Summary

You can generate Symantec VIP Access credentials and load them onto any Yubikey that supports TOTP or HOTP (i.e. any Yubikey that isn't blue).

If you don't already have a Yubikey, you might also consider a Symantec VIP Hardware Authenticator, which is less than half the price of the Yubikey I used - but I already have the Yubikey, and the Hardware Authenticator doesn't ship to the UK.

TOTP vs HOTP

The codes generated by the Symantec VIP Access phone app (and the likes of Google Authenticator) are TOTP codes - the code depends on the time. The other option is HOTP which uses a counter instead - this is what the Symantec VIP Hardware Authenticator does, and simplifies things on devices like the Yubikey that don't have built-in clocks.

Here are the main differences:

TOTP
  • Based on time - new code every 30 seconds
  • Requires a program on your computer - cannot use Yubikey's keyboard emulation
  • Can be backed up at creation time

HOTP
  • Based on counter - new code every button press
  • Yubikey keyboard emulation works - no software needed
  • More difficult to back up, as counter changes on every code use

If you choose TOTP

  • Install python-vipaccess with pip3 install python-vipaccess and yubioath with sudo apt-get install yubioath-desktop

  • Execute python-vipaccess from wherever pip installed it (in my case ~/.local/bin/vipaccess) like so:

$ ~/.local/bin/vipaccess provision -p
Generating request...
Fetching provisioning response...
Getting token from response...
Decrypting token...
Checking token...
Credential created successfully:
    otpauth://totp/VIP%20Access:VSST89795985?secret=KVIMXW236KKUVMSVNYKZOBFPTWMKMPKZ&digits=6&algorithm=SHA1&issuer=Symantec&period=30
This credential expires on this date: 2023-03-29T16:24:42.226Z

You will need the ID to register this credential: VSST89795985

You can use oathtool to generate the same OTP codes
as would be produced by the official VIP Access apps:

    oathtool    -b --totp KVIMXW236KKUVMSVNYKZOBFPTWMKMPKZ  # output one code
    oathtool -v -b --totp KVIMXW236KKUVMSVNYKZOBFPTWMKMPKZ  # ... with extra information

This gives you the TOTP secret and token ID. If you want to back up the credential or also load it into a tool like Google Authenticator, now is the time; to generate a QR code, see the python-vipaccess README.
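To make the TOTP/HOTP difference from the table above concrete, and to show what oathtool, the VIP Access app and the Yubikey are all computing from that otpauth:// URI, here is an added example (my own code, not from the post or from python-vipaccess). It parses the URI, implements RFC 4226 HOTP and RFC 6238 TOTP on top of Python's standard library, and adds a server-side HOTP check with a look-ahead window to illustrate why a restored counter that is behind the real one causes failures. The secret in the demo URI is the RFC 4226/6238 test key (base32-encoded), not a real credential; the label and counter are constructed.

```python
#!/usr/bin/env python3
"""Added example: generate VIP Access style OTP codes from an otpauth:// URI."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Split an otpauth://totp|hotp/<label>?... URI into its fields, with RFC defaults."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth TOTP/HOTP URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {
        "type": parsed.netloc,
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"],
        "digits": int(params.get("digits", 6)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
        "period": int(params.get("period", 30)),   # TOTP only
        "counter": int(params.get("counter", 0)),  # HOTP only
    }


def hotp(secret_b32, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # base32 needs 8-char groups
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, for_time=None, period=30, digits=6, algorithm="sha1"):
    """RFC 6238: TOTP is HOTP with the counter set to floor(unix_time / period)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret_b32, int(for_time) // period, digits, algorithm)


def code_from_uri(uri, for_time=None):
    """Produce the code the URI's credential would show right now (or at for_time)."""
    cred = parse_otpauth(uri)
    if cred["type"] == "totp":
        return totp(cred["secret"], for_time, cred["period"], cred["digits"], cred["algorithm"])
    # For HOTP the URI's counter is the value the NEXT code will be generated with,
    # which is why the post passes the same number to ykman's --counter.
    return hotp(cred["secret"], cred["counter"], cred["digits"], cred["algorithm"])


def verify_hotp(secret_b32, submitted, server_counter, look_ahead=10, digits=6):
    """Server-side HOTP check: accept the expected counter or one of the next
    `look_ahead` values (the token may have produced codes the server never saw).
    Returns the counter the server should store next, or None on failure.
    A token whose counter is BEHIND the server (e.g. restored from an old backup)
    is never accepted, which is the backup problem the post's table refers to."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret_b32, c, digits), submitted):
            return c + 1
    return None


# Constructed demo URI in the shape of the post's output; secret is the RFC test key.
DEMO_HOTP_URI = ("otpauth://hotp/VIP%20Access:DEMO0001"
                 "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&digits=6&algorithm=SHA1"
                 "&issuer=Demo&counter=2")

if __name__ == "__main__":
    cred = parse_otpauth(DEMO_HOTP_URI)
    print("credential:", cred["label"], "type:", cred["type"])
    print("next HOTP code (counter 2):", code_from_uri(DEMO_HOTP_URI))
    print("TOTP code for the same key right now:", totp(cred["secret"]))
```

Running it against the real URI from the `vipaccess provision` output gives the same code as `oathtool -b --totp <secret>`; for the HOTP variant, `code_from_uri` matches the first code the Yubikey emits after `ykman otp --counter 2 hotp ...`.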

  • Then simply load the secret onto your Yubikey and test as follows:
$ read -p "Enter the secret: " totpsecret
Enter the secret: KVIMXW236KKUVMSVNYKZOBFPTWMKMPKZ

$ yubioath put --name VSST89795985 --oath-type totp --touch "$totpsecret"

$ yubioath
VSST89795985  [Touch credential]

$ yubioath show VSST89795985
Touch your YubiKey...
VSST89795985      857363

$ unset totpsecret

We use read above to avoid saving the secret into our bash history. You can also use yubioath-gui if you prefer a GUI.

Calling yubioath from python

If you've got a python script to log into something, and you want to call yubioath from it, you can do it like so:

#!/usr/bin/env python3
import subprocess

keyId = "VSST89795985"   # the credential name given to `yubioath put --name ...`
pintoken = ''

while pintoken == '':
    # `yubioath show <name>` prints "<name>   <code>" on stdout once the key is touched;
    # it returns non-zero if no Yubikey is plugged in
    ykResult = subprocess.run(["yubioath", "show", keyId], stdout=subprocess.PIPE)
    if ykResult.returncode == 0:
        pintoken = str(ykResult.stdout, 'utf-8').split()[-1]   # last field is the 6-digit code
    else:
        # fall back to manual entry; an empty answer loops round and retries the Yubikey
        pintoken = input('Enter token manually, or press enter to retry yubikey: ')

print("Token:", pintoken)

The while loop ensures that, if the script reaches the yubioath step before you have plugged your key in, you can plug it in and try again.

If you choose HOTP

  • Install python-vipaccess with pip3 install python-vipaccess and Yubikey Manager with sudo apt-add-repository ppa:yubico/stable && sudo apt update && sudo apt install yubikey-manager-qt

  • Execute python-vipaccess from wherever pip installed it (in my case ~/.local/bin/vipaccess) like so:

$ ~/.local/bin/vipaccess provision -p -t FT12
Generating request...
Fetching provisioning response...
Getting token from response...
Decrypting token...
Checking token...
Credential created successfully:
    otpauth://hotp/VIP%20Access:FT1263782685?secret=KXVJPCQHMKLRP5FOPBW43OTV2424CXVY&digits=6&algorithm=SHA1&issuer=Symantec&counter=2
This credential expires on this date: 2023-03-29T18:00:44.119Z

You will need the ID to register this credential: FT1263782685

The prefix comes from Symantec's list of prefixes listed as 'event based' - prefixes like UBHE also work.

  • Remember to note down the ID - FT1263782685 in the example above - as you'll need it to make use of your new credential.

  • The Yubikey's keyboard emulation has two 'slots' - Slot 1 is triggered by a short press, and comes factory-configured for Yubico OTP. Slot 2 is triggered by a long press, and from the factory is empty; below, we confirm slot 2 is empty and load our credential into that slot. If a slot isn't empty, don't overwrite it unless you're happy to lose whatever credential is in that slot.

$ ykman otp info
Slot 1: programmed
Slot 2: empty

$ read -p "Enter the secret: " hotpsecret
Enter the secret: KXVJPCQHMKLRP5FOPBW43OTV2424CXVY

$ ykman otp --counter 2 hotp 2 "$hotpsecret"
Program a HOTP credential in slot 2? [y/N]: y

$ unset hotpsecret

You can use ykman-gui to do the same thing with a GUI, if you prefer.

  • Now when you long-press (short press if you used slot 1) your Yubikey will emulate a keyboard entering a 6-digit code.

  • Test your token at Symantec's website to confirm you've set it up right.



Published

29 March 2020
