Yubico Yubikey 4 (U2F) compatibility issue w 5.12 [SOLVED]

Dukeswharf
Posts: 20
Joined: Mon Nov 08, 2010 6:33 am

Yubico Yubikey 4 (U2F) compatibility issue w 5.12 [SOLVED]

Post by Dukeswharf » Mon Jul 04, 2016 3:44 am

OS: Windows 10 Pro
Sandboxie version: 5.12 (64-bit)
Browser: Chrome Version 51.0.2704.106 m (64-bit)
Yubico device: Yubikey 4

Hi,

Recent attempts, as of yesterday, to log into my Google account using my Yubikey U2F device for 2-factor authentication, continually failed. So much so that I contacted Yubico to request a replacement key.

They (Yubico support) directed me to https://demo.yubico.com/u2f to test my key. Of course that failed as well, until I removed Chrome from loading inside Sandboxie, then both 2-factor authentication on Google and registration at demo.yubico worked as expected.

Is this a known issue and if so, is there an ETA on its resolution?

Duke

Dukeswharf
Posts: 20
Joined: Mon Nov 08, 2010 6:33 am

Re: Yubico Yubikey 4 (U2F) compatibility issue with 5.12

Post by Dukeswharf » Mon Jul 04, 2016 5:14 am

Note:

Upgrading to version 5.13.1 did not resolve the issue either.
Duke

Craig@Invincea
Sandboxie Support
Posts: 3523
Joined: Thu Jun 18, 2015 3:00 pm
Location: DC Metro Area

Re: Yubico Yubikey 4 (U2F) compatibility issue with 5.12

Post by Craig@Invincea » Mon Jul 04, 2016 9:40 am

There is no issue. I'm assigned an Invincea Yubikey for SBIE and LP. I use it daily.

In 5.12 or the beta 5.13.1

I just used it this morning to log on my Invincea laptop with my LP vault on that machine. Both in SBIE and outside of SBIE.

You should always do a reset of the Yubikey outside of the sandbox, as that needs to communicate with the Yubikey driver on the host.
This is impossible within the sandbox for security reasons [modifying settings of a driver or installing a driver in a sandbox is not permitted].

Otherwise, I would direct you back to LP and Yubikey.

Processes like this as well as updates, should be done that way.

You then use the Yubikey / browser as normal in the sandbox.

Using LP 4.1.17. Yubikey software installed on the host. SBIE 51.2 Win 10. Chrome 64.

Craig@Invincea
Sandboxie Support
Posts: 3523
Joined: Thu Jun 18, 2015 3:00 pm
Location: DC Metro Area

Re: Yubico Yubikey 4 (U2F) compatibility issue with 5.12

Post by Craig@Invincea » Mon Jul 04, 2016 9:43 am

Dukeswharf wrote:
Note:

Upgrading to version 5.13.1 did not resolve the issue either.

I would refer you back to LP/Yubikey. Unless the change logs state we addressed a problem you're having, why would you complicate matters and do that by downgrading? Again, there is zero issue with Yubikey and LP.

Maybe reinstall the key driver on your host? Reinstall LP and the extension? Reinstall Chrome? Confirm that all works outside the sandbox.

Then use the key as normal from within the sandbox. Again, there are no issues here. Any resets to the key, browsers, extension, etc. should be done outside the sandbox. This goes for installing any related programs such as LP and extensions; they should not be installed in the sandbox, only on the host.

Dukeswharf
Posts: 20
Joined: Mon Nov 08, 2010 6:33 am

Re: Yubico Yubikey 4 (U2F) compatibility issue w 5.12 [SOLV

Post by Dukeswharf » Mon Jul 04, 2016 10:20 am

Hi Craig,

This issue is Not solved!

I have a 4+ year old Yubikey, which I use to log into Lastpass, which works with Chrome in or out of Sandboxie. And I have a Yubikey 4 (U2F) key, purchased in December 2015, that definitely doesn't work if Chrome is run inside Sandboxie.

If I check my U2F key at demo.yubico.com/u2f on Chrome, running inside Sandboxie (5.13.1), I get:
Traceback (most recent call last):
  File "/root/python-u2flib-server-demo/examples/yubiauth_server.py", line 161, in __call__
    raise Exception("FIDO Client error: %s" % error)
Exception: FIDO Client error: 5 (TIMEOUT)
But if I do the same with Chrome running outside of Sandboxie, I get:
Verified Device
Yubikey 4

Login Data
username: Dukeswharf
password:

Registration Data
origin: https://demo.yubico.com
version: U2F_V2
challenge: F6jd192odQ_tS8gfeUvD3O1vE5aRzBbKnmdeOmuqdRg
appId: https://demo.yubico.com

Response Data
clientData: {"typ":"navigator.id.finishEnrollment","challenge":"F6jd192odQ_tS8gfeUvD3O1vE5aRzBbKnmdeOmuqdRg","origin":"https://demo.yubico.com","cid_pubkey":"unused"}

Attestation Certificate
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1432534688 (0x5562bea0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Yubico U2F Root CA Serial 457200631
Validity
Not Before: Aug 1 00:00:00 2014 GMT
Not After : Sep 4 00:00:00 2050 GMT
Subject: CN=Yubico U2F EE Serial 1432534688
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
ASN1 OID: prime256v1
X509v3 extensions:
1.3.6.1.4.1.41482.2:
1.3.6.1.4.1.41482.1.5
1.3.6.1.4.1.45724.2.1.1:
...
Signature Algorithm: sha256WithRSAEncryption
Again, I am running the latest version of Chrome version 51.0.2704.106 m (64-bit).
Duke

Syrinx
Sandboxie Guru
Posts: 621
Joined: Fri Nov 13, 2015 4:11 pm

Re: Yubico Yubikey 4 (U2F) compatibility issue w 5.12 [SOLV

Post by Syrinx » Mon Jul 04, 2016 1:02 pm

Hi! I'm not familiar with the Yubico Yubikey but you could try using the resource manager in Sandboxie and then start Chrome and look for any entries that might be related under \Device\Hid (with your key attached and attempting to use it though I don't know if it will even show up) and see if they have an X or empty area to the left of them. Even if they don't have an X, you may need to create a rule to allow that related entry through to work with your device if it's not currently functioning properly inside SBIE. After creating an OpenPipePath rule [in the GUI this is under Resource Access > File Access > Full Access] for it and closing out Chrome, try it again and it should then be open and have an O. If that still doesn't work or nothing shows up related to the key maybe you could share the resource manager output or a procmon log so we can see if anything else catches my eye.
http://goo.gl/p8qFCf
https://www.youtube.com/watch?v=vIxWgVOCexU
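
Added example, not part of the post above or of Sandboxie itself: one way to turn the monitor check described there into narrowly scoped rules. The line layout (`type flag path`), the sample entries and the name `candidate_rules` are assumptions constructed for illustration; `OpenPipePath=program.exe,path` is the per-program form of the setting the post names.

```python
import re

# Constructed sample in an ASSUMED layout "<type> <flag> <path>", where the
# flag is O (open), X (blocked) or absent, matching the markers the post
# describes. These are not real device names.
SAMPLE_MONITOR_LINES = r"""
Pipe    O  \Device\NamedPipe\constructed_pipe
Pipe    X  \Device\Hid\constructed-entry-0001
Pipe       \Device\Hid\constructed-entry-0002
Pipe    O  \Device\Hid\constructed-entry-0003
File/Key   \Device\HarddiskVolume2\Users\example\file.txt
Pipe    X  \Device\Hid\constructed-entry-0001
""".strip().splitlines()

# type, optional one-letter flag, then an NT path starting with a backslash
LINE_RE = re.compile(r"^(?P<type>\S+)\s+(?:(?P<flag>[OX])\s+)?(?P<path>\\\S.*)$")


def candidate_rules(lines, program="chrome.exe", prefix="\\Device\\Hid"):
    """Return one OpenPipePath rule per entry under `prefix` that is not open.

    Each rule names the exact path and is limited to `program`, instead of
    opening every entry under the prefix to every program in the sandbox.
    """
    rules = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a monitor entry in the assumed layout
        path = m.group("path").rstrip()
        if not path.startswith(prefix):
            continue  # unrelated resource, leave it sandboxed
        if m.group("flag") == "O":
            continue  # already passes through, no rule needed
        rule = f"OpenPipePath={program},{path}"
        if rule not in rules:  # the monitor can list an entry repeatedly
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_MONITOR_LINES):
        print(rule)
```

Each emitted rule gives the sandboxed Chrome process direct access to that device, so add only the entry that belongs to the key and leave the others closed.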

Guest10
Posts: 5133
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Re: Yubico Yubikey 4 (U2F) compatibility issue w 5.12 [SOLV

Post by Guest10 » Mon Jul 04, 2016 2:20 pm

Can't login w/Firefox or Cyberfox, unsandboxed or sandboxed.
Yubikey NEO not opening a tab in my browser, for authentication.

Others report that the LastPass login server has been down.
Reports of problems from Chrome and Firefox users.
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Firefox, Thunderbird
Sandboxie user since March 2007
