Yubikey is a device that acts as a USB Keyboard and provides secure authentification by a one-time password algorithm. The Yubikey is what is known as a security token. The device creates a 128 bit string of characters that acts as a password. It draws power from the USB port and does not contain batteries or use other power supplies. Since it acts as a USB keyboard, there is no software to accompany it.
It measures 18 x 45 x 2 mm in dimensions and weighs 2 grams.
Yubikey transmits a 44-character string. This string consists of the unique public ID (12 characters) in plaintext and the OTP (32 characters or 128 bit / 16 byte), which is encrypted using the key-specific secret 128-bit AES-cypher. Both are encoded with ModHex. The OTP contains the following information in that order:
- 6 byte unique secret ID
- 2 byte session counter
- 3 byte timecode
- 1 byte token counter
- 2 bytes of pseudo-random values
- 2 byte CRC-16 checksum
The public and secret ID and the AES-cypher are assigned to a Yubikey by Yubico before shipment. These informations can be overwritten. It is not possible to retrieve the secret ID and the cypher from a Yubikey.
The session counter is stored in non-volatile memory and increments every time the Yubikey is powered up. It counts from 1 to 65,536. once it reached its limit, the Yubikey's corresponding configuration dies and is no longer able to generate OTPs until you reinitialize this configuration slot.
The timecode starts at 1 once the Yubikey is powered. It is incremented by an 8 Hz internal clock and counts from 1 to 16,777,216 which gives it a runtime of 24.27 days. When it reaches its limit, the session is terminated and no more OTPs can be generated.
The token counter starts at 1 once the Yubikey is powered. It increments by 1 every time an OTP is generated up to 256, then it wraps back to 1. It is important to note, that the token counter is not the limiting factor in a session, it is the timestamp that limits a session.
The pseudo-random bytes are provided by a free-running oscilator to add entropy to the plaintext.
The CRC (cyclic redundancy check) is added to ensure the integrity of the submitted information.
ModHex is a substitution cypher designed for hexadecimal strings. It was created by Yubico to ensure, that Yubikeys generate valid OTPs regardless of the active keyboard layout.
This is the substitution table:
Hex: 0 1 2 3 4 5 6 7 8 9 a b c d e f ModHex: c b d e f g h i j k l n r t u v
Basically any unspecified character will be encoded as c, not just 0.