Difference between revisions of "Yubikey"
m (→OpenPGP) |
|||
Line 192: | Line 192: | ||
For info, applet source [https://github.com/Yubico/ykneo-openpgp here] |
For info, applet source [https://github.com/Yubico/ykneo-openpgp here] |
||
<br>Make user CCID mode is activated |
<br>Make user CCID mode is activated |
||
+ | |||
+ | See [[GnuPG#Yubikey]] |
||
TODO |
TODO |
Revision as of 11:32, 10 October 2016
Yubikey Neo Nano
First time plugged
new full-speed USB device number 31 using xhci_hcd New USB device found, idVendor=1050, idProduct=0114 New USB device strings: Mfr=1, Product=2, SerialNumber=0 Product: Yubikey NEO OTP+U2F Manufacturer: Yubico
OTP test
Can be performed without any install as OTP is using the keyboard emulation mode.
As an HID device (keyboard), the YubiKey actually emits "scan codes" rather than actual characters. Different keyboard layouts have a different mapping between scan codes and the characters they represent.
Therefore, Yubico has designed a character set which is invariant between keyboard layouts which has 16 characters and we call the Modhex set – Modified Hexadecimal. Therefore, each character has 4 bits of entropy.
Parameters device=neonano key=ccccccdugjdbtnglkbibhjkeifunghgngibgfjcunlfl identity=ccccccdugjdb serial=3037217 Authentication Output h=sznj5f+KKweKLObaoMo44IJMGOM= t=2015-03-12T19:37:09Z0788 otp=ccccccdugjdbtnglkbibhjkeifunghgngibgfjcunlfl nonce=a830bdee7aa3735626ea90bcd5b2428c sl=25 status=OK
Install
For CCID & U2F, one needs some extra steps.
Note that contrary to what is said in Yubico docs, mine had already the mode U2F activated.
To use U2F with Chrome, install FIDO U2F plugin
We need the yubikey neo manager, cf NEO-Manager-Quick-Start-Guide.pdf
Install Yubikey neo manager, here yubikey-neo-manager-1.1.0.tar.gz
We could use "python setup.py install --user" but it would also install locally pySide which we install properly via apt-get
sudo apt-get install ykneomgr python-pyside yubikey-personalization yubikey-personalization-gui u2f-host tar yubikey-neo-manager-1.1.0.tar.gz cd yubikey-neo-manager-1.1.0 cp scripts/neoman neoman.py ./neoman.py
Serial: 3037217 FW version: 3.3.0 U2F/FIDO: supported Change connection mode [OTP+U2F]
We can change its name for sth more convivial
There are three supportes that can be activated:
- The OTP mode refers to the YubiKey functions the NEO shares with the standard YubiKey, including two Configuration Slots that can be programmed with any two of the following: Yubico OTP (programmed by Yubico in Slot 1, by default), OATH-HOTP, Challenge-Response and Static Password.
- The CCID Mode refers to the smart card elements on the YubiKey NEO and NEO-n, and includes the NEO applets such as OpenPGP, PIV and YubiOATH.
- The U2F Mode refers to the Universal 2nd Factor (U2F) functionality of the YubiKey NEO and NEO-n.
Activate all supports:
- Change connection mode => +OTP +CCID +U2F
- unplug/wait/replug
Now we see available applets
- YubiKey OTP
- YubiOATH
- Yubico U2F
- OpenPGP
- Yubico PIV
pcsc_scan results:
Reader 0: Yubico Yubikey NEO OTP+U2F+CCID 00 00 Card state: Card inserted, ATR: 3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1 ATR: 3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1 + TS = 3B --> Direct Convention + T0 = FC, Y(1): 1111, K: 12 (historical bytes) TA(1) = 13 --> Fi=372, Di=4, 93 cycles/ETU 43010 bits/s at 4 MHz, fMax for Fi = 5 MHz => 53763 bits/s TB(1) = 00 --> VPP is not electrically connected TC(1) = 00 --> Extra guard time: 0 TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1 ----- TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1 ----- TA(3) = FE --> IFSC: 254 TB(3) = 15 --> Block Waiting Integer: 1 - Character Waiting Integer: 5 + Historical bytes: 59 75 62 69 6B 65 79 4E 45 4F 72 33 Category indicator byte: 59 (proprietary format) + TCK = E1 (correct checksum) Possibly identified card (using /usr/share/pcsc/smartcard_list.txt): 3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1 YubiKey NEO (PKI) http://www.yubico.com/
FIDO U2F test (registration)
Go to https://demo.yubico.com/start/u2f/neonano
Register:
Create doegox / demodemo
Login Data username: doegox password: demodemo Enroll Data origin: https://demo.yubico.com version: U2F_V2 challenge: SMkZgqF8LYgnhZTQaYcVTZc3DzO8RXY8TfLhveiIQz4 appId: https://demo.yubico.com Response Data clientData: {"typ":"navigator.id.finishEnrollment","challenge":"SMkZgqF8LYgnhZTQaYcVTZc3DzO8RXY8TfLhveiIQz4","origin":"https://demo.yubico.com","cid_pubkey":""} registrationData: 0504ceb7c2675e1370b64ec95fabd98c1f68f1dddf706ffc20d56367ae3274717a6ea95259ece26ca7d4c38db3b81c2a7a9b628cdaa6bcc2487d1a04f83e7178a5144067fdcb62dfceb6ebba4e3caf480dcc5f179f8f6f6499e97ba39e079faaea892d6351b7fc2da6c1e5c2511e2c8a1c490e87d20c1bd17613013db45197be3189f93082021c30820106a00302010202047258c2ea300b06092a864886f70d01010b302e312c302a0603550403132359756269636f2055324620526f6f742043412053657269616c203435373230303633313020170d3134303830313030303030305a180f32303530303930343030303030305a302b3129302706035504030c2059756269636f205532462045452053657269616c2031343830333332313537383059301306072a8648ce3d020106082a8648ce3d03010703420004a2b039932254319d41fa4854d57ca18deb69cc9b3e4d81ae399f323e81164399ef2a9514673d157cecbfb5f0bcc7890853ee55cf3f1a2066f4d5139b938b310ba3123010300e060a2b0601040182c40a01020400300b06092a864886f70d01010b0382010101bccc1af90b7b957818d555a433716a6016acedcb3132c3410f366164106c23d92ab06c5d1c2cb6929ad42148aa2a3af3ae53893a6aa140cae9326593153d92aa00fd15874b0232944cce90ef1198cedefea087967c6c80e6b50009e41da79c82f256973b0c0eed6a3ddd52b67334c0fcbfe6d88ca753b1927f43342cb6c7b020f92814e21146daad6b48b09041625ff730475d4817e51219c407294068317eb924ff6763a0f34375c7a65383ddb1d4387b028b632a05953ed5f28ead026934fd30f1c050a5293f86c5539bb522196fc51abc6b20a5dfa467c218808a0f108c7ee58a22c86ed078cfd29121a30017d4bb35a627b64a82b7f9512162d90e1512ea3045022100d2648a850920595a0285709ce12f9975d01cc8005d2bddc568855f8aed8926fe02206c15949affb6bc15fb32f3b7f1064202e07ee10008607a6f2e16ad45f611f93b Attestation Certificate Certificate: Data: Version: 3 (0x2) Serial Number: 1918419690 (0x7258c2ea) Signature Algorithm: sha256WithRSAEncryption Issuer: CN=Yubico U2F Root CA Serial 457200631 Validity Not Before: Aug 1 00:00:00 2014 GMT Not After : Sep 4 00:00:00 2050 GMT Subject: CN=Yubico U2F EE Serial 14803321578 Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:a2:b0:39:93:22:54:31:9d:41:fa:48:54:d5:7c: a1:8d:eb:69:cc:9b:3e:4d:81:ae:39:9f:32:3e:81: 16:43:99:ef:2a:95:14:67:3d:15:7c:ec:bf:b5:f0: bc:c7:89:08:53:ee:55:cf:3f:1a:20:66:f4:d5:13: 9b:93:8b:31:0b ASN1 OID: prime256v1 X509v3 extensions: 1.3.6.1.4.1.41482.1.2: Signature Algorithm: sha256WithRSAEncryption bc:cc:1a:f9:0b:7b:95:78:18:d5:55:a4:33:71:6a:60:16:ac: ed:cb:31:32:c3:41:0f:36:61:64:10:6c:23:d9:2a:b0:6c:5d: 1c:2c:b6:92:9a:d4:21:48:aa:2a:3a:f3:ae:53:89:3a:6a:a1: 40:ca:e9:32:65:93:15:3d:92:aa:00:fd:15:87:4b:02:32:94: 4c:ce:90:ef:11:98:ce:de:fe:a0:87:96:7c:6c:80:e6:b5:00: 09:e4:1d:a7:9c:82:f2:56:97:3b:0c:0e:ed:6a:3d:dd:52:b6: 73:34:c0:fc:bf:e6:d8:8c:a7:53:b1:92:7f:43:34:2c:b6:c7: b0:20:f9:28:14:e2:11:46:da:ad:6b:48:b0:90:41:62:5f:f7: 30:47:5d:48:17:e5:12:19:c4:07:29:40:68:31:7e:b9:24:ff: 67:63:a0:f3:43:75:c7:a6:53:83:dd:b1:d4:38:7b:02:8b:63: 2a:05:95:3e:d5:f2:8e:ad:02:69:34:fd:30:f1:c0:50:a5:29: 3f:86:c5:53:9b:b5:22:19:6f:c5:1a:bc:6b:20:a5:df:a4:67: c2:18:80:8a:0f:10:8c:7e:e5:8a:22:c8:6e:d0:78:cf:d2:91: 21:a3:00:17:d4:bb:35:a6:27:b6:4a:82:b7:f9:51:21:62:d9: 0e:15:12:ea -----BEGIN CERTIFICATE----- MIICHDCCAQagAwIBAgIEcljC6jALBgkqhkiG9w0BAQswLjEsMCoGA1UEAxMjWXVi aWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwIBcNMTQwODAxMDAwMDAw WhgPMjA1MDA5MDQwMDAwMDBaMCsxKTAnBgNVBAMMIFl1YmljbyBVMkYgRUUgU2Vy aWFsIDE0ODAzMzIxNTc4MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEorA5kyJU MZ1B+khU1XyhjetpzJs+TYGuOZ8yPoEWQ5nvKpUUZz0VfOy/tfC8x4kIU+5Vzz8a IGb01RObk4sxC6MSMBAwDgYKKwYBBAGCxAoBAgQAMAsGCSqGSIb3DQEBCwOCAQEA vMwa+Qt7lXgY1VWkM3FqYBas7csxMsNBDzZhZBBsI9kqsGxdHCy2kprUIUiqKjrz rlOJOmqhQMrpMmWTFT2SqgD9FYdLAjKUTM6Q7xGYzt7+oIeWfGyA5rUACeQdp5yC 8laXOwwO7Wo93VK2czTA/L/m2IynU7GSf0M0LLbHsCD5KBTiEUbarWtIsJBBYl/3 MEddSBflEhnEBylAaDF+uST/Z2Og80N1x6ZTg92x1Dh7AotjKgWVPtXyjq0CaTT9 MPHAUKUpP4bFU5u1IhlvxRq8ayCl36RnwhiAig8QjH7liiLIbtB4z9KRIaMAF9S7 NaYntkqCt/lRIWLZDhUS6g== -----END CERTIFICATE-----
FIDO U2F test (login)
Login Data username: doegox password: demodemo Challenge Data version: U2F_V2 challenge: JRrh04hHKIxAuLk7SXSRQPwqK4994NQR0EfWIzY4wgc keyHandle: Z_3LYt_Otuu6TjyvSA3MXxefj29kmel7o54Hn6rqiS1jUbf8LabB5cJRHiyKHEkOh9IMG9F2EwE9tFGXvjGJ-Q Response Data clientData: {"typ":"navigator.id.getAssertion","challenge":"JRrh04hHKIxAuLk7SXSRQPwqK4994NQR0EfWIzY4wgc","origin":"https://demo.yubico.com","cid_pubkey":""} signatureData: AQAAAAEwRAIgLrqKb81ePH9jcIGFDjyEWwc5p4jJV80IpxGY8lw4lfMCIFR36WIIpcXWYBpq6W9VVUud9pE19k09do8KKEpm1kij Authentication Parameters touch: true counter: 1
Configuration
yubikey-personalization-gui
or
man ykpersonalize
- Go to https://security.google.com/settings/security/securitykey/add
- Press Register then touch the key
OpenPGP
For info, applet source here
Make user CCID mode is activated
See GnuPG#Yubikey
TODO
- https://www.yubico.com/2012/12/yubikey-neo-openpgp/
- https://www.2realities.com/blog/2014/11/04/yubikey-slash-openpgp-smartcards-for-newbies/
- https://wiki.gnome.org/Projects/GnomeKeyring
Misc
- First time use
- Yubico applications
- Modhex calculator
- OpenSource
- http://uname.pingveno.net/blog/index.php/post/2013/08/06/Configure-2-factor-Yubikey-authentication-for-Debian-%3A-the-easiest-way
Other Debian packages
libauth-yubikey-decrypter-perl - yubikey token output decryptor libauth-yubikey-webclient-perl - Perl module to authenticate Yubikey against the Yubico Web API
python-pyhsm - Python code for talking to a Yubico YubiHSM hardware yhsm-daemon - YubiHSM server daemon yhsm-tools - Common files for YubiHSM applications yhsm-validation-server - Validation server using YubiHSM yhsm-yubikey-ksm - Yubikey Key Storage Module using YubiHSM
python-yubico - Python code for talking to Yubico YubiKeys python-yubico-tools - Tools for Yubico YubiKeys libykclient3 - Yubikey client library runtime libpam-yubico - two-factor password and YubiKey OTP PAM module
yubikey-ksm - Key Storage Module for YubiKey One-Time Password (OTP) tokens yubikey-server-c - Yubikey validation server yubikey-val - One-Time Password (OTP) validation server for YubiKey tokens yubiserver - Yubikey OTP and HOTP/OATH Validation Server libapache2-mod-authn-yubikey - Yubikey authentication provider for Apache
libu2f-server0 - Universal 2nd Factor (U2F) server communication C Library u2f-server - Command line tool to do Universal 2nd Factor (U2F) operations
Yubikey 4
Beware from this version on, Yubico replaced all open source components by closed-source ones: https://github.com/Yubico/ykneo-openpgp/issues/2#issuecomment-218446368
This is probably not what you want.