-------------------------------------------------------------------------------
Yubikey

A hardware USB stick that acts like a single button keyboard.
When pressed it outputs a One Time Password or Static Password
(two can be programed for short or long key presses)

You cannot upgrade the firmware on the keys at all, by design. The only thing
you can do is push various configuration settings to it, and then only if
there's no password set on the configuration.

The output is encrypted using an internal AES key, that key can only
be set, never read, which is the Yubikey major security design feature.


Main forum for questions and answers
  http://forum.yubico.com/viewtopic.php

Alternative yubikey generators
Yubidrone -- app to generate yubukey sequences on android mobiles.
  http://forum.yubico.com/viewtopic.php?f=4&t=405

-------------------------------------------------------------------------------
Software...

for kubikey testing

  svn checkout http://yubico-c.googlecode.com/svn/trunk/ yubico-c
  cd yubico-c
  autoreconf --install
  ./configure
  make check install       # installs into /usr/local

  svn checkout http://yubikey-personalization.googlecode.com/svn/trunk/ \
      yubikey-personalization
  cd yubikey-personalization
  autoreconf --install
  ln -s /lib/libusb-1.0.so.0 /lib/libusb-1.0.so   # stupid configure!
  ./configure
  make check

yubikey validation server....

  yum install yubikey-ksm.noarch yubikey-val.noarch

The last use perl/php scripts with dependancies on the mcrypt libraries to do
the crypto aspects. They provide good code examples of validating yubikey
output.

Some type of database for key validation is important, as it not only provided
the AES key neededto check the key but also to store usage and session
counters, to prevent replay attacks.  Ideally only one such validation server
should be used for a particular yubikey.

-------------------------------------------------------------------------------
ModHex  (Output by Yubikey's)

Reason... Keyboards do not know its keymaps! It only sends scancodes, not
keys!  However all keyboards map certain keys to certain scancodes and these
are what yubikeys use.  Basically it usually transmits only certain keys.

So it uses a simple substitution cypher for the yubikey output

Hexadecimal:  0123 4567 89ab cdef
ModHex Code:  cbde fghi jkln rtuv

Further 'c' is most ambigious in keyboards,
so any other key should map to '0' when reading a yubikey

As such
  bde fghi jkln rtuv -maps-> 0x1 - 0xf
And all other characters (including 'c') maps to 0x0

If you want a 12 character modhex english word
for your public 'fixed string', you can use this...
   egrep '^[cbdefghijklnrtuv]{12}$' /usr/share/dict/words

For example:   freethinking   fiddledeedee   belligerence  jitterbugged
               lightningbug   truthtelling   unvirginlike  enlightening
               uninferrible   unfriendlike   tightfitting  nightclubber

I rather like:  intelligence

OR  get two words to concatanate into a word (no spaces)...

     cute beginner    inbred knight

NOTE the public fixed string, does not have to match the internel UID
which is simply a binary encoding.

The program "modhex" can be used to convert to and from modhex to
hex, or ascii.  Does not however allow raw binary input!

-------------------------------------------------------------------------------
yubikey OTH

Yubikey OTP is 16 bytes which equals 32 modhex characters
This is generally proceeded by a 6 byte unencrypted public identity.
So the complete OTP is  12 + 32 => 44 modhex charcaters.

Only the last 32 characters are decoded by the AES key.

Example

ykpersonalize  -2 -a1b7c9370433d06a9bdec2500c1a0dffc -ofixed=m:inteligence \
   -ouid=h:112233445566 -v -osend-ref -ooath-fixed-modhex -o-static-ticket \
   -o-send-ref -o-strong-pw1 -o-strong-pw2 -o-man-update

Note that some fields expect hexidecimal, others modhex encoding.
However you can specify the encoding by prefixing with h: or m: resp.
The AES key (-a) is always in hexadecimal

The option  -o-...  means turn off that flag
the above settings ensures that a OTH sequence is actually being set.

Output (long keypress)
  bbddeeffgghhehcvhebnurgnibjlbvhurchinbgvjhlh
  bbddeeffgghhkugfgdeiijlruketrthkejfvjvijcild
  bbddeeffgghhvnnerugukhklgfugkccrcvcfvlvdukte

Using the last key from the above...

Fixed identity part (for AES key lookup)
  bbddeeffgghh  ->  112233445566

Decrypt (with or witout fixed part)
  ykdebug  1b7c9370433d06a9bdec2500c1a0dffc vnnerugukhklgfugkccrcvcfvlvdukte

  Modhex -> hexadecimal -> binary -> AES decrypt
     11 22 33 44 55 66,  01 00,  d1 58,  67,  04,   db 16,   39 b3

  Struct:
    secret uid: 11 22 33 44 55 66
    counter: 1 (0x0001)
    timestamp (low): 22737 (0x58d1)
    timestamp (high): 103 (0x67)
    session use: 4 (0x04)
    random: 5851 (0x16db)
    crc: 45881 (0xb339)
    ...
    crc check: ok

check CRC, - did key decrypt properly
check secret ID UID against database - who is realy logging in
verify timestamp counter fields against replay
optionally check timer and time delta from previous request

NOTE the fixed string is optional, but then all uids will use same AES key.
The uid does not have to match the fixed string and is used to actually
determines who is logging in.

-------------------------------------------------------------------------------
Static Password ????????

You can either output a static modhex encrypted string
OR you can somehow set the yubikey to output english keyboard scancodes
for any key sequence you like.   How????

# Static encrypted string

ykpersonalize  -2 -a1b7c9370433d06a9bdec2500c1a0dffc -ofixed=h:112233445566 \
   -ouid=h:112233445566  -ostatic-ticket

output...
   ????

-------------------------------------------------------------------------------
Your own OpenID server

Download Community-ID and install:
http://source.keyboard-monkeys.org/projects/show/communityid


Get yourself a Yubico API key: https://api.yubico.com/get-api-key/
Edit the config.php generated during the install:
   #
   #  -------  YUBIKEY ------------
   #
   $config['yubikey']['enabled']      = true;

   # Set to true to force utilization of the Yubikey, instead of passwords.
   # Only use it for newer installations, as current existent users won't be able to log-in.
   $config['yubikey']['force']        = false;

   $config['yubikey']['api_id']       = '1234';
   $config['yubikey']['api_key']      = '1Ab+CdEfgHi/jkl2M3nOp4qrsT5=';

For to factor authentication there is a 'diff' to apply
  http://source.keyboard-monkeys.org/attachments/download/136/twofactor-password-yubikey.diff

See bottom of http://conf.linux.org.au/wiki/Yubikey

-------------------------------------------------------------------------------
PAM
  Add to auth-common
    auth sufficent pam_yubikey.so

Also see two-factor authentication patch
That is you login using    "password OTPpassword"

Patch
  http://git.longlandclan.yi.org/?p=overlays/yubikey.git;a=blob;f=sys-auth/yubipam/files/yubipam-1.1_beta1-concat-twofactor.patch
Guide
  http://stuartl.longlandclan.yi.org/blog/2011/02/17/yubikey-ebuilds-and-patches-for-gentoo/


-------------------------------------------------------------------------------
Autolock (Screensave) on Key remove..

http://forum.yubico.com/viewtopic.php?f=11&t=246

-------------------------------------------------------------------------------