269616c2031343830333332313537383059301306072a8648ce3d020106082a8648ce3d03010703420004a2b039932254319d41fa4854d57ca18deb69cc9b3e4d81ae399f323e81164399ef2a9514673d157cecbfb5f0bcc7890853ee55cf3f1a2066f4d5139b938b310ba3123010300e060a2b0601040182c40a01020400300b06092a864886f70d01010b0382010101bccc1af90b7b957818d555a433716a6016acedcb3132c3410f366164106c23d92ab06c5d1c2cb6929ad42148aa2a3af3ae53893a6aa140cae9326593153d92aa00fd15874b0232944cce90ef1198cedefea087967c6c80e6b50009e41da79c82f256973b0c0eed6a3ddd52b67334c0fcbfe6d88ca753b1927f43342cb6c7b020f92814e21146daad6b48b09041625ff730475d4817e51219c407294068317eb924ff6763a0f34375c7a65383ddb1d4387b028b632a05953ed5f28ead026934fd30f1c050a5293f86c5539bb522196fc51abc6b20a5dfa467c218808a0f108c7ee58a22c86ed078cfd29121a30017d4bb35a627b64a82b7f9512162d90e1512ea3045022100d2648a850920595a0285709ce12f9975d01cc8005d2bddc568855f8aed8926fe02206c15949affb6bc15fb32f3b7f1064202e07ee10008607a6f2e16ad45f611f93b Attestation Certificate Certificate: Data: Version: 3 (0x2) Serial Number: 1918419690 (0x7258c2ea) Signature Algorithm: sha256WithRSAEncryption Issuer: CN=Yubico U2F Root CA Serial 457200631 Validity Not Before: Aug 1 00:00:00 2014 GMT Not After : Sep 4 00:00:00 2050 GMT Subject: CN=Yubico U2F EE Serial 14803321578 Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:a2:b0:39:93:22:54:31:9d:41:fa:48:54:d5:7c: a1:8d:eb:69:cc:9b:3e:4d:81:ae:39:9f:32:3e:81: 16:43:99:ef:2a:95:14:67:3d:15:7c:ec:bf:b5:f0: bc:c7:89:08:53:ee:55:cf:3f:1a:20:66:f4:d5:13: 9b:93:8b:31:0b ASN1 OID: prime256v1 X509v3 extensions: 1.3.6.1.4.1.41482.1.2: Signature Algorithm: sha256WithRSAEncryption bc:cc:1a:f9:0b:7b:95:78:18:d5:55:a4:33:71:6a:60:16:ac: ed:cb:31:32:c3:41:0f:36:61:64:10:6c:23:d9:2a:b0:6c:5d: 1c:2c:b6:92:9a:d4:21:48:aa:2a:3a:f3:ae:53:89:3a:6a:a1: 40:ca:e9:32:65:93:15:3d:92:aa:00:fd:15:87:4b:02:32:94: 4c:ce:90:ef:11:98:ce:de:fe:a0:87:96:7c:6c:80:e6:b5:00: 09:e4:1d:a7:9c:82:f2:56:97:3b:0c:0e:ed:6a:3d:dd:52:b6: 73:34:c0:fc:bf:e6:d8:8c:a7:53:b1:92:7f:43:34:2c:b6:c7: b0:20:f9:28:14:e2:11:46:da:ad:6b:48:b0:90:41:62:5f:f7: 30:47:5d:48:17:e5:12:19:c4:07:29:40:68:31:7e:b9:24:ff: 67:63:a0:f3:43:75:c7:a6:53:83:dd:b1:d4:38:7b:02:8b:63: 2a:05:95:3e:d5:f2:8e:ad:02:69:34:fd:30:f1:c0:50:a5:29: 3f:86:c5:53:9b:b5:22:19:6f:c5:1a:bc:6b:20:a5:df:a4:67: c2:18:80:8a:0f:10:8c:7e:e5:8a:22:c8:6e:d0:78:cf:d2:91: 21:a3:00:17:d4:bb:35:a6:27:b6:4a:82:b7:f9:51:21:62:d9: 0e:15:12:ea -----BEGIN CERTIFICATE----- MIICHDCCAQagAwIBAgIEcljC6jALBgkqhkiG9w0BAQswLjEsMCoGA1UEAxMjWXVi aWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwIBcNMTQwODAxMDAwMDAw WhgPMjA1MDA5MDQwMDAwMDBaMCsxKTAnBgNVBAMMIFl1YmljbyBVMkYgRUUgU2Vy aWFsIDE0ODAzMzIxNTc4MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEorA5kyJU MZ1B+khU1XyhjetpzJs+TYGuOZ8yPoEWQ5nvKpUUZz0VfOy/tfC8x4kIU+5Vzz8a IGb01RObk4sxC6MSMBAwDgYKKwYBBAGCxAoBAgQAMAsGCSqGSIb3DQEBCwOCAQEA vMwa+Qt7lXgY1VWkM3FqYBas7csxMsNBDzZhZBBsI9kqsGxdHCy2kprUIUiqKjrz rlOJOmqhQMrpMmWTFT2SqgD9FYdLAjKUTM6Q7xGYzt7+oIeWfGyA5rUACeQdp5yC 8laXOwwO7Wo93VK2czTA/L/m2IynU7GSf0M0LLbHsCD5KBTiEUbarWtIsJBBYl/3 MEddSBflEhnEBylAaDF+uST/Z2Og80N1x6ZTg92x1Dh7AotjKgWVPtXyjq0CaTT9 MPHAUKUpP4bFU5u1IhlvxRq8ayCl36RnwhiAig8QjH7liiLIbtB4z9KRIaMAF9S7 NaYntkqCt/lRIWLZDhUS6g== -----END CERTIFICATE-----
FIDO U2F test (login)
Login Data username: doegox password: demodemo Challenge Data version: U2F_V2 challenge: JRrh04hHKIxAuLk7SXSRQPwqK4994NQR0EfWIzY4wgc keyHandle: Z_3LYt_Otuu6TjyvSA3MXxefj29kmel7o54Hn6rqiS1jUbf8LabB5cJRHiyKHEkOh9IMG9F2EwE9tFGXvjGJ-Q Response Data clientData: {"typ":"navigator.id.getAssertion","challenge":"JRrh04hHKIxAuLk7SXSRQPwqK4994NQR0EfWIzY4wgc","origin":"https://demo.yubico.com","cid_pubkey":""} signatureData: AQAAAAEwRAIgLrqKb81ePH9jcIGFDjyEWwc5p4jJV80IpxGY8lw4lfMCIFR36WIIpcXWYBpq6W9VVUud9pE19k09do8KKEpm1kij Authentication Parameters touch: true counter: 1
Configuration
yubikey-personalization-gui
or
man ykpersonalize
- Go to https://security.google.com/settings/security/securitykey/add
- Press Register then touch the key
OpenPGP
For info, applet source here
Make user CCID mode is activated
See GnuPG#Yubikey
TODO
- https://www.yubico.com/2012/12/yubikey-neo-openpgp/
- https://www.2realities.com/blog/2014/11/04/yubikey-slash-openpgp-smartcards-for-newbies/
- https://wiki.gnome.org/Projects/GnomeKeyring
Misc
- First time use
- Yubico applications
- Modhex calculator
- OpenSource
- http://uname.pingveno.net/blog/index.php/post/2013/08/06/Configure-2-factor-Yubikey-authentication-for-Debian-%3A-the-easiest-way
Other Debian packages
libauth-yubikey-decrypter-perl - yubikey token output decryptor libauth-yubikey-webclient-perl - Perl module to authenticate Yubikey against the Yubico Web API
python-pyhsm - Python code for talking to a Yubico YubiHSM hardware yhsm-daemon - YubiHSM server daemon yhsm-tools - Common files for YubiHSM applications yhsm-validation-server - Validation server using YubiHSM yhsm-yubikey-ksm - Yubikey Key Storage Module using YubiHSM
python-yubico - Python code for talking to Yubico YubiKeys python-yubico-tools - Tools for Yubico YubiKeys libykclient3 - Yubikey client library runtime libpam-yubico - two-factor password and YubiKey OTP PAM module
yubikey-ksm - Key Storage Module for YubiKey One-Time Password (OTP) tokens yubikey-server-c - Yubikey validation server yubikey-val - One-Time Password (OTP) validation server for YubiKey tokens yubiserver - Yubikey OTP and HOTP/OATH Validation Server libapache2-mod-authn-yubikey - Yubikey authentication provider for Apache
libu2f-server0 - Universal 2nd Factor (U2F) server communication C Library u2f-server - Command line tool to do Universal 2nd Factor (U2F) operations
YubiKey 4C Nano
Beware from this version on, Yubico replaced all open source components by closed-source ones: https://github.com/Yubico/ykneo-openpgp/issues/2#issuecomment-218446368
See also https://wiki.debian.org/Smartcards/YubiKey4
First time plugged
new full-speed USB device number 2 using xhci_hcd New USB device found, idVendor=1050, idProduct=0407 New USB device strings: Mfr=1, Product=2, SerialNumber=0 Product: Yubikey 4 OTP+U2F+CCID Manufacturer: Yubico input: Yubico Yubikey 4 OTP+U2F+CCID as /devices/pci0000:00/0000:00:1d.6/0000:06:00.0/0000:07:02.0/0000:3e:00.0/usb3/3-1/3-1:1.0/0003:1050:0407.0004/input/input26 hid-generic 0003:1050:0407.0004: input,hidraw2: USB HID v1.10 Keyboard [Yubico Yubikey 4 OTP+U2F+CCID] on usb-0000:3e:00.0-1/input0 hid-generic 0003:1050:0407.0005: hiddev2,hidraw3: USB HID v1.10 Device [Yubico Yubikey 4 OTP+U2F+CCID] on usb-0000:3e:00.0-1/input1
OTP test
Parameters tab=one-factor mode=one-factor key=cccccchkrlrljuhribikcfginlbvhunchknuelfunnlu identity=cccccchkrlrl serial=6933194 Authentication Output h=Z1jquAXFhhPvZJL2AvbAnhFqVOw= t=2017-12-07T13:52:56Z0602 otp=cccccchkrlrljuhribikcfginlbvhunchknuelfunnlu nonce=9cdcd3a9cb255714b6bfb7250542010f sl=25 status=OK
Install
pcsc_scan results:
Reader 2: Yubico Yubikey 4 OTP+U2F+CCID 02 00 Card state: Card inserted, ATR: 3B F8 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 34 D4 ATR: 3B F8 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 34 D4 + TS = 3B --> Direct Convention + T0 = F8, Y(1): 1111, K: 8 (historical bytes) TA(1) = 13 --> Fi=372, Di=4, 93 cycles/ETU 43010 bits/s at 4 MHz, fMax for Fi = 5 MHz => 53763 bits/s TB(1) = 00 --> VPP is not electrically connected TC(1) = 00 --> Extra guard time: 0 TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1 ----- TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1 ----- TA(3) = FE --> IFSC: 254 TB(3) = 15 --> Block Waiting Integer: 1 - Character Waiting Integer: 5 + Historical bytes: 59 75 62 69 6B 65 79 34 Category indicator byte: 59 (proprietary format) + TCK = D4 (correct checksum) Possibly identified card (using /home/phil/.cache/smartcard_list.txt): 3B F8 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 34 D4 Yubico Yubikey 4 OTP+CCID