The other OTP application configurations (Yubico OTP, OATH HOTP, and static password) require the user to activate the configured slot (by touching the YubiKey or scanning it with an NFC reader) in order to generate and submit the password from the YubiKey to a host device. Challenge-response, on the other hand, begins with a “challenge” that a host sends to the YubiKey. The YubiKey receives the challenge (as a byte array) and “responds” by encrypting or digesting (hashing) the challenge with a stored secret key and sending it back to the host for authentication.
Challenge-response is flexible. It can be used in single and multi-factor authentication for logging into applications or devices, and validation can take place on a host device itself or on a validation server on an internal or external network. The SDK supports all of these scenarios.
To implement challenge-response authentication with a .NET application, the following must occur:
A slot on the YubiKey must be configured with a secret key and encryption/hashing algorithm.
The application must be able to send challenges to and receive responses from a YubiKey.
A copy of the secret key must be shared with the validating party.
The validating party must be able to validate responses and pass the result back to the application.
All YubiKey-host communication for challenge-response is done via the HID communication protocol. Therefore, challenge-response authentication will only work when a YubiKey is physically plugged into a host over USB or Lightning. Challenges and responses cannot be communicated wirelessly with NFC.
Supported challenge-response algorithms
The .NET SDK and the YubiKey support the following encryption and hashing algorithms for challenge-response:
For Yubico OTP challenge-response, the key will receive a 6-byte challenge. The YubiKey will then create a 16-byte string by concatenating the challenge with 10 bytes of unique device fields. For Yubico OTP challenge-response, these 10 bytes of additional data are not important. They are merely added as padding so that the challenge may be encrypted with a 16-byte key using the AES encryption algorithm. (AES requires that data be encrypted in blocks of the same size as the encryption key.)
For HMAC SHA1 challenge-response, the key will receive a challenge of up to 64 bytes in size, which will be digested (hashed) with a 20-byte secret key.
Hashing/digesting is a one-way operation, meaning that once a block of data is hashed, it cannot be converted back into its original form. Encryption, on the other hand, is a two-way operation. When a block of data is encrypted, it can be decrypted back into its original form at any time. This is an important distinction because the validating party will have to respond differently to Yubico OTP responses (encrypted) and HMAC SHA1 responses (hashed). For Yubico OTP, the validating party will have to decrypt the response and compare the result with the original challenge. For HMAC SHA1, the validating party will have to perform the same hashing operation with the original challenge and compare the result to the response received from the YubiKey.
Challenge initiation and authentication
The challenge-response process works as follows:
The YubiKey is plugged into the host.
The application on the host sends a challenge to a specific slot of the YubiKey via the SDK.
The YubiKey receives the challenge and encrypts/digests it with the secret key and encryption/hashing algorithm that the slot was configured with.
The YubiKey sends the response back to the host, and the application receives it as a string of numeric digits, a byte string, or a single integer (as determined by the SDK).
The application sends the response to the validating party. For Yubico OTP challenge-response, the response must be decrypted using the YubiKey’s unique secret key. For HMAC SHA1 challenge-response, the validating party must digest the challenge with the secret key using the same HMAC SHA1 algorithm.
For Yubico OTP, if the decrypted response matches the original challenge that was sent to the YubiKey, authentication was successful, and the user is logged in. (For Yubico OTP challenge-response, the 6-byte challenge must match the first 6 bytes of the decrypted response–the other bytes are ignored.) For HMAC SHA1, if the response matches the server's digested challenge, authentication was successful, and the user is logged in.
For the authentication process to succeed, the size of the challenge must align with the algorithm that the YubiKey was configured with. Similarly, the validating party must decrypt the response using the same algorithm that the challenge was encrypted with.
The SDK’s challenge-response functionality centers around the following two methods:
ConfigureChallengeResponse() allows you to configure an OTP application slot on a YubiKey to receive a challenge from a host and process it based on a specific algorithm and secret key. CalculateChallengeResponse() allows a host to send a challenge to a YubiKey and then receive the response from the YubiKey.
When calling ConfigureChallengeResponse(), you must set the secret key for the slot, which can be generated randomly via GenerateKey() or set explicitly with UseKey(). If you choose to generate a key, that key must be shared with the validating party before being cleared from memory. Secrets cannot be extracted from the YubiKey once configured.
You must also set the algorithm that will be used to respond to challenges by calling either UseHmacSha1() or UseYubiOtp(). For example, if you call UseHmacSha1(), the YubiKey will encrypt challenges it receives with the secret key via the HMAC SHA1 algorithm.
It’s important that the size of your secret key matches the size that is expected for the algorithm you chose (16 bytes for Yubico OTP and 20 bytes for HMAC SHA1). For example, if you call UseYubiOtp(), the key that you set with UseKey() must be 16 bytes long. Otherwise, the YubiKey will not be able to respond to a challenge correctly. The SDK will throw an exception if the key length is incorrect for the chosen configuration.
The ConfigureChallengeResponse class also provides optional methods for requiring users to touch the YubiKey to initiate the challenge-response operation (UseButton()) or enabling the key to process HMAC SHA1 challenges of less than 64 bytes (UseSmallChallenge()).
UseSmallChallenge() is included for compatibility with legacy systems whose implementations break data sets into multiple blocks, which often results in the last element being smaller than 64 bytes.
For a full list of the methods in the ConfigureChallengeResponse class, please see the API documentation.
For an example of how to use ConfigureChallengeResponse(), please see How to program a slot with a challenge-response credential.
In order for a host to send a challenge to a YubiKey and receive a response, an application on the host must call CalculateChallengeResponse(). With this method, you can:
send the challenge to the YubiKey as a byte array with UseChallenge().
send a message to the user to notify them to touch the YubiKey to initiate the challenge-response operation with UseTouchNotifier(). This is only needed if the YubiKey slot is configured to require the button touch with UseButton().
receive the response from the YubiKey. The response can be received as a string of numeric digits via GetCode() (for cases when you want to treat the challenge-response call as an OTP), as a byte string via GetDataBytes() (for cases when you want to receive the raw bytes, which have not been interpreted in any way), or as a single 32-bit integer via GetDataInt() (for cases when you are expecting a 32-bit response).
The size of the challenge sent to the YubiKey with UseChallenge() must correspond to the configuration of the YubiKey slot. If the slot is configured to perform Yubico OTP, the challenge must be 6 bytes long. If the slot is configured for HMAC SHA1, the challenge must be 64 bytes long. However, if the slot has been configured with UseSmallChallenge(), an HMAC SHA1 challenge smaller than 64 bytes is acceptable. The SDK will throw an exception if the challenge size does not match the YubiKey slot's configuration.
Alternatively, the application can send a TOTP challenge to the YubiKey with UseTotp(). The time period of the TOTP challenge (i.e. how long a TOTP is valid for) can be set via WithPeriod() (the default period is 30 seconds). TOTP challenges are intended to be used with keys configured for HMAC SHA1 challenge-response only. With UseTotp(), the application will send the current time as a challenge (instead of a byte array specified with UseChallenge()) to the key, which will digest it with the stored secret key. The SDK will throw an exception if you call both UseTotp() and UseChallenge().
For a full list of the methods in the CalculateChallengeResponse class, please see the API documentation.
For an example of how to use CalculateChallengeResponse(), please see How to calculate a response code for a challenge-response credential.