Yubikey

From YobiWiki
Revision as of 23:20, 12 March 2015 by PhilippeTeuwen

Yubikey Neo Nano

First time plugged

new full-speed USB device number 31 using xhci_hcd
New USB device found, idVendor=1050, idProduct=0114
New USB device strings: Mfr=1, Product=2, SerialNumber=0
Product: Yubikey NEO OTP+U2F
Manufacturer: Yubico

First time use

Visit https://www.yubico.com/start/ -> https://demo.yubico.com/start/otp/neonano

First OTP test

Parameters
device=neonano
key=ccccccdugjdbtnglkbibhjkeifunghgngibgfjcunlfl
identity=ccccccdugjdb
serial=3037217

Authentication Output
h=sznj5f+KKweKLObaoMo44IJMGOM=
t=2015-03-12T19:37:09Z0788
otp=ccccccdugjdbtnglkbibhjkeifunghgngibgfjcunlfl
nonce=a830bdee7aa3735626ea90bcd5b2428c
sl=25
status=OK
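
The `identity` and `serial` values above can be related offline. The following Python is an added example, not part of the original notes and not Yubico's code: it splits the OTP into public identity and encrypted block and decodes the modhex identity to an integer. That the identity decodes to the serial is an observation on this factory-programmed key; a reprogrammed slot can carry any public identity.

```python
# Added example; the OTP value is the one shown in the test output on this page.
MODHEX = "cbdefghijklnrtuv"      # modhex digit at index i encodes hex nibble i
HEXDIGITS = "0123456789abcdef"


def modhex_decode(s: str) -> bytes:
    """Translate a modhex string to raw bytes, rejecting foreign characters."""
    if len(s) % 2 or any(ch not in MODHEX for ch in s):
        raise ValueError("not a valid modhex string")
    return bytes.fromhex(s.translate(str.maketrans(MODHEX, HEXDIGITS)))


def split_otp(otp: str):
    """Split a Yubico OTP into (public identity, 16-byte encrypted block)."""
    otp = otp.strip().lower()
    # The last 32 modhex characters are the AES-128 encrypted block;
    # whatever precedes them (0 to 16 characters) is the public identity.
    if not 32 <= len(otp) <= 48:
        raise ValueError("unexpected OTP length")
    identity, block = otp[:-32], otp[-32:]
    return identity, modhex_decode(block)


def identity_to_serial(identity: str) -> int:
    """Interpret the modhex public identity as a big-endian integer."""
    return int.from_bytes(modhex_decode(identity), "big")


if __name__ == "__main__":
    otp = "ccccccdugjdbtnglkbibhjkeifunghgngibgfjcunlfl"
    identity, block = split_otp(otp)
    print(identity, identity_to_serial(identity), block.hex())
```

The encrypted block can only be opened with the AES key held by the validation server, so a client-side check stops at format and identity.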

First FIDO U2F test

Install

To use it with Chrome, install the FIDO U2F plugin.
We need the YubiKey NEO Manager, cf. NEO-Manager-Quick-Start-Guide.pdf. Install the YubiKey NEO Manager, here yubikey-neo-manager-1.1.0.tar.gz:

sudo apt-get install ykneomgr python-pyside yubikey-personalization yubikey-personalization-gui u2f-host
tar xzf yubikey-neo-manager-1.1.0.tar.gz
cd yubikey-neo-manager-1.1.0/scripts
./neoman
Serial: 3037217
FW version: 3.3.0
U2F/FIDO: supported
Change connection mode [OTP+U2F]

We can change its name to something friendlier.
There are three modes that can be activated:

  • The OTP mode refers to the YubiKey functions the NEO shares with the standard YubiKey, including two Configuration Slots that can be programmed with any two of the following: Yubico OTP (programmed by Yubico in Slot 1, by default), OATH-HOTP, Challenge-Response and Static Password.
  • The CCID Mode refers to the smart card elements on the YubiKey NEO and NEO-n, and includes the NEO applets such as OpenPGP, PIV and YubiOATH.
  • The U2F Mode refers to the Universal 2nd Factor (U2F) functionality of the YubiKey NEO and NEO-n.

Activate all modes:

  • Change connection mode => +OTP +CCID +U2F
  • unplug/wait/replug

Now we see available applets

  • YubiKey OTP
  • YubiOATH
  • Yubico U2F
  • OpenPGP
  • Yubico PIV

Test: register


Go to https://demo.yubico.com/start/u2f/neonano

Register:
Create doegox / demodemo

Login Data
username: doegox
password: demodemo

Enroll Data
origin: https://demo.yubico.com
version: U2F_V2
challenge: SMkZgqF8LYgnhZTQaYcVTZc3DzO8RXY8TfLhveiIQz4
appId: https://demo.yubico.com

Response Data
clientData: {"typ":"navigator.id.finishEnrollment","challenge":"SMkZgqF8LYgnhZTQaYcVTZc3DzO8RXY8TfLhveiIQz4","origin":"https://demo.yubico.com","cid_pubkey":""}

registrationData:

Attestation Certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1918419690 (0x7258c2ea)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Yubico U2F Root CA Serial 457200631
        Validity
            Not Before: Aug  1 00:00:00 2014 GMT
            Not After : Sep  4 00:00:00 2050 GMT
        Subject: CN=Yubico U2F EE Serial 14803321578
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub: 
                    04:a2:b0:39:93:22:54:31:9d:41:fa:48:54:d5:7c:
                    a1:8d:eb:69:cc:9b:3e:4d:81:ae:39:9f:32:3e:81:
                    16:43:99:ef:2a:95:14:67:3d:15:7c:ec:bf:b5:f0:
                    bc:c7:89:08:53:ee:55:cf:3f:1a:20:66:f4:d5:13:
                    9b:93:8b:31:0b
                ASN1 OID: prime256v1
        X509v3 extensions:
            1.3.6.1.4.1.41482.1.2: 
               
    Signature Algorithm: sha256WithRSAEncryption

Test login

Login Data
username: doegox
password: demodemo

Challenge Data
version: U2F_V2
challenge: JRrh04hHKIxAuLk7SXSRQPwqK4994NQR0EfWIzY4wgc
keyHandle: Z_3LYt_Otuu6TjyvSA3MXxefj29kmel7o54Hn6rqiS1jUbf8LabB5cJRHiyKHEkOh9IMG9F2EwE9tFGXvjGJ-Q

Response Data
clientData: {"typ":"navigator.id.getAssertion","challenge":"JRrh04hHKIxAuLk7SXSRQPwqK4994NQR0EfWIzY4wgc","origin":"https://demo.yubico.com","cid_pubkey":""}
signatureData: AQAAAAEwRAIgLrqKb81ePH9jcIGFDjyEWwc5p4jJV80IpxGY8lw4lfMCIFR36WIIpcXWYBpq6W9VVUud9pE19k09do8KKEpm1kij

Authentication Parameters
touch: true
counter: 1
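
The `touch` and `counter` values above come straight out of `signatureData`. The following Python is an added example, not part of the original notes and not the demo site's code: it decodes the U2F_V2 authentication response from this page, runs the relying-party checks on `clientData`, and rebuilds the byte string the token signed. The signature itself is not verified here because that needs the public key from the registration; the `appId` is taken from the enroll data above and the function names are hypothetical.

```python
import base64, hashlib, json, struct

def b64url(s: str) -> bytes:
    """Decode the unpadded URL-safe base64 used in U2F messages."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def parse_signature_data(sig_b64: str):
    """Split signatureData into (user_present, counter, DER ECDSA signature)."""
    raw = b64url(sig_b64)
    if len(raw) < 7:
        raise ValueError("signatureData too short")
    flags, counter = struct.unpack(">BI", raw[:5])  # 1 byte + 4 bytes big-endian
    der = raw[5:]
    # A P-256 signature is a short-form DER SEQUENCE spanning the remaining bytes.
    if der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("malformed DER signature")
    return bool(flags & 0x01), counter, der

def client_data_ok(client_data: str, challenge: str, origin: str) -> bool:
    """Relying-party checks: right message type, our challenge, our origin."""
    cd = json.loads(client_data)
    return (cd.get("typ") == "navigator.id.getAssertion"
            and cd.get("challenge") == challenge
            and cd.get("origin") == origin)

def signed_message(app_id: str, sig_b64: str, client_data: str) -> bytes:
    """Signed bytes: SHA256(appId) | presence | counter | SHA256(clientData)."""
    return (hashlib.sha256(app_id.encode()).digest() + b64url(sig_b64)[:5]
            + hashlib.sha256(client_data.encode()).digest())

def counter_ok(received: int, stored: int) -> bool:
    """A counter that does not increase points to a cloned or replayed token."""
    return received > stored

# Values copied from the login test on this page.
SIG = ("AQAAAAEwRAIgLrqKb81ePH9jcIGFDjyEWwc5p4jJV80IpxGY8lw4lfMC"
       "IFR36WIIpcXWYBpq6W9VVUud9pE19k09do8KKEpm1kij")
CHALLENGE = "JRrh04hHKIxAuLk7SXSRQPwqK4994NQR0EfWIzY4wgc"
ORIGIN = "https://demo.yubico.com"
CLIENT_DATA = ('{"typ":"navigator.id.getAssertion","challenge":"' + CHALLENGE
               + '","origin":"' + ORIGIN + '","cid_pubkey":""}')

if __name__ == "__main__":
    present, counter, der = parse_signature_data(SIG)
    print(present, counter, len(der), counter_ok(counter, 0),
          client_data_ok(CLIENT_DATA, CHALLENGE, ORIGIN))
```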

Misc

Other Debian packages

libauth-yubikey-decrypter-perl - yubikey token output decryptor
libauth-yubikey-webclient-perl - Perl module to authenticate Yubikey against the Yubico Web API
python-pyhsm - Python code for talking to a Yubico YubiHSM hardware
yhsm-daemon - YubiHSM server daemon
yhsm-tools - Common files for YubiHSM applications
yhsm-validation-server - Validation server using YubiHSM
yhsm-yubikey-ksm - Yubikey Key Storage Module using YubiHSM
python-yubico - Python code for talking to Yubico YubiKeys
python-yubico-tools - Tools for Yubico YubiKeys
libykclient3 - Yubikey client library runtime
libpam-yubico - two-factor password and YubiKey OTP PAM module
yubikey-ksm - Key Storage Module for YubiKey One-Time Password (OTP) tokens
yubikey-server-c - Yubikey validation server
yubikey-val - One-Time Password (OTP) validation server for YubiKey tokens
yubiserver - Yubikey OTP and HOTP/OATH Validation Server
libapache2-mod-authn-yubikey - Yubikey authentication provider for Apache
libu2f-server0 - Universal 2nd Factor (U2F) server communication C Library
u2f-server - Command line tool to do Universal 2nd Factor (U2F) operations