Yubikey

From YobiWiki

Yubikey Neo Nano

First time plugged in

new full-speed USB device number 31 using xhci_hcd
New USB device found, idVendor=1050, idProduct=0114
New USB device strings: Mfr=1, Product=2, SerialNumber=0
Product: Yubikey NEO OTP+U2F
Manufacturer: Yubico

OTP test

This can be performed without installing anything, as OTP uses the keyboard emulation mode.

Parameters
device=neonano
key=ccccccdugjdbtnglkbibhjkeifunghgngibgfjcunlfl
identity=ccccccdugjdb
serial=3037217

Authentication Output
h=sznj5f+KKweKLObaoMo44IJMGOM=
t=2015-03-12T19:37:09Z0788
otp=ccccccdugjdbtnglkbibhjkeifunghgngibgfjcunlfl
nonce=a830bdee7aa3735626ea90bcd5b2428c
sl=25
status=OK
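
How these fields relate, as an added example (not part of the original page): the last 32 modhex characters of a Yubico OTP are the encrypted block and the prefix is the public identity, which for this key decodes to the serial listed above. Function names are hypothetical; the inputs are the values shown on this page.

```python
# Added example: inputs are the values shown on this page; function names are hypothetical.
MODHEX = "cbdefghijklnrtuv"                      # modhex digit i encodes hex digit i
TO_HEX = str.maketrans(MODHEX, "0123456789abcdef")

OTP = "ccccccdugjdbtnglkbibhjkeifunghgngibgfjcunlfl"
RESPONSE = """h=sznj5f+KKweKLObaoMo44IJMGOM=
t=2015-03-12T19:37:09Z0788
otp=ccccccdugjdbtnglkbibhjkeifunghgngibgfjcunlfl
nonce=a830bdee7aa3735626ea90bcd5b2428c
sl=25
status=OK"""

def modhex_decode(s):
    """Decode a modhex string to bytes, rejecting characters outside the alphabet."""
    if len(s) % 2 or any(ch not in MODHEX for ch in s):
        raise ValueError("not a modhex string")
    return bytes.fromhex(s.translate(TO_HEX))

def split_otp(otp):
    """Return (public_id, block): the last 32 modhex chars are the 16-byte AES block."""
    if not 32 <= len(otp) <= 64:
        raise ValueError("unexpected OTP length")
    public_id, block = otp[:-32], otp[-32:]
    modhex_decode(public_id)                     # validates the identity's alphabet
    return public_id, modhex_decode(block)

def serial_of(public_id):
    """Interpret the decoded public identity as a big-endian integer."""
    return int.from_bytes(modhex_decode(public_id), "big")

def parse_response(text):
    # Split on the first '=' only: the base64 value of h ends in '=' padding.
    return dict(line.split("=", 1) for line in text.split() if "=" in line)

def check_response(resp, sent_otp):
    # The reply must echo the submitted OTP and report status=OK.
    # h is the server's HMAC over the fields; checking it needs the client's
    # API key, which is not on this page.
    return resp.get("status") == "OK" and resp.get("otp") == sent_otp

if __name__ == "__main__":
    public_id, block = split_otp(OTP)
    print(public_id, serial_of(public_id), len(block))
    print(check_response(parse_response(RESPONSE), OTP))
```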

Install

For CCID & U2F, some extra steps are needed.
Note that contrary to what is said in Yubico docs, mine already had the U2F mode activated.

To use U2F with Chrome, install the FIDO U2F plugin.

We need the YubiKey NEO Manager, cf. NEO-Manager-Quick-Start-Guide.pdf. Install YubiKey NEO Manager, here yubikey-neo-manager-1.1.0.tar.gz:

sudo apt-get install ykneomgr python-pyside yubikey-personalization yubikey-personalization-gui u2f-host
tar xzf yubikey-neo-manager-1.1.0.tar.gz
cd yubikey-neo-manager-1.1.0/scripts
./neoman
Serial: 3037217
FW version: 3.3.0
U2F/FIDO: supported
Change connection mode [OTP+U2F]

We can change its name to something friendlier.
There are three modes that can be activated:

  • The OTP mode refers to the YubiKey functions the NEO shares with the standard YubiKey, including two Configuration Slots that can be programmed with any two of the following: Yubico OTP (programmed by Yubico in Slot 1, by default), OATH-HOTP, Challenge-Response and Static Password.
  • The CCID Mode refers to the smart card elements on the YubiKey NEO and NEO-n, and includes the NEO applets such as OpenPGP, PIV and YubiOATH.
  • The U2F Mode refers to the Universal 2nd Factor (U2F) functionality of the YubiKey NEO and NEO-n.

Activate all modes:

  • Change connection mode => +OTP +CCID +U2F
  • unplug/wait/replug

Now we see the available applets:

  • YubiKey OTP
  • YubiOATH
  • Yubico U2F
  • OpenPGP
  • Yubico PIV

pcsc_scan results:

Reader 0: Yubico Yubikey NEO OTP+U2F+CCID 00 00
  Card state: Card inserted, 
  ATR: 3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1

ATR: 3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1
+ TS = 3B --> Direct Convention
+ T0 = FC, Y(1): 1111, K: 12 (historical bytes)
  TA(1) = 13 --> Fi=372, Di=4, 93 cycles/ETU
    43010 bits/s at 4 MHz, fMax for Fi = 5 MHz => 53763 bits/s
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
  TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1 
-----
  TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1 
-----
  TA(3) = FE --> IFSC: 254
  TB(3) = 15 --> Block Waiting Integer: 1 - Character Waiting Integer: 5
+ Historical bytes: 59 75 62 69 6B 65 79 4E 45 4F 72 33
  Category indicator byte: 59 (proprietary format)
+ TCK = E1 (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1
	YubiKey NEO (PKI)
	http://www.yubico.com/

FIDO U2F test

Test: register


Go to https://demo.yubico.com/start/u2f/neonano

Register:
Create doegox / demodemo

Login Data
username: doegox
password: demodemo

Enroll Data
origin: https://demo.yubico.com
version: U2F_V2
challenge: SMkZgqF8LYgnhZTQaYcVTZc3DzO8RXY8TfLhveiIQz4
appId: https://demo.yubico.com

Response Data
clientData: {"typ":"navigator.id.finishEnrollment","challenge":"SMkZgqF8LYgnhZTQaYcVTZc3DzO8RXY8TfLhveiIQz4","origin":"https://demo.yubico.com","cid_pubkey":""}
registrationData: 0504ceb7c2675e1370b64ec95fabd98c1f68f1dddf706ffc20d56367ae3274717a6ea95259ece26ca7d4c38db3b81c2a7a9b628cdaa6bcc2487d1a04f83e7178a5144067fdcb62dfceb6ebba4e3caf480dcc5f179f8f6f6499e97ba39e079faaea892d6351b7fc2da6c1e5c2511e2c8a1c490e87d20c1bd17613013db45197be3189f93082021c30820106a00302010202047258c2ea300b06092a864886f70d01010b302e312c302a0603550403132359756269636f2055324620526f6f742043412053657269616c203435373230303633313020170d3134303830313030303030305a180f32303530303930343030303030305a302b3129302706035504030c2059756269636f205532462045452053657269616c2031343830333332313537383059301306072a8648ce3d020106082a8648ce3d03010703420004a2b039932254319d41fa4854d57ca18deb69cc9b3e4d81ae399f323e81164399ef2a9514673d157cecbfb5f0bcc7890853ee55cf3f1a2066f4d5139b938b310ba3123010300e060a2b0601040182c40a01020400300b06092a864886f70d01010b0382010101bccc1af90b7b957818d555a433716a6016acedcb3132c3410f366164106c23d92ab06c5d1c2cb6929ad42148aa2a3af3ae53893a6aa140cae9326593153d92aa00fd15874b0232944cce90ef1198cedefea087967c6c80e6b50009e41da79c82f256973b0c0eed6a3ddd52b67334c0fcbfe6d88ca753b1927f43342cb6c7b020f92814e21146daad6b48b09041625ff730475d4817e51219c407294068317eb924ff6763a0f34375c7a65383ddb1d4387b028b632a05953ed5f28ead026934fd30f1c050a5293f86c5539bb522196fc51abc6b20a5dfa467c218808a0f108c7ee58a22c86ed078cfd29121a30017d4bb35a627b64a82b7f9512162d90e1512ea3045022100d2648a850920595a0285709ce12f9975d01cc8005d2bddc568855f8aed8926fe02206c15949affb6bc15fb32f3b7f1064202e07ee10008607a6f2e16ad45f611f93b

Attestation Certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1918419690 (0x7258c2ea)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Yubico U2F Root CA Serial 457200631
        Validity
            Not Before: Aug  1 00:00:00 2014 GMT
            Not After : Sep  4 00:00:00 2050 GMT
        Subject: CN=Yubico U2F EE Serial 14803321578
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub: 
                    04:a2:b0:39:93:22:54:31:9d:41:fa:48:54:d5:7c:
                    a1:8d:eb:69:cc:9b:3e:4d:81:ae:39:9f:32:3e:81:
                    16:43:99:ef:2a:95:14:67:3d:15:7c:ec:bf:b5:f0:
                    bc:c7:89:08:53:ee:55:cf:3f:1a:20:66:f4:d5:13:
                    9b:93:8b:31:0b
                ASN1 OID: prime256v1
        X509v3 extensions:
            1.3.6.1.4.1.41482.1.2: 
               
    Signature Algorithm: sha256WithRSAEncryption

Test login

Login Data
username: doegox
password: demodemo

Challenge Data
version: U2F_V2
challenge: JRrh04hHKIxAuLk7SXSRQPwqK4994NQR0EfWIzY4wgc
keyHandle: Z_3LYt_Otuu6TjyvSA3MXxefj29kmel7o54Hn6rqiS1jUbf8LabB5cJRHiyKHEkOh9IMG9F2EwE9tFGXvjGJ-Q

Response Data
clientData: {"typ":"navigator.id.getAssertion","challenge":"JRrh04hHKIxAuLk7SXSRQPwqK4994NQR0EfWIzY4wgc","origin":"https://demo.yubico.com","cid_pubkey":""}
signatureData: AQAAAAEwRAIgLrqKb81ePH9jcIGFDjyEWwc5p4jJV80IpxGY8lw4lfMCIFR36WIIpcXWYBpq6W9VVUud9pE19k09do8KKEpm1kij

Authentication Parameters
touch: true
counter: 1
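
The checks a relying party makes on this login response, as an added example (not part of the original page or of the Yubico demo): it decodes signatureData into the touch flag and counter shown above, confirms that clientData echoes the challenge and origin, and rejects a counter that has not increased. Function names are hypothetical; the constants are copied from this page.

```python
# Added example: constants are copied from this page; function names are hypothetical.
import base64, hashlib, json, struct

CHALLENGE = "JRrh04hHKIxAuLk7SXSRQPwqK4994NQR0EfWIzY4wgc"
ORIGIN = APP_ID = "https://demo.yubico.com"
CLIENT_DATA = ('{"typ":"navigator.id.getAssertion","challenge":"' + CHALLENGE +
               '","origin":"https://demo.yubico.com","cid_pubkey":""}')
SIGNATURE_DATA = ("AQAAAAEwRAIgLrqKb81ePH9jcIGFDjyEWwc5p4jJV80IpxGY8lw4lfMCIFR36WII"
                  "pcXWYBpq6W9VVUud9pE19k09do8KKEpm1kij")

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def parse_signature_data(sig_b64):
    """Split a U2F authentication response into (touch, counter, DER signature)."""
    raw = b64url_decode(sig_b64)
    if len(raw) < 7:
        raise ValueError("response too short")
    flags, counter = struct.unpack(">BI", raw[:5])   # 1 flag byte, 4-byte big-endian counter
    sig = raw[5:]
    if sig[0] != 0x30 or sig[1] != len(sig) - 2:     # one DER SEQUENCE, short-form length
        raise ValueError("malformed ECDSA signature")
    return bool(flags & 0x01), counter, sig

def check_client_data(client_data, challenge, origin):
    """The client must echo the server's challenge from the expected origin."""
    cd = json.loads(client_data)
    return (cd.get("typ") == "navigator.id.getAssertion"
            and cd.get("challenge") == challenge and cd.get("origin") == origin)

def counter_ok(new, stored):
    """Reject a counter that did not increase (replayed response or cloned token)."""
    return new > stored

def signing_base(app_id, sig_b64, client_data):
    """Bytes covered by the signature: SHA-256(appId) | flags | counter | SHA-256(clientData).
    Assumes client_data is byte-for-byte what the browser sent."""
    sha = lambda s: hashlib.sha256(s.encode()).digest()
    return sha(app_id) + b64url_decode(sig_b64)[:5] + sha(client_data)

if __name__ == "__main__":
    touch, counter, sig = parse_signature_data(SIGNATURE_DATA)
    print(touch, counter, len(sig), check_client_data(CLIENT_DATA, CHALLENGE, ORIGIN))
```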

Misc

Other Debian packages

libauth-yubikey-decrypter-perl - yubikey token output decryptor
libauth-yubikey-webclient-perl - Perl module to authenticate Yubikey against the Yubico Web API
python-pyhsm - Python code for talking to a Yubico YubiHSM hardware
yhsm-daemon - YubiHSM server daemon
yhsm-tools - Common files for YubiHSM applications
yhsm-validation-server - Validation server using YubiHSM
yhsm-yubikey-ksm - Yubikey Key Storage Module using YubiHSM
python-yubico - Python code for talking to Yubico YubiKeys
python-yubico-tools - Tools for Yubico YubiKeys
libykclient3 - Yubikey client library runtime
libpam-yubico - two-factor password and YubiKey OTP PAM module
yubikey-ksm - Key Storage Module for YubiKey One-Time Password (OTP) tokens
yubikey-server-c - Yubikey validation server
yubikey-val - One-Time Password (OTP) validation server for YubiKey tokens
yubiserver - Yubikey OTP and HOTP/OATH Validation Server
libapache2-mod-authn-yubikey - Yubikey authentication provider for Apache
libu2f-server0 - Universal 2nd Factor (U2F) server communication C Library
u2f-server - Command line tool to do Universal 2nd Factor (U2F) operations