Yubikey
Latest revision as of 09:19, 25 April 2023

=Yubikey Neo Nano=

==First time plugged==

<pre>
new full-speed USB device number 31 using xhci_hcd
New USB device found, idVendor=1050, idProduct=0114
New USB device strings: Mfr=1, Product=2, SerialNumber=0
Product: Yubikey NEO OTP+U2F
Manufacturer: Yubico
</pre>

==OTP test==

Can be performed without any install as OTP is using the keyboard emulation mode.

Visit https://demo.yubico.com/

''As an HID device (keyboard), the YubiKey actually emits "scan codes" rather than actual characters. Different keyboard layouts have a different mapping between scan codes and the characters they represent.''

''Therefore, Yubico has designed a character set which is invariant between keyboard layouts which has 16 characters and we call the Modhex set – Modified Hexadecimal. Therefore, each character has 4 bits of entropy.''

<pre>
Parameters
device=neonano
key=ccccccdugjdbtnglkbibhjkeifunghgngibgfjcunlfl
identity=ccccccdugjdb
serial=3037217

Authentication Output
h=sznj5f+KKweKLObaoMo44IJMGOM=
t=2015-03-12T19:37:09Z0788
otp=ccccccdugjdbtnglkbibhjkeifunghgngibgfjcunlfl
nonce=a830bdee7aa3735626ea90bcd5b2428c
sl=25
status=OK
</pre>
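To make the Modhex remark and the validation output above concrete, here is an added Python example (not code from this page nor from Yubico). It decodes Modhex, splits a Yubico OTP into its 12-character public id and 32-character AES-encrypted part, recovers the serial that the public id of both keys on this page carries (identity ccccccdugjdb gives serial 3037217; the serial_modhex hkrlrl of the YubiKey 4 further down gives 6933194), and recomputes the h= signature of a validation response the way the Yubico validation protocol v2.0 defines it (HMAC-SHA1 over the alphabetically sorted key=value pairs joined with "&", base64 encoded). The API secret used for that last part is a constructed placeholder, so the h= captured above cannot be checked with it; the demo server's secret is not on the page.

```python
"""Modhex and Yubico OTP helpers (added example, not from the page or Yubico).

The Modhex alphabet and the 12 + 32 character OTP layout are Yubico's documented
format; the response signature follows the validation protocol v2.0.  The API
secret below is a constructed placeholder, not a real key.
"""
import base64
import hashlib
import hmac

MODHEX = "cbdefghijklnrtuv"            # Modhex digit i <-> hex digit i
_TO_NIBBLE = {ch: i for i, ch in enumerate(MODHEX)}
CONSTRUCTED_API_SECRET_B64 = "Y29uc3RydWN0ZWQ="   # base64("constructed"), placeholder


def modhex_decode(text: str) -> bytes:
    """Decode a Modhex string (case-insensitive) into bytes."""
    text = text.lower()
    if len(text) % 2 or any(ch not in _TO_NIBBLE for ch in text):
        raise ValueError("not a valid Modhex string")
    nibbles = [_TO_NIBBLE[ch] for ch in text]
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, len(nibbles), 2))


def modhex_encode(data: bytes) -> str:
    return "".join(MODHEX[b >> 4] + MODHEX[b & 0x0F] for b in data)


def split_otp(otp: str) -> dict:
    """A Yubico OTP as seen on the page is 44 Modhex characters:
    12 chars of public id followed by 32 chars (16 bytes) of AES-encrypted token."""
    if len(otp) != 44:
        raise ValueError("Yubico OTP must be 44 Modhex characters")
    return {
        "public_id": otp[:12],
        "public_id_bytes": modhex_decode(otp[:12]),
        # Only the holder of the key's AES secret (the validation server) can read this part.
        "ciphertext": modhex_decode(otp[12:]),
    }


def serial_from_public_id(public_id: str) -> int:
    """Both keys on this page carry their serial in the public id:
    ccccccdugjdb -> 3037217, cccccchkrlrl -> 6933194."""
    return int.from_bytes(modhex_decode(public_id), "big")


def response_signature(params: dict, api_secret_b64: str) -> str:
    """h= value of a validation response: HMAC-SHA1 over the sorted params, h excluded."""
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    key = base64.b64decode(api_secret_b64)
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()


def verify_response(params: dict, api_secret_b64: str,
                    sent_otp: str = None, sent_nonce: str = None) -> bool:
    """Relying-party check: the response must echo the OTP and nonce we sent,
    and its h= must match under our API secret (constant-time comparison)."""
    if sent_otp is not None and params.get("otp") != sent_otp:
        return False
    if sent_nonce is not None and params.get("nonce") != sent_nonce:
        return False
    return hmac.compare_digest(params.get("h", ""), response_signature(params, api_secret_b64))
```

A relying party should additionally require status=OK; any other status (REPLAYED_OTP, BAD_OTP, ...) is a rejection even when the signature is valid.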
==Install==

For CCID & U2F, one needs some extra steps.

Note that contrary to what is said in Yubico docs, mine had already the mode U2F activated.

To use U2F with Chrome, install the FIDO U2F plugin.

We need the yubikey neo manager, cf [https://www.yubico.com/wp-content/uploads/2014/11/NEO-Manager-Quick-Start-Guide.pdf NEO-Manager-Quick-Start-Guide.pdf]

Install [https://developers.yubico.com/yubikey-neo-manager/Releases/ Yubikey neo manager], here [https://developers.yubico.com/yubikey-neo-manager/Releases/yubikey-neo-manager-1.1.0.tar.gz yubikey-neo-manager-1.1.0.tar.gz]

We could use "python setup.py install --user" but it would also install locally pySide, which we install properly via apt-get.

<pre>
sudo apt-get install ykneomgr python-pyside yubikey-personalization yubikey-personalization-gui u2f-host
tar xzf yubikey-neo-manager-1.1.0.tar.gz
cd yubikey-neo-manager-1.1.0
cp scripts/neoman neoman.py
./neoman.py
</pre>

<pre>
Serial: 3037217
FW version: 3.3.0
U2F/FIDO: supported
Change connection mode [OTP+U2F]
</pre>

We can change its name for something more convivial.

There are three supports that can be activated:
* ''The OTP mode refers to the YubiKey functions the NEO shares with the standard YubiKey, including two Configuration Slots that can be programmed with any two of the following: Yubico OTP (programmed by Yubico in Slot 1, by default), OATH-HOTP, Challenge-Response and Static Password.''
* ''The CCID Mode refers to the smart card elements on the YubiKey NEO and NEO-n, and includes the NEO applets such as OpenPGP, PIV and YubiOATH.''
* ''The U2F Mode refers to the Universal 2nd Factor (U2F) functionality of the YubiKey NEO and NEO-n.''

Activate all supports:
* Change connection mode => +OTP +CCID +U2F
* unplug/wait/replug

Now we see available applets:
* YubiKey OTP
* YubiOATH
* Yubico U2F
* OpenPGP
* Yubico PIV

pcsc_scan results:
<pre>
Reader 0: Yubico Yubikey NEO OTP+U2F+CCID 00 00
  Card state: Card inserted,
  ATR: 3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1

ATR: 3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1
+ TS = 3B --> Direct Convention
+ T0 = FC, Y(1): 1111, K: 12 (historical bytes)
  TA(1) = 13 --> Fi=372, Di=4, 93 cycles/ETU
    43010 bits/s at 4 MHz, fMax for Fi = 5 MHz => 53763 bits/s
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
  TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1
-----
  TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1
-----
  TA(3) = FE --> IFSC: 254
  TB(3) = 15 --> Block Waiting Integer: 1 - Character Waiting Integer: 5
+ Historical bytes: 59 75 62 69 6B 65 79 4E 45 4F 72 33
  Category indicator byte: 59 (proprietary format)
+ TCK = E1 (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1
        YubiKey NEO (PKI)
        http://www.yubico.com/
</pre>
==FIDO U2F test (registration)==

Go to https://demo.yubico.com/start/u2f/neonano

Register:

Create doegox / demodemo

<pre>
Login Data
username: doegox
password: demodemo

Enroll Data
origin: https://demo.yubico.com
version: U2F_V2
challenge: SMkZgqF8LYgnhZTQaYcVTZc3DzO8RXY8TfLhveiIQz4
appId: https://demo.yubico.com

Response Data
clientData: {"typ":"navigator.id.finishEnrollment","challenge":"SMkZgqF8LYgnhZTQaYcVTZc3DzO8RXY8TfLhveiIQz4","origin":"https://demo.yubico.com","cid_pubkey":""}
registrationData: 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

Attestation Certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1918419690 (0x7258c2ea)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Yubico U2F Root CA Serial 457200631
        Validity
            Not Before: Aug  1 00:00:00 2014 GMT
            Not After : Sep  4 00:00:00 2050 GMT
        Subject: CN=Yubico U2F EE Serial 14803321578
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:a2:b0:39:93:22:54:31:9d:41:fa:48:54:d5:7c:
                    a1:8d:eb:69:cc:9b:3e:4d:81:ae:39:9f:32:3e:81:
                    16:43:99:ef:2a:95:14:67:3d:15:7c:ec:bf:b5:f0:
                    bc:c7:89:08:53:ee:55:cf:3f:1a:20:66:f4:d5:13:
                    9b:93:8b:31:0b
                ASN1 OID: prime256v1
        X509v3 extensions:
            1.3.6.1.4.1.41482.1.2:
    Signature Algorithm: sha256WithRSAEncryption
         bc:cc:1a:f9:0b:7b:95:78:18:d5:55:a4:33:71:6a:60:16:ac:
         ed:cb:31:32:c3:41:0f:36:61:64:10:6c:23:d9:2a:b0:6c:5d:
         1c:2c:b6:92:9a:d4:21:48:aa:2a:3a:f3:ae:53:89:3a:6a:a1:
         40:ca:e9:32:65:93:15:3d:92:aa:00:fd:15:87:4b:02:32:94:
         4c:ce:90:ef:11:98:ce:de:fe:a0:87:96:7c:6c:80:e6:b5:00:
         09:e4:1d:a7:9c:82:f2:56:97:3b:0c:0e:ed:6a:3d:dd:52:b6:
         73:34:c0:fc:bf:e6:d8:8c:a7:53:b1:92:7f:43:34:2c:b6:c7:
         b0:20:f9:28:14:e2:11:46:da:ad:6b:48:b0:90:41:62:5f:f7:
         30:47:5d:48:17:e5:12:19:c4:07:29:40:68:31:7e:b9:24:ff:
         67:63:a0:f3:43:75:c7:a6:53:83:dd:b1:d4:38:7b:02:8b:63:
         2a:05:95:3e:d5:f2:8e:ad:02:69:34:fd:30:f1:c0:50:a5:29:
         3f:86:c5:53:9b:b5:22:19:6f:c5:1a:bc:6b:20:a5:df:a4:67:
         c2:18:80:8a:0f:10:8c:7e:e5:8a:22:c8:6e:d0:78:cf:d2:91:
         21:a3:00:17:d4:bb:35:a6:27:b6:4a:82:b7:f9:51:21:62:d9:
         0e:15:12:ea
-----BEGIN CERTIFICATE-----
MIICHDCCAQagAwIBAgIEcljC6jALBgkqhkiG9w0BAQswLjEsMCoGA1UEAxMjWXVi
aWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwIBcNMTQwODAxMDAwMDAw
WhgPMjA1MDA5MDQwMDAwMDBaMCsxKTAnBgNVBAMMIFl1YmljbyBVMkYgRUUgU2Vy
aWFsIDE0ODAzMzIxNTc4MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEorA5kyJU
MZ1B+khU1XyhjetpzJs+TYGuOZ8yPoEWQ5nvKpUUZz0VfOy/tfC8x4kIU+5Vzz8a
IGb01RObk4sxC6MSMBAwDgYKKwYBBAGCxAoBAgQAMAsGCSqGSIb3DQEBCwOCAQEA
vMwa+Qt7lXgY1VWkM3FqYBas7csxMsNBDzZhZBBsI9kqsGxdHCy2kprUIUiqKjrz
rlOJOmqhQMrpMmWTFT2SqgD9FYdLAjKUTM6Q7xGYzt7+oIeWfGyA5rUACeQdp5yC
8laXOwwO7Wo93VK2czTA/L/m2IynU7GSf0M0LLbHsCD5KBTiEUbarWtIsJBBYl/3
MEddSBflEhnEBylAaDF+uST/Z2Og80N1x6ZTg92x1Dh7AotjKgWVPtXyjq0CaTT9
MPHAUKUpP4bFU5u1IhlvxRq8ayCl36RnwhiAig8QjH7liiLIbtB4z9KRIaMAF9S7
NaYntkqCt/lRIWLZDhUS6g==
-----END CERTIFICATE-----
</pre>

==FIDO U2F test (login)==

<pre>
Login Data
username: doegox
password: demodemo

Challenge Data
version: U2F_V2
challenge: JRrh04hHKIxAuLk7SXSRQPwqK4994NQR0EfWIzY4wgc
keyHandle: Z_3LYt_Otuu6TjyvSA3MXxefj29kmel7o54Hn6rqiS1jUbf8LabB5cJRHiyKHEkOh9IMG9F2EwE9tFGXvjGJ-Q

Response Data
clientData: {"typ":"navigator.id.getAssertion","challenge":"JRrh04hHKIxAuLk7SXSRQPwqK4994NQR0EfWIzY4wgc","origin":"https://demo.yubico.com","cid_pubkey":""}
signatureData: AQAAAAEwRAIgLrqKb81ePH9jcIGFDjyEWwc5p4jJV80IpxGY8lw4lfMCIFR36WIIpcXWYBpq6W9VVUud9pE19k09do8KKEpm1kij

Authentication Parameters
touch: true
counter: 1
</pre>
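The login response above is opaque as printed, so here is an added Python example (not code from this page nor from Yubico's demo server) that parses the captured signatureData into its user-presence byte, counter and DER ECDSA signature, rebuilds the bytes the token signed (SHA256(appId) || flags || counter || SHA256(clientData)), and runs the relying-party checks that need no key material: challenge and origin echoed in clientData, user presence, and a strictly increasing counter. The registered user public key is not on the page (registrationData was elided), so the ECDSA verification of signed_message() itself is left to the caller; the constants are the values captured above.

```python
"""Parse and sanity-check a U2F authentication response (added example; not from
the page or from Yubico).  Constants are the values captured on this page."""
import base64
import hashlib
import json
import struct

APP_ID = "https://demo.yubico.com"
CHALLENGE = "JRrh04hHKIxAuLk7SXSRQPwqK4994NQR0EfWIzY4wgc"
CLIENT_DATA = ('{"typ":"navigator.id.getAssertion","challenge":"JRrh04hHKIxAuLk7SXSRQPwqK4994NQR0EfWIzY4wgc",'
               '"origin":"https://demo.yubico.com","cid_pubkey":""}')
SIGNATURE_DATA = ("AQAAAAEwRAIgLrqKb81ePH9jcIGFDjyEWwc5p4jJV80IpxGY8lw4lfMC"
                  "IFR36WIIpcXWYBpq6W9VVUud9pE19k09do8KKEpm1kij")


def b64url_decode(s: str) -> bytes:
    """U2F uses unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _parse_der_ecdsa(der: bytes):
    """SEQUENCE { INTEGER r, INTEGER s }; single-byte lengths suffice for P-256."""
    if len(der) < 8 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("bad DER SEQUENCE")
    pos, ints = 2, []
    for _ in range(2):
        if pos + 2 > len(der) or der[pos] != 0x02:
            raise ValueError("expected DER INTEGER")
        length = der[pos + 1]
        body = der[pos + 2:pos + 2 + length]
        if length == 0 or len(body) != length:
            raise ValueError("truncated DER INTEGER")
        ints.append(int.from_bytes(body, "big"))
        pos += 2 + length
    if pos != len(der):
        raise ValueError("trailing bytes after signature")
    return ints[0], ints[1]


def parse_signature_data(signature_data: str) -> dict:
    """signatureData = user-presence byte || 4-byte big-endian counter || DER ECDSA sig."""
    raw = b64url_decode(signature_data)
    if len(raw) < 5:
        raise ValueError("signatureData too short")
    flags, counter = struct.unpack(">BI", raw[:5])
    r, s = _parse_der_ecdsa(raw[5:])
    return {"user_presence": bool(flags & 0x01), "counter": counter,
            "flags_counter": raw[:5], "r": r, "s": s, "der_len": len(raw) - 5}


def signed_message(app_id: str, client_data: str, flags_counter: bytes) -> bytes:
    """Bytes the token signed: SHA256(appId) || flags || counter || SHA256(clientData)."""
    return (hashlib.sha256(app_id.encode()).digest() + flags_counter
            + hashlib.sha256(client_data.encode()).digest())


def check_assertion(client_data: str, expected_challenge: str, expected_origin: str,
                    sig: dict, last_counter: int) -> list:
    """Relying-party checks that need no key: typ, challenge, origin, presence, counter.
    Returns the list of problems found (empty list = all checks passed)."""
    problems = []
    cd = json.loads(client_data)
    if cd.get("typ") != "navigator.id.getAssertion":
        problems.append("wrong typ")
    if cd.get("challenge") != expected_challenge:
        problems.append("challenge mismatch")
    if cd.get("origin") != expected_origin:
        problems.append("origin mismatch")
    if not sig["user_presence"]:
        problems.append("user presence not asserted")
    if sig["counter"] <= last_counter:
        problems.append("counter did not increase (possible cloned token)")
    return problems
```

The counter check is the one defenders most often forget: the server must store the last counter per key handle and refuse any assertion whose counter is not strictly greater, since a duplicated token would eventually replay a lower value.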
==Configuration==

yubikey-personalization-gui

or

man ykpersonalize

==Google==

* Go to https://security.google.com/settings/security/securitykey/add
* Press Register then touch the key

==OpenPGP==

For info, applet source [https://github.com/Yubico/ykneo-openpgp here]

Make sure CCID mode is activated.

See [[GnuPG#Yubikey]]

TODO
* https://www.yubico.com/2012/12/yubikey-neo-openpgp/
* https://www.2realities.com/blog/2014/11/04/yubikey-slash-openpgp-smartcards-for-newbies/
* https://wiki.gnome.org/Projects/GnomeKeyring

==Misc==

* [https://www.yubico.com/start/ First time use]
* [https://www.yubico.com/applications/ Yubico applications]
* [https://demo.yubico.com/php-yubico/Modhex_Calculator.php Modhex calculator]
* [https://developers.yubico.com/ OpenSource]
* http://uname.pingveno.net/blog/index.php/post/2013/08/06/Configure-2-factor-Yubikey-authentication-for-Debian-%3A-the-easiest-way

==Other Debian packages==

<pre>
libauth-yubikey-decrypter-perl - yubikey token output decryptor
libauth-yubikey-webclient-perl - Perl module to authenticate Yubikey against the Yubico Web API

python-pyhsm - Python code for talking to a Yubico YubiHSM hardware
yhsm-daemon - YubiHSM server daemon
yhsm-tools - Common files for YubiHSM applications
yhsm-validation-server - Validation server using YubiHSM
yhsm-yubikey-ksm - Yubikey Key Storage Module using YubiHSM

python-yubico - Python code for talking to Yubico YubiKeys
python-yubico-tools - Tools for Yubico YubiKeys
libykclient3 - Yubikey client library runtime
libpam-yubico - two-factor password and YubiKey OTP PAM module

yubikey-ksm - Key Storage Module for YubiKey One-Time Password (OTP) tokens
yubikey-server-c - Yubikey validation server
yubikey-val - One-Time Password (OTP) validation server for YubiKey tokens
yubiserver - Yubikey OTP and HOTP/OATH Validation Server
libapache2-mod-authn-yubikey - Yubikey authentication provider for Apache

libu2f-server0 - Universal 2nd Factor (U2F) server communication C Library
u2f-server - Command line tool to do Universal 2nd Factor (U2F) operations
</pre>
=YubiKey 4C Nano=

Beware: from this version on, Yubico replaced all open source components by closed-source ones: https://github.com/Yubico/ykneo-openpgp/issues/2#issuecomment-218446368

See also https://wiki.debian.org/Smartcards/YubiKey4

==First time plugged==

<pre>
new full-speed USB device number 2 using xhci_hcd
New USB device found, idVendor=1050, idProduct=0407
New USB device strings: Mfr=1, Product=2, SerialNumber=0
Product: Yubikey 4 OTP+U2F+CCID
Manufacturer: Yubico
input: Yubico Yubikey 4 OTP+U2F+CCID as /devices/pci0000:00/0000:00:1d.6/0000:06:00.0/0000:07:02.0/0000:3e:00.0/usb3/3-1/3-1:1.0/0003:1050:0407.0004/input/input26
hid-generic 0003:1050:0407.0004: input,hidraw2: USB HID v1.10 Keyboard [Yubico Yubikey 4 OTP+U2F+CCID] on usb-0000:3e:00.0-1/input0
hid-generic 0003:1050:0407.0005: hiddev2,hidraw3: USB HID v1.10 Device [Yubico Yubikey 4 OTP+U2F+CCID] on usb-0000:3e:00.0-1/input1
</pre>

==OTP test==

<pre>
Parameters
tab=one-factor
mode=one-factor
key=cccccchkrlrljuhribikcfginlbvhunchknuelfunnlu
identity=cccccchkrlrl
serial=6933194

Authentication Output
h=Z1jquAXFhhPvZJL2AvbAnhFqVOw=
t=2017-12-07T13:52:56Z0602
otp=cccccchkrlrljuhribikcfginlbvhunchknuelfunnlu
nonce=9cdcd3a9cb255714b6bfb7250542010f
sl=25
status=OK
</pre>

==Install==

pcsc_scan results:
<pre>
Reader 2: Yubico Yubikey 4 OTP+U2F+CCID 02 00
  Card state: Card inserted,
  ATR: 3B F8 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 34 D4

ATR: 3B F8 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 34 D4
+ TS = 3B --> Direct Convention
+ T0 = F8, Y(1): 1111, K: 8 (historical bytes)
  TA(1) = 13 --> Fi=372, Di=4, 93 cycles/ETU
    43010 bits/s at 4 MHz, fMax for Fi = 5 MHz => 53763 bits/s
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
  TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1
-----
  TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1
-----
  TA(3) = FE --> IFSC: 254
  TB(3) = 15 --> Block Waiting Integer: 1 - Character Waiting Integer: 5
+ Historical bytes: 59 75 62 69 6B 65 79 34
  Category indicator byte: 59 (proprietary format)
+ TCK = D4 (correct checksum)

Possibly identified card (using /home/phil/.cache/smartcard_list.txt):
3B F8 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 34 D4
        Yubico Yubikey 4 OTP+CCID
</pre>
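Both pcsc_scan dumps on this page (the NEO's above in the first part, and the YubiKey 4's just here) decode an ISO 7816-3 ATR byte by byte. The following is an added Python example, not code from this page nor from pcsc-tools: a small ATR parser that walks TS, T0, the TA/TB/TC/TD chain, the historical bytes and the TCK checksum, and recomputes the fields pcsc_scan printed (Fi=372, Di=4, 93 cycles/ETU, 43010 bit/s at 4 MHz, IFSC 254, BWI 1 / CWI 5, the readable "YubikeyNEOr3" / "Yubikey4" historical bytes). The Fi/Di/fMax tables are the ISO 7816-3 ones; the two ATR constants are copied from the page.

```python
"""Minimal ISO 7816-3 ATR parser (added example; not from the page or pcsc-tools)."""

# Clock-rate (Fi), bit-rate (Di) and max-frequency tables from ISO 7816-3,
# indexed by the high / low nibble of TA1.  None marks reserved values.
FI = [372, 372, 558, 744, 1116, 1488, 1860, None, None, 512, 768, 1024, 1536, 2048, None, None]
DI = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20, None, None, None, None, None, None]
FMAX_MHZ = [4, 5, 6, 8, 12, 16, 20, None, None, 5, 7.5, 10, 15, 20, None, None]

# ATRs copied from the pcsc_scan output on this page
NEO_ATR = bytes.fromhex("3BFC1300008131FE15597562696B65794E454F7233E1")
YK4_ATR = bytes.fromhex("3BF81300008131FE15597562696B657934D4")


def parse_atr(atr: bytes) -> dict:
    """Walk TS, T0, the TA/TB/TC/TD chains, the historical bytes and TCK."""
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("TS must be 3B (direct) or 3F (inverse convention)")
    info = {"convention": "direct" if atr[0] == 0x3B else "inverse",
            "interface": {}, "protocols": set()}
    t0 = atr[1]
    k = t0 & 0x0F                     # K: number of historical bytes
    y = t0 >> 4                       # Y(1): which of TA1 TB1 TC1 TD1 follow
    pos, i = 2, 1
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError("ATR truncated inside interface bytes")
                info["interface"][f"{name}{i}"] = atr[pos]
                pos += 1
        td = info["interface"].get(f"TD{i}")
        if td is None:
            break                         # no TDi: the chain ends here
        info["protocols"].add(td & 0x0F)  # low nibble: offered protocol T
        y = td >> 4                       # high nibble: Y(i+1)
        i += 1
    hist = atr[pos:pos + k]
    if len(hist) != k:
        raise ValueError("ATR truncated inside historical bytes")
    pos += k
    info["historical"] = hist
    # TCK is present unless only T=0 is offered; XOR of T0..TCK must be 0.
    if info["protocols"] - {0}:
        if pos != len(atr) - 1:
            raise ValueError("unexpected ATR length (TCK expected)")
        xor = 0
        for b in atr[1:]:
            xor ^= b
        info["tck_ok"] = xor == 0
    elif pos != len(atr):
        raise ValueError("unexpected ATR length")
    # Timing: TA1 defaults to 0x11 (Fi=372, Di=1) when absent.
    ta1 = info["interface"].get("TA1", 0x11)
    info["Fi"], info["Di"] = FI[ta1 >> 4], DI[ta1 & 0x0F]
    if info["Fi"] and info["Di"]:
        info["cycles_per_etu"] = info["Fi"] // info["Di"]
        info["bits_per_s_at_4mhz"] = 4_000_000 // info["cycles_per_etu"]
        info["bits_per_s_at_fmax"] = int(FMAX_MHZ[ta1 >> 4] * 1_000_000) // info["cycles_per_etu"]
    # T=1 parameters: on the YubiKey ATRs of this page the T=1 TA/TB pair is TA3/TB3.
    if 1 in info["protocols"]:
        if "TA3" in info["interface"]:
            info["IFSC"] = info["interface"]["TA3"]
        if "TB3" in info["interface"]:
            tb3 = info["interface"]["TB3"]
            info["BWI"], info["CWI"] = tb3 >> 4, tb3 & 0x0F
    return info


def looks_like_yubikey(info: dict) -> bool:
    """Yubico puts a readable model name in the historical bytes; handy when
    inventorying readers, though only the applets prove what the device is."""
    return info["historical"].startswith(b"Yubikey")
```

Checking TCK yourself is worthwhile when a reader reports odd ATRs: a checksum failure means the bytes were mangled between card and host and nothing decoded from them should be trusted.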
<pre>
# apt-get install yubikey-personalization yubikey-personalization-gui yubikey-neo-manager yubico-piv-tool

$ ykinfo -a
serial: 6933194
serial_hex: 69caca
serial_modhex: hkrlrl
version: 4.3.7
touch_level: 1029
programming_sequence: 1
slot1_status: 1
slot2_status: 0
vendor_id: 1050
product_id: 407

$ ykinfo -c
capabilities: 0c0101ff02040069caca03013f

$ yubikey-personalization-gui &

$ neoman &
</pre>

Connection mode:
* OTP+U2F+CCID

Now we see available applets:
* YubiKey OTP
* YubiOATH
* Yubico U2F
* OpenPGP
* Yubico PIV
==Disabling HID==

<source lang=bash>
# USB mode 5 = U2F+CCID: the OTP (HID keyboard) interface is switched off
$ ykpersonalize -m5
Firmware version 4.3.7 Touch level 1029 Program sequence 1
The USB mode will be set to: 0x5
Commit? (y/n) [n]: y
WARNING: Changing mode will require you to use another tool (ykneomgr or u2f-host) to switch back if OTP mode is disabled, really commit? (y/n) [n]: y

# Re-plug

# ykpersonalize talks over HID, so it no longer sees the key:
$ ykpersonalize
Yubikey core error: no yubikey present

# ykneomgr goes through CCID and still works; it reads back the mode
$ ykneomgr -m
05
</source>
==A new key==

This is a weird usage :)

The "`/~" key of my keyboard got broken (along with F1 and F2 but I can live without them).

So I'm using the static password feature to get back that dead deadkey...

<source lang=bash>
# Re-enable HID (and disable U2F): mode 2 = OTP+CCID
$ ykneomgr -M 2

# Configure with the GUI
$ yubikey-personalization-gui
## Settings / "Enter" (to disable automatic carriage-return, it must be unselected)
## Settings / "Use fast triggering" (as I don't use slot2, it becomes more responsive and skips the 0.3s delay)
## Static Password / Scan code / Configuration Slot 1 / Keyboard: US layout / Password: "`" (scancode=35) / Write configuration
</source>

Now the key works as expected (it's a deadkey in the US intl mode) and works with modifiers such as "Shift" \o/
==Thunderbird/Gpg Exclusive Mode==

Thunderbird (actually the command-line gpg) requires connecting to the YubiKey in Exclusive Mode, but if e.g. the Brave browser was started before, it has already opened the connection in Shared Mode.

One can add to the script that launches the browser:
<pre>
( sleep 3; pcsc_scan -n -c | grep -i -A3 "YubiKey" | grep -i -q "Shared Mode" && sudo service pcscd restart ) &
</pre>