Pilot service for Yubikey two-factor authentication

January 29, 2016

Modified Hexadecimal encoding – a.k.a. ‘Modhex’ – and Yubikey public id’s

Filed under: Pilot service for Yubikey two-factor authentication — idurkacz @ 4:42 pm

Recall from the earlier post What is a Yubikey, and how does it work? that, in its standard mode and with its default settings, a Yubikey emits a 44-character text string: the first 12 characters are the key's public id, and the final 32 characters are the Modhex encoding of a 16-byte AES-encrypted OTP. As an example:

fifjgjgkhchbirdrfdnlnghhfgrtnnlgedjlftrbdeut
<-12 chars-><---------- 32 chars ---------->

where the public id of the Yubikey in question is fifjgjgkhchb.

What are the characters here? And what do they represent?

Well: the Yubikey is ‘pretending to be’ a USB keyboard. A keyboard sends its keystrokes as a sequence of ‘scan codes’ identifying key positions, not as characters; the host operating system translates each scan code into a character according to the keyboard layout it has been configured with. For the Yubikey to work, it is critical that the same characters result whether the Yubikey is plugged into a UK or US computer with a QWERTY layout, a French computer with an AZERTY layout, or a German computer with a QWERTZ layout.

To achieve this, Yubico devised the Modified Hexadecimal encoding – a.k.a. ‘Modhex’. The idea is to use a set of sixteen letters whose keys sit at the same physical position on all of the above layouts, so that they produce the same scan code and the host turns that scan code into the same letter regardless of layout, and to map those letters onto the sixteen hexadecimal digits we actually want to encode. Letters whose position differs between these layouts (a, q, w, z and m on AZERTY; y and z on QWERTZ) are deliberately left out. The mapping is as follows:

Hex    0 1 2 3 4 5 6 7 8 9 A B C D E F
Modhex c b d e f g h i j k l n r t u v

We can see, for example, that the Yubikey public id fifjgjgkhchb above (which is in Modhex) translates to the hex sequence 474858596061. Each Modhex character carries four bits, so the 12-character public id encodes 6 bytes and the 32-character OTP encodes the 16-byte AES block.

Normally all this is transparent, and it all just works. However, it has one important administrative use: identifying the public id string of a particular Yubikey from its serial number, which is stamped on the key both as a decimal string and as a QR code.

Example: suppose our Yubikey is stamped with the physical serial number ‘0219 8612’. Now, 02198612 (dec) = 218C54 (hex). Padding that out with leading zeros to 12 hex characters (6 bytes), we get 000000218C54 (hex) = ccccccdbjrgf (Modhex). And ccccccdbjrgf turns out to be the factory-defined public id of the Yubikey in question. Note that this derivation only holds for the factory-programmed credential: if the key's slot has since been reprogrammed with a different public id, the stamped serial no longer tells you what the key emits.
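The following Python script puts the whole of the above into working code: the hex/Modhex translation table, splitting an emitted OTP into public id and token, and the serial-to-public-id derivation. It is an added example, not code from the original post or from Yubico; the mapping table and both test vectors (the OTP beginning fifjgjgkhchb and serial 02198612) are the ones given in the post. It goes beyond the post in one respect: split_otp() treats everything before the last 32 characters as the public id rather than assuming exactly 12, so it also copes with keys programmed with a non-default public id length; the function names, the alphabet check and the 6-byte zero-padding in factory_public_id() are this example's own choices, the last of them modelled on the post's worked serial.

```python
# Modhex helpers. Added example, not code from the original post or from Yubico.
# The hex <-> Modhex table and the two test vectors (the OTP beginning
# fifjgjgkhchb and serial 02198612) are taken from the post. Assumptions of
# this example: the token is always the last 32 characters (16-byte AES block)
# and the factory public id is the serial zero-padded to 6 bytes, big-endian.

MODHEX_ALPHABET = "cbdefghijklnrtuv"   # Modhex digit for hex 0..F, in order
HEX_ALPHABET = "0123456789abcdef"

_HEX_TO_MODHEX = dict(zip(HEX_ALPHABET, MODHEX_ALPHABET))
_MODHEX_TO_HEX = dict(zip(MODHEX_ALPHABET, HEX_ALPHABET))

OTP_TOKEN_CHARS = 32   # 16-byte AES block = 32 Modhex characters


def is_modhex(s: str) -> bool:
    """True if s is non-empty and every character is a Modhex digit (case-insensitive)."""
    return s != "" and all(ch in _MODHEX_TO_HEX for ch in s.lower())


def modhex_to_hex(s: str) -> str:
    """Translate a Modhex string to lower-case hex, rejecting any other character."""
    if not is_modhex(s):
        raise ValueError(f"not a Modhex string: {s!r}")
    return "".join(_MODHEX_TO_HEX[ch] for ch in s.lower())


def hex_to_modhex(s: str) -> str:
    """Translate a hex string to Modhex, rejecting any non-hex character."""
    s = s.lower()
    if s == "" or any(ch not in _HEX_TO_MODHEX for ch in s):
        raise ValueError(f"not a hex string: {s!r}")
    return "".join(_HEX_TO_MODHEX[ch] for ch in s)


def modhex_encode(data: bytes) -> str:
    """Bytes -> Modhex, two characters per byte."""
    return hex_to_modhex(data.hex())


def modhex_decode(s: str) -> bytes:
    """Modhex -> bytes; the string must have an even number of characters."""
    if len(s) % 2:
        raise ValueError("Modhex string must have an even length")
    return bytes.fromhex(modhex_to_hex(s))


def split_otp(otp: str) -> tuple:
    """Split an emitted OTP into (public id, encrypted token).

    The token is always the last 32 characters; whatever precedes it is the
    public id (12 characters with the default settings). The alphabet check
    rejects, before anything reaches a validation server, a string that was
    typed through a keyboard mapping the key did not expect.
    """
    otp = otp.strip().lower()
    if len(otp) < OTP_TOKEN_CHARS:
        raise ValueError("OTP too short to contain a 32-character token")
    if not is_modhex(otp):
        raise ValueError("OTP contains non-Modhex characters")
    return otp[:-OTP_TOKEN_CHARS], otp[-OTP_TOKEN_CHARS:]


def factory_public_id(serial: int) -> str:
    """Factory public id from the decimal serial stamped on the key.

    The serial is written as a 6-byte big-endian integer (hence the leading
    'cccccc' on small serials) and then Modhex-encoded.
    """
    if not 0 <= serial < 2 ** 48:
        raise ValueError("serial does not fit in 6 bytes")
    return modhex_encode(serial.to_bytes(6, "big"))


def serial_from_public_id(public_id: str) -> int:
    """Inverse of factory_public_id(); meaningful only for factory credentials."""
    raw = modhex_decode(public_id)
    if len(raw) != 6:
        raise ValueError("a factory public id is exactly 12 Modhex characters")
    return int.from_bytes(raw, "big")


if __name__ == "__main__":
    otp = "fifjgjgkhchbirdrfdnlnghhfgrtnnlgedjlftrbdeut"   # example OTP from the post
    pub, tok = split_otp(otp)
    print("public id:", pub, "->", modhex_to_hex(pub))
    print("token    :", tok)
    print("serial 02198612 ->", factory_public_id(2198612))
    print("ccccccdbjrgf ->", serial_from_public_id("ccccccdbjrgf"))
```

Running the script reproduces the post's two results: fifjgjgkhchb decodes to 474858596061, and serial 02198612 yields ccccccdbjrgf. The is_modhex() check is worth keeping in any intake path for OTPs, since a key typed through an unexpected layout shows up as characters outside the sixteen-letter alphabet rather than as a silently wrong token.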
