YubiKey HOTP challenge — hardware one-time-password bootstrapping.
The YubiKey’s slot 2 (long-press) can be programmed to emit RFC 4226 HOTP codes via USB HID (it appears as a USB keyboard). This challenge uses that to bootstrap headless devices without any secrets stored in plaintext on the device itself.
§Enrollment flow
```text
Admin dashboard             CA                          Headless router
      |                      |                                 |
      |--- provision seed -->|                                 |
      |   (stored in CA config)                                |
      |                      |                                 |
      |--- ykpersonalize --> YubiKey                           |
      |   (seed programmed)  |                                 |
      |                      |                                 |
      (YubiKey shipped / plugged into headless router)         |
                             |                                 |
                             |<--- NEW request ----------------|
                             |--- NewResponse ---------------->|
                             |                                 |
                             |<--- CHALLENGE (begin) ----------|
                             |--- "Press YubiKey..." --------->|
                             |                                 |
                             (operator presses YubiKey button)
                             |                                 |
                             |<--- CHALLENGE (otp) ------------|  (USB HID -> stdin capture)
                             |--- Approved / Issued ---------->|
```

§HOTP algorithm (RFC 4226)
HOTP(K, C) = Truncate(HMAC-SHA1(K, C)) mod 10^digits

- K: shared secret (seed, 20+ bytes recommended)
- C: 8-byte big-endian counter, incremented after each valid code
- Truncate: RFC 4226 dynamic truncation (4 bytes selected by the low nibble of the last HMAC byte, high bit masked)
- Lookahead window (default 20): handles button presses that weren't captured, so the counter can be resynchronised
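The algorithm and the counter/lookahead handling above, worked through as an added Python example (not the crate's own code, which is Rust). It uses only the standard library; the secret is the RFC 4226 Appendix D test key, and the `verify_hotp` function, its `window` parameter and the submitted-code normalisation are this example's assumptions about how a verifier would consume the captured HID input:

```python
import hmac
import hashlib
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce mod 10^digits (zero-padded)."""
    msg = counter.to_bytes(8, "big")
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(key: bytes, expected_counter: int, submitted: str,
                digits: int = 6, window: int = 20) -> Optional[int]:
    """Verify a code captured from the YubiKey's HID output.

    Accepts the code for any counter in expected_counter .. expected_counter+window
    (the lookahead covers presses that were never captured). Returns the counter
    the CA should store next (one past the matching counter), or None on failure.
    Counters below expected_counter are never tried, so a replayed code fails.
    """
    # HID capture usually ends with Enter; strip that before comparing.
    candidate = submitted.strip()
    if len(candidate) != digits or not candidate.isdigit():
        return None
    for c in range(expected_counter, expected_counter + window + 1):
        if hmac.compare_digest(hotp(key, c, digits), candidate):
            return c + 1
    return None


# Constructed demo data: the RFC 4226 Appendix D secret ("12345678901234567890").
SEED = b"12345678901234567890"

if __name__ == "__main__":
    stored_counter = 0
    press = hotp(SEED, 0) + "\n"                 # first button press, Enter appended
    stored_counter = verify_hotp(SEED, stored_counter, press)
    print("accepted, next counter =", stored_counter)       # 1

    print("replay ->", verify_hotp(SEED, stored_counter, press))  # None

    # Three presses lost (counters 1..3), fourth press captured.
    press = hotp(SEED, 4)
    print("resync ->", verify_hotp(SEED, stored_counter, press))  # 5
```

Two properties worth noticing: the CA never needs the code history, only the seed and the last accepted counter, and shrinking `window` trades resynchronisation tolerance for a smaller set of codes an attacker could guess at any moment (with 6 digits and a window of 20, about 21 of 10^6 values are valid per attempt, which is why the challenge should rate-limit failed attempts).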
Structs§

- YubikeyHotpChallenge: NDNCERT challenge that verifies a YubiKey HOTP code.