Difference between revisions of "Yubikey"

From YobiWiki
Jump to navigation Jump to search
m
 
(7 intermediate revisions by the same user not shown)
Line 289: Line 289:
 
3B F8 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 34 D4
 
3B F8 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 34 D4
 
Yubico Yubikey 4 OTP+CCID
 
Yubico Yubikey 4 OTP+CCID
  +
</pre>
  +
  +
<pre>
  +
# apt-get install yubikey-personalization yubikey-personalization-gui yubikey-neo-manager yubico-piv-tool
  +
  +
$ ykinfo -a
  +
serial: 6933194
  +
serial_hex: 69caca
  +
serial_modhex: hkrlrl
  +
version: 4.3.7
  +
touch_level: 1029
  +
programming_sequence: 1
  +
slot1_status: 1
  +
slot2_status: 0
  +
vendor_id: 1050
  +
product_id: 407
  +
  +
$ ykinfo -c
  +
capabilities: 0c0101ff02040069caca03013f
  +
  +
$ yubikey-personalization-gui &
  +
  +
$ neoman &
  +
</pre>
  +
  +
Connection mode:
  +
* OTP+U2F+CCID
  +
  +
Now we see available applets
  +
* YubiKey OTP
  +
* YubiOATH
  +
* Yubico U2F
  +
* OpenPGP
  +
* Yubico PIV
  +
  +
==Disabling HID==
  +
  +
<source lang=bash>
  +
$ ykpersonalize -m5
  +
Firmware version 4.3.7 Touch level 1029 Program sequence 1
  +
The USB mode will be set to: 0x5
  +
Commit? (y/n) [n]: y
  +
WARNING: Changing mode will require you to use another tool (ykneomgr or u2f-host) to switch back if OTP mode is disabled, really commit? (y/n) [n]: y
  +
  +
# Re-plug
  +
  +
$ ykpersonalize
  +
Yubikey core error: no yubikey present
  +
  +
$ ykneomgr -m
  +
05
  +
</source>
  +
  +
==A new key==
  +
  +
This is a weird usage :)
  +
  +
The "`/~" key of my keyboard got broken (along with F1 and F2 but I can live without them).
  +
  +
So I'm using the static password feature to get back that dead deadkey...
  +
  +
<source lang=bash>
  +
# Re-enable HID (and disable U2F):
  +
$ ykneomgr -M 2
  +
  +
# Configure with the GUI
  +
$ yubikey-personalization-gui
  +
## Settings / "Enter" (to disable automatic carriage-return, it must be unselected)
  +
## Settings / "Use fast triggering" (as I don't use slot2, it becomes more responsive and skip the 0.3s delay)
  +
## Static Password / Scan code / Configuration Slot 1 / Keyboard: US layout / Password: "`" (scancode=35) / Write configuration
  +
</source>
  +
  +
Now the key works as expected (it's a deadkey in the US intl mode) and works with modifiers such as "Shift" \o/
  +
  +
==Thunderbird/Gpg Exclusive Mode==
  +
  +
Thunderbird (actually the command-line gpg) requires connecting to the YubiKey in Exclusive Mode but if e.g. the Brave browser was started before, it has already opened the connection in Shared Mode.
  +
One can add to the script to launch the browser:
  +
<pre>
  +
( sleep 3; pcsc_scan -n -c |grep -i -A3 "YubiKey"|grep -i -q "Shared Mode" && sudo service pcscd restart ) &
 
</pre>
 
</pre>

Latest revision as of 09:19, 25 April 2023

Yubikey Neo Nano

First time plugged

new full-speed USB device number 31 using xhci_hcd
New USB device found, idVendor=1050, idProduct=0114
New USB device strings: Mfr=1, Product=2, SerialNumber=0
Product: Yubikey NEO OTP+U2F
Manufacturer: Yubico

OTP test

Can be performed without any install as OTP is using the keyboard emulation mode.
Visit https://demo.yubico.com/
As an HID device (keyboard), the YubiKey actually emits "scan codes" rather than actual characters. Different keyboard layouts have a different mapping between scan codes and the characters they represent.
Therefore, Yubico has designed a character set which is invariant between keyboard layouts which has 16 characters and we call the Modhex set – Modified Hexadecimal. Therefore, each character has 4 bits of entropy.

Parameters
device=neonano
key=ccccccdugjdbtnglkbibhjkeifunghgngibgfjcunlfl
identity=ccccccdugjdb
serial=3037217

Authentication Output
h=sznj5f+KKweKLObaoMo44IJMGOM=
t=2015-03-12T19:37:09Z0788
otp=ccccccdugjdbtnglkbibhjkeifunghgngibgfjcunlfl
nonce=a830bdee7aa3735626ea90bcd5b2428c
sl=25
status=OK

Install

For CCID & U2F, one needs some extra steps.
Note that contrary to what is said in Yubico docs, mine had already the mode U2F activated.

To use U2F with Chrome, install FIDO U2F plugin

We need the yubikey neo manager, cf NEO-Manager-Quick-Start-Guide.pdf Install Yubikey neo manager, here yubikey-neo-manager-1.1.0.tar.gz
We could use "python setup.py install --user" but it would also install locally pySide which we install properly via apt-get

sudo apt-get install ykneomgr python-pyside yubikey-personalization yubikey-personalization-gui u2f-host
tar yubikey-neo-manager-1.1.0.tar.gz
cd yubikey-neo-manager-1.1.0
cp scripts/neoman neoman.py
./neoman.py
Serial: 3037217
FW version: 3.3.0
U2F/FIDO: supported
Change connection mode [OTP+U2F]

We can change its name for sth more convivial
There are three supports that can be activated:

  • The OTP mode refers to the YubiKey functions the NEO shares with the standard YubiKey, including two Configuration Slots that can be programmed with any two of the following: Yubico OTP (programmed by Yubico in Slot 1, by default), OATH-HOTP, Challenge-Response and Static Password.
  • The CCID Mode refers to the smart card elements on the YubiKey NEO and NEO-n, and includes the NEO applets such as OpenPGP, PIV and YubiOATH.
  • The U2F Mode refers to the Universal 2nd Factor (U2F) functionality of the YubiKey NEO and NEO-n.

Activate all supports:

  • Change connection mode => +OTP +CCID +U2F
  • unplug/wait/replug

Now we see available applets

  • YubiKey OTP
  • YubiOATH
  • Yubico U2F
  • OpenPGP
  • Yubico PIV

pcsc_scan results:

Reader 0: Yubico Yubikey NEO OTP+U2F+CCID 00 00
  Card state: Card inserted, 
  ATR: 3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1

ATR: 3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1
+ TS = 3B --> Direct Convention
+ T0 = FC, Y(1): 1111, K: 12 (historical bytes)
  TA(1) = 13 --> Fi=372, Di=4, 93 cycles/ETU
    43010 bits/s at 4 MHz, fMax for Fi = 5 MHz => 53763 bits/s
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
  TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1 
-----
  TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1 
-----
  TA(3) = FE --> IFSC: 254
  TB(3) = 15 --> Block Waiting Integer: 1 - Character Waiting Integer: 5
+ Historical bytes: 59 75 62 69 6B 65 79 4E 45 4F 72 33
  Category indicator byte: 59 (proprietary format)
+ TCK = E1 (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1
	YubiKey NEO (PKI)
	http://www.yubico.com/

FIDO U2F test (registration)


Go to https://demo.yubico.com/start/u2f/neonano

Register:
Create doegox / demodemo

Login Data
username: doegox
password: demodemo

Enroll Data
origin: https://demo.yubico.com
version: U2F_V2
challenge: SMkZgqF8LYgnhZTQaYcVTZc3DzO8RXY8TfLhveiIQz4
appId: https://demo.yubico.com

Response Data
clientData: {"typ":"navigator.id.finishEnrollment","challenge":"SMkZgqF8LYgnhZTQaYcVTZc3DzO8RXY8TfLhveiIQz4","origin":"https://demo.yubico.com","cid_pubkey":""}
registrationData: 0504ceb7c2675e1370b64ec95fabd98c1f68f1dddf706ffc20d56367ae3274717a6ea95259ece26ca7d4c38db3b81c2a7a9b628cdaa6bcc2487d1a04f83e7178a5144067fdcb62dfceb6ebba4e3caf480dcc5f179f8f6f6499e97ba39e079faaea892d6351b7fc2da6c1e5c2511e2c8a1c490e87d20c1bd17613013db45197be3189f93082021c30820106a00302010202047258c2ea300b06092a864886f70d01010b302e312c302a0603550403132359756269636f2055324620526f6f742043412053657269616c203435373230303633313020170d3134303830313030303030305a180f32303530303930343030303030305a302b3129302706035504030c2059756269636f205532462045452053657269616c2031343830333332313537383059301306072a8648ce3d020106082a8648ce3d03010703420004a2b039932254319d41fa4854d57ca18deb69cc9b3e4d81ae399f323e81164399ef2a9514673d157cecbfb5f0bcc7890853ee55cf3f1a2066f4d5139b938b310ba3123010300e060a2b0601040182c40a01020400300b06092a864886f70d01010b0382010101bccc1af90b7b957818d555a433716a6016acedcb3132c3410f366164106c23d92ab06c5d1c2cb6929ad42148aa2a3af3ae53893a6aa140cae9326593153d92aa00fd15874b0232944cce90ef1198cedefea087967c6c80e6b50009e41da79c82f256973b0c0eed6a3ddd52b67334c0fcbfe6d88ca753b1927f43342cb6c7b020f92814e21146daad6b48b09041625ff730475d4817e51219c407294068317eb924ff6763a0f34375c7a65383ddb1d4387b028b632a05953ed5f28ead026934fd30f1c050a5293f86c5539bb522196fc51abc6b20a5dfa467c218808a0f108c7ee58a22c86ed078cfd29121a30017d4bb35a627b64a82b7f9512162d90e1512ea3045022100d2648a850920595a0285709ce12f9975d01cc8005d2bddc568855f8aed8926fe02206c15949affb6bc15fb32f3b7f1064202e07ee10008607a6f2e16ad45f611f93b

Attestation Certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1918419690 (0x7258c2ea)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Yubico U2F Root CA Serial 457200631
        Validity
            Not Before: Aug  1 00:00:00 2014 GMT
            Not After : Sep  4 00:00:00 2050 GMT
        Subject: CN=Yubico U2F EE Serial 14803321578
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub: 
                    04:a2:b0:39:93:22:54:31:9d:41:fa:48:54:d5:7c:
                    a1:8d:eb:69:cc:9b:3e:4d:81:ae:39:9f:32:3e:81:
                    16:43:99:ef:2a:95:14:67:3d:15:7c:ec:bf:b5:f0:
                    bc:c7:89:08:53:ee:55:cf:3f:1a:20:66:f4:d5:13:
                    9b:93:8b:31:0b
                ASN1 OID: prime256v1
        X509v3 extensions:
            1.3.6.1.4.1.41482.1.2: 
               
    Signature Algorithm: sha256WithRSAEncryption
         bc:cc:1a:f9:0b:7b:95:78:18:d5:55:a4:33:71:6a:60:16:ac:
         ed:cb:31:32:c3:41:0f:36:61:64:10:6c:23:d9:2a:b0:6c:5d:
         1c:2c:b6:92:9a:d4:21:48:aa:2a:3a:f3:ae:53:89:3a:6a:a1:
         40:ca:e9:32:65:93:15:3d:92:aa:00:fd:15:87:4b:02:32:94:
         4c:ce:90:ef:11:98:ce:de:fe:a0:87:96:7c:6c:80:e6:b5:00:
         09:e4:1d:a7:9c:82:f2:56:97:3b:0c:0e:ed:6a:3d:dd:52:b6:
         73:34:c0:fc:bf:e6:d8:8c:a7:53:b1:92:7f:43:34:2c:b6:c7:
         b0:20:f9:28:14:e2:11:46:da:ad:6b:48:b0:90:41:62:5f:f7:
         30:47:5d:48:17:e5:12:19:c4:07:29:40:68:31:7e:b9:24:ff:
         67:63:a0:f3:43:75:c7:a6:53:83:dd:b1:d4:38:7b:02:8b:63:
         2a:05:95:3e:d5:f2:8e:ad:02:69:34:fd:30:f1:c0:50:a5:29:
         3f:86:c5:53:9b:b5:22:19:6f:c5:1a:bc:6b:20:a5:df:a4:67:
         c2:18:80:8a:0f:10:8c:7e:e5:8a:22:c8:6e:d0:78:cf:d2:91:
         21:a3:00:17:d4:bb:35:a6:27:b6:4a:82:b7:f9:51:21:62:d9:
         0e:15:12:ea
-----BEGIN CERTIFICATE-----
MIICHDCCAQagAwIBAgIEcljC6jALBgkqhkiG9w0BAQswLjEsMCoGA1UEAxMjWXVi
aWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwIBcNMTQwODAxMDAwMDAw
WhgPMjA1MDA5MDQwMDAwMDBaMCsxKTAnBgNVBAMMIFl1YmljbyBVMkYgRUUgU2Vy
aWFsIDE0ODAzMzIxNTc4MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEorA5kyJU
MZ1B+khU1XyhjetpzJs+TYGuOZ8yPoEWQ5nvKpUUZz0VfOy/tfC8x4kIU+5Vzz8a
IGb01RObk4sxC6MSMBAwDgYKKwYBBAGCxAoBAgQAMAsGCSqGSIb3DQEBCwOCAQEA
vMwa+Qt7lXgY1VWkM3FqYBas7csxMsNBDzZhZBBsI9kqsGxdHCy2kprUIUiqKjrz
rlOJOmqhQMrpMmWTFT2SqgD9FYdLAjKUTM6Q7xGYzt7+oIeWfGyA5rUACeQdp5yC
8laXOwwO7Wo93VK2czTA/L/m2IynU7GSf0M0LLbHsCD5KBTiEUbarWtIsJBBYl/3
MEddSBflEhnEBylAaDF+uST/Z2Og80N1x6ZTg92x1Dh7AotjKgWVPtXyjq0CaTT9
MPHAUKUpP4bFU5u1IhlvxRq8ayCl36RnwhiAig8QjH7liiLIbtB4z9KRIaMAF9S7
NaYntkqCt/lRIWLZDhUS6g==
-----END CERTIFICATE-----

FIDO U2F test (login)

Login Data
username: doegox
password: demodemo

Challenge Data
version: U2F_V2
challenge: JRrh04hHKIxAuLk7SXSRQPwqK4994NQR0EfWIzY4wgc
keyHandle: Z_3LYt_Otuu6TjyvSA3MXxefj29kmel7o54Hn6rqiS1jUbf8LabB5cJRHiyKHEkOh9IMG9F2EwE9tFGXvjGJ-Q

Response Data
clientData: {"typ":"navigator.id.getAssertion","challenge":"JRrh04hHKIxAuLk7SXSRQPwqK4994NQR0EfWIzY4wgc","origin":"https://demo.yubico.com","cid_pubkey":""}
signatureData: AQAAAAEwRAIgLrqKb81ePH9jcIGFDjyEWwc5p4jJV80IpxGY8lw4lfMCIFR36WIIpcXWYBpq6W9VVUud9pE19k09do8KKEpm1kij

Authentication Parameters
touch: true
counter: 1

Configuration

yubikey-personalization-gui

or

man ykpersonalize

Google

OpenPGP

For info, applet source here
Make user CCID mode is activated

See GnuPG#Yubikey

TODO

Misc

Other Debian packages

libauth-yubikey-decrypter-perl - yubikey token output decryptor
libauth-yubikey-webclient-perl - Perl module to authenticate Yubikey against the Yubico Web API
python-pyhsm - Python code for talking to a Yubico YubiHSM hardware
yhsm-daemon - YubiHSM server daemon
yhsm-tools - Common files for YubiHSM applications
yhsm-validation-server - Validation server using YubiHSM
yhsm-yubikey-ksm - Yubikey Key Storage Module using YubiHSM
python-yubico - Python code for talking to Yubico YubiKeys
python-yubico-tools - Tools for Yubico YubiKeys
libykclient3 - Yubikey client library runtime
libpam-yubico - two-factor password and YubiKey OTP PAM module
yubikey-ksm - Key Storage Module for YubiKey One-Time Password (OTP) tokens
yubikey-server-c - Yubikey validation server
yubikey-val - One-Time Password (OTP) validation server for YubiKey tokens
yubiserver - Yubikey OTP and HOTP/OATH Validation Server
libapache2-mod-authn-yubikey - Yubikey authentication provider for Apache
libu2f-server0 - Universal 2nd Factor (U2F) server communication C Library
u2f-server - Command line tool to do Universal 2nd Factor (U2F) operations

YubiKey 4C Nano

Beware from this version on, Yubico replaced all open source components by closed-source ones: https://github.com/Yubico/ykneo-openpgp/issues/2#issuecomment-218446368

See also https://wiki.debian.org/Smartcards/YubiKey4

First time plugged

new full-speed USB device number 2 using xhci_hcd
New USB device found, idVendor=1050, idProduct=0407
New USB device strings: Mfr=1, Product=2, SerialNumber=0
Product: Yubikey 4 OTP+U2F+CCID
Manufacturer: Yubico
input: Yubico Yubikey 4 OTP+U2F+CCID as /devices/pci0000:00/0000:00:1d.6/0000:06:00.0/0000:07:02.0/0000:3e:00.0/usb3/3-1/3-1:1.0/0003:1050:0407.0004/input/input26
hid-generic 0003:1050:0407.0004: input,hidraw2: USB HID v1.10 Keyboard [Yubico Yubikey 4 OTP+U2F+CCID] on usb-0000:3e:00.0-1/input0
hid-generic 0003:1050:0407.0005: hiddev2,hidraw3: USB HID v1.10 Device [Yubico Yubikey 4 OTP+U2F+CCID] on usb-0000:3e:00.0-1/input1

OTP test

Parameters
tab=one-factor
mode=one-factor
key=cccccchkrlrljuhribikcfginlbvhunchknuelfunnlu
identity=cccccchkrlrl
serial=6933194

Authentication Output
h=Z1jquAXFhhPvZJL2AvbAnhFqVOw=
t=2017-12-07T13:52:56Z0602
otp=cccccchkrlrljuhribikcfginlbvhunchknuelfunnlu
nonce=9cdcd3a9cb255714b6bfb7250542010f
sl=25
status=OK

Install

pcsc_scan results:

 Reader 2: Yubico Yubikey 4 OTP+U2F+CCID 02 00
  Card state: Card inserted, 
  ATR: 3B F8 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 34 D4

ATR: 3B F8 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 34 D4
+ TS = 3B --> Direct Convention
+ T0 = F8, Y(1): 1111, K: 8 (historical bytes)
  TA(1) = 13 --> Fi=372, Di=4, 93 cycles/ETU
    43010 bits/s at 4 MHz, fMax for Fi = 5 MHz => 53763 bits/s
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
  TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1 
-----
  TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1 
-----
  TA(3) = FE --> IFSC: 254
  TB(3) = 15 --> Block Waiting Integer: 1 - Character Waiting Integer: 5
+ Historical bytes: 59 75 62 69 6B 65 79 34
  Category indicator byte: 59 (proprietary format)
+ TCK = D4 (correct checksum)

Possibly identified card (using /home/phil/.cache/smartcard_list.txt):
3B F8 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 34 D4
	Yubico Yubikey 4 OTP+CCID
# apt-get install yubikey-personalization yubikey-personalization-gui yubikey-neo-manager yubico-piv-tool

$ ykinfo -a
serial: 6933194
serial_hex: 69caca
serial_modhex: hkrlrl
version: 4.3.7
touch_level: 1029
programming_sequence: 1
slot1_status: 1
slot2_status: 0
vendor_id: 1050
product_id: 407

$ ykinfo -c
capabilities: 0c0101ff02040069caca03013f

$ yubikey-personalization-gui &

$ neoman &

Connection mode:

  • OTP+U2F+CCID

Now we see available applets

  • YubiKey OTP
  • YubiOATH
  • Yubico U2F
  • OpenPGP
  • Yubico PIV

Disabling HID

$ ykpersonalize -m5
Firmware version 4.3.7 Touch level 1029 Program sequence 1
The USB mode will be set to: 0x5
Commit? (y/n) [n]: y
WARNING: Changing mode will require you to use another tool (ykneomgr or u2f-host) to switch back if OTP mode is disabled, really commit? (y/n) [n]: y

# Re-plug

$ ykpersonalize 
Yubikey core error: no yubikey present

$ ykneomgr -m
05

A new key

This is a weird usage :)

The "`/~" key of my keyboard got broken (along with F1 and F2 but I can live without them).

So I'm using the static password feature to get back that dead deadkey...

# Re-enable HID (and disable U2F):
$ ykneomgr -M 2

# Configure with the GUI
$ yubikey-personalization-gui
## Settings / "Enter" (to disable automatic carriage-return, it must be unselected)
## Settings / "Use fast triggering" (as I don't use slot2, it becomes more responsive and skip the 0.3s delay)
## Static Password / Scan code / Configuration Slot 1 / Keyboard: US layout / Password: "`" (scancode=35) / Write configuration

Now the key works as expected (it's a deadkey in the US intl mode) and works with modifiers such as "Shift" \o/

Thunderbird/Gpg Exclusive Mode

Thunderbird (actually the command-line gpg) requires connecting to the YubiKey in Exclusive Mode but if e.g. the Brave browser was started before, it has already opened the connection in Shared Mode. One can add to the script to launch the browser:

( sleep 3; pcsc_scan -n -c |grep -i -A3 "YubiKey"|grep -i -q "Shared Mode" && sudo service pcscd restart ) &