This is a guide to using [YubiKey] as a [SmartCard] for storing GPG encryption, signing and authentication keys, which can also be used for SSH. Many of the principles in this document are applicable to other smart card devices.

Keys stored on YubiKey are [non-exportable] (as opposed to file-based keys that are stored on disk) and are convenient for everyday use. Instead of having to remember and enter passphrases to unlock SSH/GPG keys, YubiKey needs only a physical touch after being unlocked with a PIN. All signing and encryption operations happen on the card, rather than in OS memory.

New! [drduh/Purse] is a password manager which uses GPG and YubiKey.

Security Note: If you followed this guide before January 2021, your PUK (PIN Unblock Key) may still be set to its default value of 12345678. An attacker who knows the PUK can reset your PIN and then use your YubiKey. Please see the [Change PUK](#change-puk) section for details on how to change your PUK.

If you have a comment or suggestion, please open an [Issue] on GitHub.

            Community Discussions


            ECDSA sign with Python, verify with JS
            Asked 2022-Apr-10 at 18:16

            I'm trying to achieve the exact opposite of this here where I need to sign a payload in Python using ECDSA and be able to verify the signature in JS.

            Here is my attempt, but I'm pretty sure I'm missing something with data transformation on either or both ends.

            (Key types are the same as in the answer provided to the question above)

            I've tried some other variations but nothing worked so far.

            (The verification on JS returns False)




            Answered 2022-Apr-10 at 18:16

            The main problem is that both codes use different signature formats:
            sign_payload() in the Python code generates an ECDSA signature in ASN.1/DER format. The WebCrypto API on the other hand can only handle the IEEE P1363 format.
            Since the Python Cryptography library is much more convenient than the low level WebCrypto API it makes sense to do the conversion in Python code.

            The following Python code is based on your code, but additionally performs the transformation into the IEEE P1363 format at the end:

            Source https://stackoverflow.com/questions/71818496
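As an added example (stdlib-only Python, not code from the question or the answer above), the converter below parses the DER `SEQUENCE { INTEGER r, INTEGER s }` that the `cryptography` library emits and produces the fixed-width `r || s` that WebCrypto's `verify()` expects, rejecting non-DER encodings along the way; the reverse direction is included for checking WebCrypto-made signatures in Python. The sample signature bytes are constructed for illustration: r has its top bit set, so DER needs a leading 0x00 byte, and s is tiny, so P1363 must left-pad it. With `cryptography` itself, `decode_dss_signature` and `encode_dss_signature` from `cryptography.hazmat.primitives.asymmetric.utils` do the same (r, s) split.

```python
"""DER <-> IEEE P1363 conversion for ECDSA signatures (stdlib only).

Added example, not the code from the question. A DER signature is
SEQUENCE { INTEGER r, INTEGER s }; P1363 is r || s with each value
left-padded to the coordinate size (32 bytes for P-256, 66 for P-521).
"""


def _read_length(buf, pos):
    """DER length at buf[pos]: short form, or long form 0x81 for 128..255 bytes."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    if first == 0x81 and buf[pos + 1] >= 0x80:   # long form only when the short form cannot hold it
        return buf[pos + 1], pos + 2
    raise ValueError("unsupported or non-minimal DER length")


def _read_integer(buf, pos):
    """Parse one DER INTEGER at buf[pos]; return (value, position after it)."""
    if buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag 0x02")
    length, pos = _read_length(buf, pos + 1)
    body = buf[pos:pos + length]
    if len(body) != length or length == 0:
        raise ValueError("truncated or empty INTEGER")
    if body[0] & 0x80:
        raise ValueError("negative INTEGER is not a valid r or s")
    if length > 1 and body[0] == 0x00 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER encoding (BER, not DER)")
    return int.from_bytes(body, "big"), pos + length


def der_to_p1363(sig: bytes, coord_len: int) -> bytes:
    """SEQUENCE{r, s} -> r||s, each exactly coord_len bytes. Raises ValueError on malformed input."""
    if not sig or sig[0] != 0x30:
        raise ValueError("expected SEQUENCE tag 0x30")
    seq_len, pos = _read_length(sig, 1)
    if pos + seq_len != len(sig):
        raise ValueError("SEQUENCE length does not match signature size")
    r, pos = _read_integer(sig, pos)
    s, pos = _read_integer(sig, pos)
    if pos != len(sig):
        raise ValueError("trailing bytes after s")
    limit = 1 << (8 * coord_len)
    if not (0 < r < limit and 0 < s < limit):
        raise ValueError("r or s does not fit coord_len bytes")   # the verifier still checks r, s < n
    return r.to_bytes(coord_len, "big") + s.to_bytes(coord_len, "big")


def _encode_length(n):
    if n > 0xFF:
        raise ValueError("length too large for this encoder")
    return bytes([n]) if n < 0x80 else bytes([0x81, n])


def _encode_integer(v):
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")   # one extra 0x00 when the top bit is set
    return b"\x02" + _encode_length(len(body)) + body


def p1363_to_der(sig: bytes, coord_len: int) -> bytes:
    """r||s -> SEQUENCE{r, s}; the reverse direction, for signatures made by WebCrypto."""
    if len(sig) != 2 * coord_len:
        raise ValueError("P1363 signature must be exactly 2 * coord_len bytes")
    r = int.from_bytes(sig[:coord_len], "big")
    s = int.from_bytes(sig[coord_len:], "big")
    body = _encode_integer(r) + _encode_integer(s)
    return b"\x30" + _encode_length(len(body)) + body


def is_valid_der_signature(sig: bytes, coord_len: int) -> bool:
    """True only for a strictly DER-encoded signature that fits the curve's coordinate size."""
    try:
        der_to_p1363(sig, coord_len)
        return True
    except ValueError:
        return False


# Constructed sample (not from the question): r has its top bit set, s is tiny.
SAMPLE_R = int("aa" * 32, 16)
SAMPLE_S = 0x1234
SAMPLE_DER = bytes.fromhex("3027" "022100" + "aa" * 32 + "02021234")
SAMPLE_P1363 = SAMPLE_R.to_bytes(32, "big") + SAMPLE_S.to_bytes(32, "big")

if __name__ == "__main__":
    assert der_to_p1363(SAMPLE_DER, 32) == SAMPLE_P1363
    assert p1363_to_der(SAMPLE_P1363, 32) == SAMPLE_DER
    print(der_to_p1363(SAMPLE_DER, 32).hex())
```

The strictness checks matter on the verifying side: a BER-tolerant parser would accept several byte strings for the same (r, s), which is exactly the kind of signature malleability that some systems (Bitcoin's BIP 66, for one) had to close.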


            How to calculate sha 512 hash properly in .NET 6
            Asked 2022-Mar-30 at 04:56

            In .NET 6 code from How can I SHA512 a string in C#?



            Answered 2021-Nov-27 at 16:16

            In my case I was using RNGCryptoServiceProvider in .NET 5 but when I updated to .NET 6 I got the same warning. After reading about it in this issue I changed my code from this:

            Source https://stackoverflow.com/questions/70109573


            Crypto-js encryption and Python decryption using HKDF key
            Asked 2022-Mar-28 at 11:29

            Based on the example provided here on how to establish a shared secret and derived key between JS (Crypto-JS) and Python, I can end up with the same shared secret and derived key on both ends.

            However, when I try to encrypt as below, I cannot find a way to properly decrypt from Python. My understanding is that probably I am messing with the padding or salts and hashes.



            Answered 2022-Mar-28 at 11:29

            The issue is that the key is not passed correctly in the CryptoJS code.

            The posted Python code generates LefjQ2pEXmiy/nNZvEJ43i8hJuaAnzbA1Cbn1hOuAgA= as Base64-encoded key. This must be imported in the CryptoJS code using the Base64 encoder:

            Source https://stackoverflow.com/questions/71632056
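As an added example (stdlib-only Python, not the question's CryptoJS or Python code), the block below derives a key with HKDF-SHA256 exactly as RFC 5869 specifies, using the RFC's test case 1 inputs so the output is checkable, and then shows the encoding mismatch the answer describes: the Base64 text of a 32-byte key must be decoded back to 32 bytes on the CryptoJS side (`CryptoJS.enc.Base64.parse`), whereas treating the text as characters (`CryptoJS.enc.Utf8.parse`, or passing the string directly) yields 44 bytes, which is not an AES-256 key at all. The Python side can equally use `cryptography.hazmat.primitives.kdf.hkdf.HKDF`; the hand-rolled version here only makes visible what it computes.

```python
"""HKDF-SHA256 (RFC 5869) and the Base64 key-transport pitfall (stdlib only).

Added example, not code from the question. Inputs are RFC 5869 test case 1.
"""
import base64
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size   # 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """PRK = HMAC-Hash(salt, IKM); an empty salt is replaced by HashLen zero bytes."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """OKM = T(1) || T(2) || ... with T(i) = HMAC-Hash(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand: requested length too large")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """Extract-then-expand: the derived key both sides must end up with."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def key_to_base64(key: bytes) -> str:
    """How the Python side hands the derived key to JavaScript."""
    return base64.b64encode(key).decode("ascii")


def key_from_base64(text: str) -> bytes:
    """What CryptoJS.enc.Base64.parse(text) yields: the original key bytes."""
    return base64.b64decode(text, validate=True)


def key_from_utf8(text: str) -> bytes:
    """What CryptoJS.enc.Utf8.parse(text), or passing the string directly, yields: the wrong key."""
    return text.encode("utf-8")


# RFC 5869, test case 1 (published vectors, not secrets)
RFC_IKM = bytes.fromhex("0b" * 22)
RFC_SALT = bytes.fromhex("000102030405060708090a0b0c")
RFC_INFO = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
RFC_OKM = bytes.fromhex(
    "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
)

# The Base64 key string quoted in the answer above
ANSWER_KEY_B64 = "LefjQ2pEXmiy/nNZvEJ43i8hJuaAnzbA1Cbn1hOuAgA="


if __name__ == "__main__":
    assert hkdf(RFC_SALT, RFC_IKM, RFC_INFO, 42) == RFC_OKM
    print(len(key_from_base64(ANSWER_KEY_B64)), "bytes via Base64;",
          len(key_from_utf8(ANSWER_KEY_B64)), "bytes via Utf8")
```

A quick sanity check when debugging cross-language AES is to log `sigBytes` of the CryptoJS key object and the length of the Python key bytes before touching any ciphertext: if they differ (32 vs 44 here), no amount of fiddling with padding or IVs will make decryption work.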


            Exception "System.Security.Cryptography.CryptographicException" after Publishing project
            Asked 2022-Mar-19 at 05:01

            Every time I publish my Blazor Server project to my website domain and open the website, this exception occurs, and there's little to no help Googling it:

            And it says AppState.cs: line 21, so here's the codeline for it:

            This exception does not happen when debugging on localhost. When I delete localStorage from the browser on my website and refresh, everything works. But I don't want my customers having this exception and having to tell them to delete localStorage every time I publish.

            My Program.cs if necessary:



            Answered 2022-Mar-16 at 13:16

            Try setting Load User Profile to true in your IIS app pool in the advanced settings. See this answer; I hope that will help you!

            Source https://stackoverflow.com/questions/71494715


            Chaum blind signature with blinding in JavaScript and verifying in Java
            Asked 2022-Mar-04 at 16:01

            I'm experimenting with Chaum's blind signature, and what I'm trying to do is have the blinding and un-blinding done in JavaScript, and signing and verifying in Java (with bouncy castle). For the Java side, my source is this, and for JavaScript, I found blind-signatures. I've created two small codes to play with, for the Java side:



            Answered 2021-Dec-13 at 14:56

            The blind-signature library used in the NodeJS code for blind signing implements the process described here:

            No padding takes place in this process.

            In the Java code, the implementation of signing the blind message in signConcealedMessage() is functionally identical to BlindSignature.sign().
            In contrast, the verification in the Java code is incompatible with the above process because the Java code uses PSS as padding during verification.
            A compatible Java code would be for instance:

            Source https://stackoverflow.com/questions/70324926
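As an added example (plain Python, not the question's Java or Node code), the block below runs Chaum's scheme end to end with textbook RSA, which is what the unpadded process the answer refers to amounts to: the client blinds the hashed message with r^e, the signer raises whatever it is handed to the private exponent without seeing the message, the client strips r, and the verifier checks s^e mod n against the hash directly, with no PSS or PKCS#1 v1.5 encoding at either end. The key is a constructed toy built from two publicly known Mersenne primes so the block is self-contained and runs offline; a real signer generates random primes of proper size, and the blinding factor r must be fresh and secret for every message.

```python
"""Chaum RSA blind signature with textbook (unpadded) RSA, stdlib only.

Added example, not code from the question or from the blind-signatures /
Bouncy Castle libraries it uses. The toy key below uses two publicly known
Mersenne primes so the block runs offline; it is NOT a secure key.
"""
import hashlib
import math
import secrets

_P = 2**521 - 1          # Mersenne prime M521 (public, toy only)
_Q = 2**127 - 1          # Mersenne prime M127 (public, toy only)
N = _P * _Q              # ~648-bit modulus, larger than a SHA-256 digest
E = 65537
_D = pow(E, -1, (_P - 1) * (_Q - 1))   # private exponent (Python 3.8+ modular inverse)


def message_representative(message: bytes) -> int:
    """Hash the message to an integer m < N. No padding is applied: that is the
    'no padding takes place' property the answer describes."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def blind(m: int):
    """Client: choose a secret r coprime to N and return (m * r^e mod N, r)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r


def sign_blinded(m_blinded: int) -> int:
    """Signer: raw RSA private operation on whatever it is given; it never sees m."""
    return pow(m_blinded, _D, N)


def unblind(s_blinded: int, r: int) -> int:
    """Client: (m r^e)^d = m^d r, so dividing by r leaves m^d mod N."""
    return (s_blinded * pow(r, -1, N)) % N


def verify(m: int, s: int) -> bool:
    """Raw RSA verification, s^e mod N == m. A PSS verifier would reject this,
    which is exactly the incompatibility in the Java code."""
    return pow(s, E, N) == m


def blind_sign_round_trip(message: bytes):
    """Run the whole protocol; returns (m, blinded m seen by signer, final signature)."""
    m = message_representative(message)
    m_blinded, r = blind(m)
    s = unblind(sign_blinded(m_blinded), r)
    return m, m_blinded, s


if __name__ == "__main__":
    m, seen_by_signer, s = blind_sign_round_trip(b"constructed ballot #42")
    print("signer saw the message:", seen_by_signer == m)
    print("signature verifies:", verify(m, s))
```

Two caveats a practitioner should keep in mind: the signer cannot inspect what it signs, which is the point of the scheme but also means the key must never double as a general raw-RSA signing key (a raw signing oracle on a reused key lets a client obtain signatures on arbitrary values); and the hash-then-raw-RSA verification here is only sound because the signer applies no padding, so both ends must agree on exactly this convention, as the answer's NoPadding Java variant does.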


            KJUR jws jsrsasign: Cannot validate ES256 token on JWT.io
            Asked 2022-Mar-03 at 06:41

            We are trying to make a JWT token for Apple Search Ads using the KJUR jws library. We are using the API documents from Apple:


            We are generating a private key (prime256v1 curve):

            openssl ecparam -genkey -name prime256v1 -noout -out private-key.pem

            Next we are generating a public key from the private key:

            openssl ec -in private-key.pem -pubout -out public-key.pem

            Next we setup the header and payload:



            Answered 2022-Mar-02 at 07:47

            The issue is caused by an incorrect import of the key.

            The posted key is a PEM encoded private key in SEC1 format. In getKey() the key is passed in JWK format, specifying the raw private key d. The PEM encoded SEC1 key is used as the value for d. This is incorrect because the raw private key is not identical to the SEC1 key, but is merely contained within it.

            To fix the problem, the key must be imported correctly. jsrsasign also supports the import of a PEM encoded key in SEC1 format, but then it also needs the EC parameters, see e.g. here. For prime256v1 aka secp256r1 this is:

            Source https://stackoverflow.com/questions/71307444


            Is it possible to get ISO9796-2 signature with Trailer = 'BC' in Javacard?
            Asked 2022-Feb-24 at 10:46

            I am trying to get the RSA signature as described in Annex A2.1 of EMV Book 2. As I understand it, it was described in ISO 9796-2 as scheme 1, option 1. So the resulting signature should contain a Header equal to '6A' and a Trailer equal to 'BC'.

            The algorithms ALG_RSA_SHA_ISO9796 and ALG_RSA_SHA_ISO9796_MR are the only suitable ones that I could find. But they act like scheme 1, option 2, with a Trailer equal to '33cc'.

            Is it possible to get a signature with Trailer = 'BC'?

            Javacard example code:



            Answered 2022-Feb-24 at 10:46

            You can generate such a signature using Cipher.ALG_RSA_NOPAD in decrypt mode.


            Source https://stackoverflow.com/questions/71243483


            How to transfer custom SPL token by '@solana/web3.js' and '@solana/sol-wallet-adapter'
            Asked 2022-Jan-29 at 21:02

            Hello, I am trying to transfer a custom SPL token with the solana-wallet adapter. However, I am having trouble getting the wallet's secret key/signing the transaction.

            I've looked at these answers for writing the transfer code, but I need to get the Signer and I have trouble figuring out how with solana-wallet adapter. These examples hardcode the secret key, and since I'm using a wallet extension this is not possible.

            How can you transfer SOL using the web3.js sdk for Solana?

            How to transfer custom token by '@solana/web3.js'

            According to this issue on the wallet-adapter repo https://github.com/solana-labs/wallet-adapter/issues/120 you need to:

            1. Create a @solana/web3.js Transaction object and add instructions to it
            2. Sign the transaction with the wallet
            3. Send the transaction over a Connection

            But I am having difficulty finding examples or documentation on how to do steps 1 and 2.



            Answered 2021-Dec-06 at 13:51

            So I found a way to do this; it requires some cleanup and error handling but allows for a custom token transaction via @solana/wallet-adapter.

            Source https://stackoverflow.com/questions/70224185


            From base64-encoded public key in DER format to COSE key, in Python
            Asked 2022-Jan-01 at 10:34

            I have a base64-encoded public key in DER format. In Python, how can I convert it into a COSE key?

            Here is my failed attempt:



            Answered 2022-Jan-01 at 07:49

            The posted key is an EC key for curve P-256 in X.509 format.

            With an ASN.1 parser (e.g. https://lapo.it/asn1js/) the x and y coordinates can be determined:

            Source https://stackoverflow.com/questions/70542577
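This question and the earlier KJUR/ES256 one (where the whole PEM was passed as d) come down to the same mistake: the raw key material is nested inside a DER structure and has to be pulled out of it rather than used wholesale. As an added example in stdlib-only Python (not code from either answer), the block below walks the DER of a SEC1 ECPrivateKey to extract the scalar d, walks an X.509 SubjectPublicKeyInfo to extract x and y after checking the curve OID, and packs the coordinates into a COSE_Key map encoded as canonical CBOR (labels from RFC 8152: kty 1 = EC2 (2), alg 3 = ES256 (-7), crv -1 = P-256 (1), x = -2, y = -3). The key material is constructed for the example: the public point is the P-256 generator, so the private scalar is 1, which is obviously not a usable key. In practice `load_pem_private_key` / `load_der_public_key` from `cryptography.hazmat.primitives.serialization` and a CBOR library such as `cbor2` do this work; the point here is to see where d, x and y actually sit.

```python
"""Extract raw EC key material from DER and build a COSE_Key (stdlib only).

Added example, not code from either question. Key material is constructed:
the point is the P-256 generator G, i.e. the private scalar is d = 1.
"""
import base64

EC_PUBKEY_OID = bytes.fromhex("2a8648ce3d0201")      # 1.2.840.10045.2.1  id-ecPublicKey
P256_OID = bytes.fromhex("2a8648ce3d030107")         # 1.2.840.10045.3.1.7 prime256v1 / secp256r1

GX = bytes.fromhex("6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296")
GY = bytes.fromhex("4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5")
D_ONE = bytes(31) + b"\x01"

# Constructed SEC1 ECPrivateKey DER (what "BEGIN EC PRIVATE KEY" wraps) for d = 1:
# SEQUENCE { INTEGER 1, OCTET STRING d, [0] OID prime256v1, [1] BIT STRING 04||x||y }
SEC1_DER = (bytes.fromhex("3077" "020101" "0420") + D_ONE
            + bytes.fromhex("a00a0608") + P256_OID
            + bytes.fromhex("a1440342" "0004") + GX + GY)

# Constructed SubjectPublicKeyInfo DER, the "public key in DER format" of the question
SPKI_DER = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200" "04") + GX + GY
SPKI_B64 = base64.b64encode(SPKI_DER).decode("ascii")


def der_children(buf: bytes):
    """Split a DER buffer into a list of (tag, value); short and one-byte long lengths only."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length == 0x81:
            length, pos = buf[pos], pos + 1
        elif length >= 0x80:
            raise ValueError("unsupported DER length form")
        value = buf[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated DER element")
        out.append((tag, value))
        pos += length
    return out


def sec1_private_scalar(der: bytes) -> bytes:
    """Return d from ECPrivateKey ::= SEQUENCE { version, privateKey OCTET STRING, [0], [1] }."""
    (tag, body), = der_children(der)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    fields = der_children(body)
    if fields[0] != (0x02, b"\x01"):
        raise ValueError("unsupported ECPrivateKey version")
    if fields[1][0] != 0x04:
        raise ValueError("privateKey must be an OCTET STRING")
    return fields[1][1]          # this 32-byte value, not the PEM text, is the JWK 'd'


def spki_point(der: bytes):
    """Return (x, y) from SubjectPublicKeyInfo ::= SEQUENCE { SEQUENCE { alg, curve }, BIT STRING }."""
    (tag, body), = der_children(der)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    (alg_tag, alg), (bits_tag, bits) = der_children(body)
    if alg_tag != 0x30 or bits_tag != 0x03:
        raise ValueError("not a SubjectPublicKeyInfo")
    (_, alg_oid), (_, curve_oid) = der_children(alg)
    if alg_oid != EC_PUBKEY_OID or curve_oid != P256_OID:
        raise ValueError("not a P-256 EC public key")
    point = bits[1:]             # first BIT STRING byte is the unused-bits count (0)
    if len(point) != 65 or point[0] != 0x04:
        raise ValueError("expected an uncompressed point")
    return point[1:33], point[33:65]


def spki_point_from_base64(text: str):
    return spki_point(base64.b64decode(text))


def cose_ec2_key(x: bytes, y: bytes) -> dict:
    """COSE_Key for a P-256 public key (RFC 8152 labels)."""
    return {1: 2, 3: -7, -1: 1, -2: x, -3: y}


def cbor_encode(obj) -> bytes:
    """Minimal canonical CBOR: small ints, byte strings, maps sorted by encoded key."""
    if isinstance(obj, int):
        if 0 <= obj <= 23:
            return bytes([obj])
        if 24 <= obj <= 255:
            return bytes([0x18, obj])
        if -24 <= obj < 0:
            return bytes([0x20 + (-1 - obj)])
        if -256 <= obj < -24:
            return bytes([0x38, -1 - obj])
        raise ValueError("integer outside this encoder's range")
    if isinstance(obj, bytes):
        if len(obj) <= 23:
            return bytes([0x40 + len(obj)]) + obj
        if len(obj) <= 255:
            return bytes([0x58, len(obj)]) + obj
        raise ValueError("byte string too long for this encoder")
    if isinstance(obj, dict):
        items = sorted(obj.items(), key=lambda kv: cbor_encode(kv[0]))
        if len(items) > 23:
            raise ValueError("map too large for this encoder")
        return bytes([0xA0 + len(items)]) + b"".join(cbor_encode(k) + cbor_encode(v) for k, v in items)
    raise TypeError("unsupported type")


if __name__ == "__main__":
    x, y = spki_point_from_base64(SPKI_B64)
    print(cbor_encode(cose_ec2_key(x, y)).hex())
```

The same walker shows why the jsrsasign import failed: `sec1_private_scalar` returns 32 bytes, while the PEM body is the whole 121-byte structure around them, so a JWK built from the PEM text has a `d` that is not a scalar on the curve at all.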


            Why are signatures created with ecdsa Python library not valid with coincurve?
            Asked 2021-Dec-25 at 14:41

            I'm switching from the pure Python ecdsa library to the much faster coincurve library for signing data. I would also like to switch to coincurve for verifying the signatures (including the old signatures created by the ecdsa library).

            It appears that signatures created with ecdsa are not (always?) valid in coincurve. Could someone please explain why this is not working? Also, it seems that cryptography library is able to validate both ecdsa signatures and coincurve signatures without issues, consistently.

            What is even more confusing, if you run the script below a few times, is that sometimes it prints point 3 and other times it does not. Why would coincurve only occasionally find the signature valid?



            Answered 2021-Dec-25 at 14:41

            Bitcoin and the coincurve library use canonical signatures while this is not true for the ecdsa library.

            What does canonical signature mean?
            In general, if (r,s) is a valid signature, then (r,s') := (r,-s mod n) is also a valid signature (n is the order of the base point).
            A canonical signature uses the value s' = -s mod n = n - s instead of s, i.e. the signature (r, n-s), if s > n/2, see e.g. here.

            All signatures from the ecdsa library that were not successfully validated by the coincurve library in your test program have an s > n/2 and thus are not canonical, whereas those that were successfully validated are canonical.

            So the fix is simply to canonize the signature of the ecdsa library, e.g.:

            Source https://stackoverflow.com/questions/70477905
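As an added example (plain Python, not the question's script), the block below implements ECDSA over secp256k1 with affine-coordinate arithmetic so the malleability described in the answer can be seen directly: it signs a message, flips the signature to (r, n - s), verifies that both forms pass, and then canonicalizes to the low-s form that coincurve and Bitcoin accept. The private key and nonce k are constructed constants for reproducibility; real code derives k per RFC 6979 or from a CSPRNG and never reuses it, and libsecp256k1 (via coincurve) is what one should use in production rather than this textbook arithmetic.

```python
"""ECDSA malleability and low-s canonicalisation on secp256k1 (stdlib only).

Added example, not the question's script. (r, s) and (r, n - s) are both valid
ECDSA signatures for the same key and message; coincurve/Bitcoin accept only
the one with s <= n/2. Key and nonce below are constructed constants.
"""
import hashlib

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

PRIV = int("11" * 32, 16)                  # constructed private key, NOT a real secret
NONCE = int("c0ffee" * 10 + "abcd", 16)    # constructed nonce; real code uses RFC 6979 / CSPRNG


def on_curve(A) -> bool:
    """y^2 == x^3 + 7 (mod P); the point at infinity is represented as None."""
    if A is None:
        return True
    x, y = A
    return (y * y - x * x * x - 7) % P == 0


def point_add(A, B):
    """Affine group law on secp256k1; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # A == -B
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k: int, A):
    """Double-and-add (not constant time; fine for a demonstration)."""
    R = None
    while k:
        if k & 1:
            R = point_add(R, A)
        A = point_add(A, A)
        k >>= 1
    return R


def public_key(d: int):
    return scalar_mult(d, G)


def message_hash(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(d: int, z: int, k: int):
    """Textbook ECDSA: r = (kG).x mod n, s = k^-1 (z + r d) mod n."""
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * d) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, choose another nonce")
    return r, s


def verify(Q, z: int, r: int, s: int) -> bool:
    """Accepts both (r, s) and (r, n - s): that is the malleability."""
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    X = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, Q))
    return X is not None and X[0] % N == r


def malleate(r: int, s: int):
    """The 'other' valid signature for the same message and key."""
    return r, N - s


def is_canonical(s: int) -> bool:
    """The low-s rule coincurve enforces (libsecp256k1 rejects high-s on verify)."""
    return 1 <= s <= N // 2


def canonicalize(r: int, s: int):
    """The fix from the answer: replace s by n - s when s > n/2."""
    return (r, N - s) if s > N // 2 else (r, s)


if __name__ == "__main__":
    z = message_hash(b"constructed message")
    Q = public_key(PRIV)
    r, s = sign(PRIV, z, NONCE)
    print("original canonical:", is_canonical(s), "malleated canonical:", is_canonical(N - s))
    print("both verify:", verify(Q, z, r, s) and verify(Q, z, *malleate(r, s)))
```

Because the verifier cannot tell the two forms apart, any system that uses the signature bytes as an identifier (a transaction ID, a deduplication key, a replay-protection cache) has to pin one form; low-s is the convention Bitcoin chose, and canonicalizing at signing time, as the answer suggests, costs one comparison.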

Use `man gpg` to understand GPG options and command-line flags. To get more information on potential errors, restart the gpg-agent process with debug output to the console: `pkill gpg-agent; gpg-agent --daemon --no-detach -v -v --debug-level advanced --homedir ~/.gnupg`.

- If you encounter problems connecting to YubiKey with GPG, try unplugging and re-inserting YubiKey, and restarting the gpg-agent process.
- If you receive the error `gpg: decryption failed: secret key not available`, you likely need to install GnuPG version 2.x. Another possibility is a problem with the PIN, e.g. it is too short or blocked.
- If you receive the error `Yubikey core error: no yubikey present`, make sure the YubiKey is inserted correctly. It should blink once when plugged in. If you still receive the error, you likely need to install newer versions of yubikey-personalize as outlined in [Required software](#required-software).
- If you receive the error `Yubikey core error: write error`, YubiKey is likely locked. Install and run yubikey-personalization-gui to unlock it.
- If you receive the error `Key does not match the card's capability`, you likely need to use 2048-bit RSA key sizes.
- If you receive the error `sign_and_send_pubkey: signing failed: agent refused operation`, make sure you replaced ssh-agent with gpg-agent as noted above. If you still receive the error, [run the command](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835394) `gpg-connect-agent updatestartuptty /bye`. If the error persists, edit ~/.gnupg/gpg-agent.conf to set a valid pinentry program path, e.g. `pinentry-program /usr/local/bin/pinentry-mac` on macOS.
- If you receive the error `The agent has no identities` from `ssh-add -L`, make sure you have installed and started scdaemon.
- If you receive the error `Error connecting to agent: No such file or directory` from `ssh-add -L`, the UNIX socket the agent uses to communicate with other processes may not be set up correctly. On Debian, try `export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"`. Also check that `gpgconf --list-dirs agent-ssh-socket` returns a single path to an existing S.gpg-agent.ssh socket.
- If you receive the error `Permission denied (publickey)`, increase ssh verbosity with the `-v` flag and ensure the public key from the card is being offered: `Offering public key: RSA SHA256:abcdefg… cardno:00060123456`. If it is, ensure you are connecting as the right user on the target system, rather than as the user on the local system. Otherwise, be sure IdentitiesOnly is not [enabled](https://github.com/FiloSottile/whosthere#how-do-i-stop-it) for this host.
- If SSH authentication still fails, add up to 3 `-v` flags to the ssh client to increase verbosity. If it still fails, it may be useful to stop the background sshd daemon process on the server (e.g. using `sudo systemctl stop sshd`) and instead start it in the foreground with extensive debugging output, using `/usr/sbin/sshd -eddd`. Note that the server will not fork and will only process one connection, so it has to be restarted after every ssh test.
- If you receive the error `Please insert the card with serial number: *`, see [using multiple keys](#using-multiple-keys).
- If you receive the error `There is no assurance this key belongs to the named user` or `encryption failed: Unusable public key`, use `gpg --edit-key` to set trust to `5 = I trust ultimately`. If, when you try the `--edit-key` command, you get the error `Need the secret key to do this.`, you can manually specify trust for the key in ~/.gnupg/gpg.conf with the `trust-key [your key ID]` directive.
- If, when using a previously provisioned YubiKey on a new computer with pass, you see the following error on `pass insert`: `gpg: 0x0000000000000000: There is no assurance this key belongs to the named user gpg: [stdin]: encryption failed: Unusable public key`, you need to adjust the trust associated with the key. See the previous bullet.
- If you receive the error `gpg: 0x0000000000000000: skipped: Unusable public key` or `encryption failed: Unusable public key`, the sub-key may be expired and can no longer be used to encrypt or sign messages. It can still be used to decrypt and authenticate, however.

Refer to the Yubico article [Troubleshooting Issues with GPG](https://support.yubico.com/hc/en-us/articles/360013714479-Troubleshooting-Issues-with-GPG) for additional guidance.
