YubiKey NEO and OpenPGP key generation and loading on Windows

This is an attempt at a “quick start” guide for properly generating OpenPGP keys and loading them into your YubiKey NEO on Windows. This isn’t an exhaustive guide, and more advanced users may choose to do things differently than I have demonstrated here. This is my way, and I know it works.

If you’re going to do anything with the OpenPGP functionality of the YubiKey NEO, you need the latest stable of Gpg4win, available here. You also need your NEO in CCID mode. See previous posts on this subject. Also note that the YubiKey NEO only supports 2048-bit keys. Larger keys will not work. Smaller keys may or may not work.

After following this guide, you will have an OpenPGP 2048-bit key pair with sub-keys for encryption and authentication, a revocation certificate, a backup of your keys, and the secret keys loaded on to the appropriate slots on the YubiKey NEO.

YubiCo’s guide to this process is posted here. When I walked through their guide I noticed it was missing some steps. So I wrote this guide to fill in the blanks and be more descriptive.

Generating your initial key pair

Open a command prompt and run:

gpg --expert --gen-key

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
Your selection? 8

For ‘kind of key’, select 8 (RSA: Set your own capabilities)

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt

(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished

Your selection?

Now select ‘e’ to toggle off the encrypt capability, so that ‘Current allowed actions’ shows only Sign and Certify. Then select ‘q’ to move on.

Make sure you select a 2048 bit key, and then continue through the wizard to complete your key pair generation.

Take note of your 8-character key ID. You will need it for future steps.

Adding the sub-keys

You need to add two sub-keys; one for encryption, and one for authentication.

From the command line, run (where keyID is your 8-character key ID):

gpg --expert --edit-key keyID

Now, type:

addkey

Select 8 again, just like above, and then toggle abilities so you have an encryption-only key. Make sure you generate a 2048-bit key.

Repeat addkey one last time, and toggle abilities so you have an authentication-only key.

Then q to quit, and y to save changes.

Backing up the keys

Run each of the following commands to back up your public key and secret key, and to create a revocation certificate, where keyID is your 8-character key ID:

gpg --output public.asc -a --export keyID
gpg --output secret.asc -a --export-secret-key keyID
gpg --output revoke.asc -a --gen-revoke keyID

Moving the keys to the YubiKey

Run the following command:

gpg --expert --edit-key keyID

Then type toggle. You have sub-keys 1 and 2, and 0 represents the main key. For each of the sub-keys (1 and 2), type key followed by the sub-key number (such as key 1) to select that key, and then use keytocard to move it to your YubiKey (after handling key 1, you have to type key 1 again to unselect it before selecting key 2). Keys 1 and 2 will only have one choice of where to put them. Afterwards, type key 0 and keytocard it to the signature slot.
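As an added pre-flight check (example code written for this post, not from the original guide or from Yubico), the following Python script parses the machine-readable listing from gpg --with-colons --list-keys keyID and confirms the key has the layout this guide produces (2048-bit RSA throughout, primary key sign+certify only, one encryption-only and one authentication-only sub-key) before you run keytocard; the embedded sample listing is constructed, not captured from a real key.

```python
"""Pre-flight check for the key layout this guide builds, run before keytocard:
a 2048-bit RSA primary key that is sign+certify only, plus one encryption-only
and one authentication-only RSA subkey, also 2048 bits (YubiKey NEO limit)."""
import sys

NEO_KEY_BITS = 2048   # the YubiKey NEO only accepts 2048-bit keys
RSA_ALGO_ID = "1"     # OpenPGP public-key algorithm 1 = RSA

# Constructed sample listing (not from a real key), in the colon format of
# `gpg --with-colons --list-keys`: type, validity, bits, algorithm, key ID,
# ..., and the key's capabilities in field 12.
SAMPLE_LISTING = """\
pub:u:2048:1:0123456789ABCDEF:1420070400:::u:::scESCA::::::23::0:
uid:u::::1420070400::0000000000000000000000000000000000000000::Example User <user@example.com>::::::::::0:
sub:u:2048:1:FEDCBA9876543210:1420070400::::::e::::::23:
sub:u:2048:1:1122334455667788:1420070400::::::a::::::23:
"""


def parse_keys(listing):
    """Return (primary, subkeys); each key is a dict with bits, algo, keyid, caps."""
    primary, subkeys = None, []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub"):
            continue
        # Lowercase letters are this key's own capabilities; the uppercase
        # letters on the pub record summarise the whole key and are ignored.
        caps = "".join(sorted(c for c in f[11] if c.islower()))
        key = {"bits": int(f[2]), "algo": f[3], "keyid": f[4][-8:], "caps": caps}
        if f[0] == "pub":
            primary = key
        else:
            subkeys.append(key)
    return primary, subkeys


def check_neo_layout(listing):
    """Return a list of problems; an empty list means the key is ready for keytocard."""
    primary, subkeys = parse_keys(listing)
    if primary is None:
        return ["no public key record found"]
    problems = []
    for k in [primary] + subkeys:
        if k["algo"] != RSA_ALGO_ID:
            problems.append(f"{k['keyid']}: not RSA (algorithm {k['algo']})")
        if k["bits"] != NEO_KEY_BITS:
            problems.append(f"{k['keyid']}: {k['bits']} bits, NEO needs {NEO_KEY_BITS}")
    if primary["caps"] != "cs":
        problems.append(f"primary {primary['keyid']}: caps '{primary['caps']}', expected sign+certify only")
    subcaps = sorted(k["caps"] for k in subkeys)
    if subcaps != ["a", "e"]:
        problems.append(f"subkey caps {subcaps}, expected exactly one 'e' and one 'a'")
    return problems


if __name__ == "__main__":
    # Pipe in the output of `gpg --with-colons --list-keys <keyID>`; with no input the sample is checked.
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    print("\n".join(check_neo_layout(listing) or ["OK: layout matches YubiKey NEO requirements"]))
```

On Windows: gpg --with-colons --list-keys keyID | python check_neo_key.py (file name is your choice).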

Card errors: If you get a card error, IO error, or anything like that, quit gpg (saving any changes), quit Kleopatra, quit YubiCo Authenticator (if you’re running it), and then open Task Manager and kill any gpg-agent or gpg-* processes. Run this:

gpg --card-status

If this comes back with data (and not an error), then run this again and continue:

gpg --expert --edit-key keyID

Integration with PuTTY / Pageant: This is something I haven’t explored yet, but this walk-through seems to deal with the topic quite well.

YubiKey NEO Quick-Start on Windows

This is a continuation of my previous post on YubiKey.

In order for the most painless “Quick Start” of YubiKey on Windows, you will need a few tools:

First, the YubiKey NEO Manager, available here, will enable you to toggle the various modes (OTP, CCID, U2F) of your YubiKey on and off. Since the YubiKey ships with only OTP mode enabled, you will need this to turn on CCID (SmartCard) and U2F (Fido) mode. This will also let you check and verify the installed apps on your NEO, once you’ve enabled CCID mode. (Important: Check the version of your OpenPGP app. If it is 1.0.9 or lower, read this security advisory and take appropriate action).

Second, the YubiKey Personalization Tool, available here, will enable you to personalize the various configuration slots of your YubiKey. There are two slots available, and slot 1 is programmed with the YubiCo OTP (or RSA key, depending). It is strongly advised not to overwrite slot 1 unless you really know what you are doing. You can program slot 2 for whatever other implementation you would like. Please note that these two slots are independent of the applets that run on the CCID side of the card. Although that may be slightly confusing, it will be clear as you use your key.

Third, the YubiKey NEO contains the YubiOATH applet for generating those familiar 6-digit OTP codes that various websites use as two-factor authentication. Your YubiKey NEO can store many of those 6 digit codes and secrets in the key itself, but it requires the YubiOATH-desktop helper app, available here. This helper app is required because OATH codes are time-based, and the YubiKey has no internal clock. Also, this requires that CCID mode is enabled.

If you have anything to contribute, please do so in the comments below, or contact me using the form. 

Hello, YubiKey NEO

I have one of the 2nd generation YubiKeys, and I really liked it, but the new YubiKey NEOs have many new features, including PGP, OTP codes, U2F, NFC, etc. I liked the original YubiKey (although there aren’t too many places where you can use it), but the new YubiKey really interested me. So I got myself one.

One of the problems that I ran into was a lack of “Quick start” documentation for the various features of the YubiKey, such as OTP, PGP, etc. The documentation is either too vague, or too complicated.

I’m going to attempt to write some blog posts to help users get started with their YubiKeys in the same manner that I got started with mine, covering the various features, to help you get up and running as quickly as possible and with as few headaches as possible.

So, if you’re interested, subscribe and watch for new posts.

MMS settings for Windows Phone (and others) on Cricket Wireless

If you have an unlocked Windows Phone operating on Cricket Mobile, and are having issues sending or receiving MMS messages, change the settings of your phone to the below.

All Settings > cellular+SIM > View internet APN. Verify the following (ignore unlisted fields):

  • APN: ndo
  • Auth type: PAP
  • IP type: IPv4

If settings differ from the above, go to SIM Settings > Manual Internet APN > edit internet APN, and enter as above. Leave any unlisted fields blank.

Next, tap edit MMS APN, and set as below:

  • APN: ndo
  • Auth type: PAP
  • WAP gateway: proxy.aiowireless.net
  • WAP gateway port: 80
  • MMSC (URL): http://mmsc.aiowireless.net/
  • MMSC port: 80
  • Max MMS size: 10240
  • IP type: IPv4 (This setting wasn’t provided by Cricket, but the default of IPv4v6 will not work. It must be IPv4.)

These settings were confirmed with Cricket prior to publishing. If you would rather contact Cricket to get the settings directly from them, you may do so.

Windows Phone visual voicemail is currently not supported on Cricket. I recommend YouMail with the ISeeVM app as an alternative.

Taking my business away from Amazon.com

I’m sorry. Sort of. It’s not me, it’s you.

Amazon.com has been a longstanding favorite online shopping site of mine for quite a while. I have a number of other category-specific sites that I use (NewEgg, etc) for specific merchandise, but Amazon has been my general go-to for quite a while. Unfortunately, the last order I placed never made it to my door, and a little research has shown that not only is this a fairly common issue, but for me, it’s going to cause a huge issue with future orders. More than I’m comfortable with.

So my last order never made it to my door. When Amazon provided the tracking number, it started with TBA and listed a carrier of AMZN_US. There’s absolutely nowhere to track this package. And what’s laughable is they state AMZN_US as the carrier for Amazon Fresh.

After one “delayed” update, I wrote Amazon asking for tracking information one more time and instead of giving me any information, they gave me a partial refund. I wrote them again after it was updated to “delivered,” and they gave me a refund. No more questions asked.

After doing a bit of web-searching, it turns out that to save shipping costs, Amazon bulk ships to local warehouses and has couriers run the deliveries. That’s a bit of an issue, as my address doesn’t show correctly on any map. Apple maps, Google maps, Garmin GPS, nowhere. Anywhere you look will give you the wrong location. USPS, FedEx, UPS all get boxes to my door just fine. They know where the place is, but if you go by GPS you’ll never find it. I figured the courier would have called me, but no.

Amazon offered to replace the order via 2-day delivery, but Amazon Prime members have the same complaint — that packages aren’t making it to their doors. So that’s unreliable for me as well.

If Amazon would simply ship via a common carrier, each and every time, it would get delivered no problem. Or if they gave me a choice as to which carrier I wanted to use. No choice on carrier, just on delivery time. And since 2-day shipping is still sometimes run by courier, the “choice” is irrelevant.

I found out later that if you give a PO Box address, Amazon will ship via USPS. Great! Wonderful! I go out and get a PO Box, and put together another order for something I need for work, plus a few small other things to meet the add-on item requirement, and then I see this message as I’m going through checkout:

“Sorry, this item can’t be shipped to your selected address.”

That’s for two of the four items on my order. Not all the add-on items, only some of them. The two physically smallest things on my order can’t be shipped to a PO Box. They’re all shipped by Amazon.

So, Amazon, you can’t deliver a consistent shopping experience for me. Time to shop elsewhere.

Skype randomly zooming during video calls

First, a little background. I was on a Skype call a short time ago and noticed that Skype would randomly zoom in and zoom out during the call. It seemed to happen at random, and I couldn’t figure out why, nor could I find any way of controlling it.

My Asus T100’s camera does have a user-controllable zoom, but it is zoomed all the way out when this is happening. It does not have face-following, a feature commonly blamed for this issue in Skype.

Here’s a shot of the Video Settings dialog in Skype, for anyone interested.

After some digging around the web, I’ve found a logical chain of forum posts that seem to indicate what the issue is, and point to a potential fix.

First, this blog post from another user who had the same issue; he worked around it by installing and using ManyCam. This did work to resolve the issue, but it requires ManyCam to be running and adds the extra resources that it requires. If you decide to go this route, I strongly recommend careful reading during the ManyCam installer. It’s full of add-ons.

Second, this thread on yCombinator suggests a few things: 1) that lack of bandwidth is causing Skype to switch the camera to a lower resolution, resulting in the zoom; and 2) that lack of movement in portions of the camera’s image is causing it to zoom. Theory 1 seems more plausible.

Third, this post on the Skype forums suggests that Skype’s video resolution can be forced by editing an xml file. Quoted with edits:

It’s impossible to change either the capture or stream video resolution in the Skype GUI. But the capture resolution can be changed by adding for example this:

<Video>
<CaptureWidth>1280</CaptureWidth>
<CaptureHeight>960</CaptureHeight>
</Video>

directly under the <Lib> tag in %AppData%\Skype\shared.xml. The other supported resolutions also work. Check that it works from Call -> Call Technical Info.

Of course, make sure that you are forcing a resolution that your camera supports, that your PC has enough processing power to support, and that you have sufficient bandwidth for. Otherwise, you will experience undesirable effects. 640×480 is a good choice for many. 1280×720 would require a webcam capable of 720p HD capture. A 1.2 MP camera could give a resolution of 1280×960.

I used 1280×960 above as my camera is 1.2 megapixel. However, in my Call Technical Info, my camera is capturing at 1280×720, and zoom is correct. In one instance the camera zoomed in, and the Call Technical Info showed that it was capturing at 240×360. The zoom is definitely connected to the capture resolution, but changing the xml settings does not guarantee that Skype will force the resolution under all (or any) circumstances.

I’m also going to add that this is directly targeted at Skype for Desktop, not the Windows 8 app. If you are able to try this, please let me know your results. 

How to save browser link URLs to disk

(I realize this is far from being a new thing, but I also know that some people don’t know how to do this, so I’m going to explain this for today’s lucky 10,000.)

I have a lot of very useful bookmarks, as I’m sure many of you readers do as well. I also tend to use more than one web browser. It’s a huge pain to constantly export/import bookmarks across browsers, back up favorites before re-installing an OS, etc. What if you could just have your favorites saved to disk, and use them however and whenever you wanted? That would be great.

Firefox and Chrome both have features where you can sync your bookmarks to their cloud services, but that only works with that one browser.

So, actually, you can save them to disk. And I’m not talking about saving the page to disk (via file > save). No. Not that. That saves the whole page and all of the content to your disk. No. I’m talking about saving just the link. Not in a text file, but in a simple file you can double-click to open in your web browser.

Sounds awesome, right? It is.

So here’s how you do it. In your favorite web browser, just locate the page favicon (that’s what that little icon next to the web address is called. It’s a favicon.) and drag it to your desktop, or other such folder. Screenshots below for Internet Explorer and Chrome:

Now you can save those files anywhere you want, even in places such as Dropbox, OneDrive, etc. Even a USB stick.

OneDrive users: If your link does something unexpected when you double-click on it (like trying to print), make sure it’s an Offline file. Right-click your link and select Make available offline. You can select multiple files and do this to many at once, or even an entire folder.

XBox 360 popping crackling sounds over HDMI solved

If you have an XBox 360 hooked up to your TV over HDMI, you very well may experience popping, crackling, or static sounds while playing games.

It took me a bit of Googling to find the solution to this problem. Most people think it’s bad HDMI ports, cables, interference, or something else. In fact, I found the simplest solution (and the correct one) was to go into the console settings, under sound, and notice that the XBox by default is configured for Dolby 5.1 surround sound. On a 2-speaker system, this is not correct and will result in distorted sound. Change this setting to digital stereo and that will solve the issue.

How to do a full system bare-metal backup in Windows 8

The Windows “Backup and Restore” utility that was present in the control panel in Windows 7 could easily do full-system bare-metal backup and restore. Unfortunately, this tool was removed from the control panel in Windows 8.

However, it looks like that tool is still present on the hard drive and can be used. Here’s how to find it.

Click Start, and in the search box, type SDCLT.EXE. Right-click the result and click Run as Administrator.

As always, a test restore is good practice.

Comments are welcomed below!

Manually uninstalling Echolink from Windows 8

If you are running Windows 8, and installed the Echolink software using its incompatible installer, and then subsequently uninstall it, you will break your Start screen (as shown here). You will then have to do a System Restore to get your Start screen restored, but that will re-install the software.

If you manually uninstall Echolink using the method below, you can then extract and run Echolink using the method described in this post.

Here are the steps to remove all traces of the Echolink software from your PC:

  1. You might want to create a system restore point from Control Panel > System > System Protection > Create... before proceeding, just in case.
  2. Delete the desktop icon.
  3. Done! (Just kidding)
  4. Right-click on the Start screen icon and select “Unpin from Start” (NOT uninstall. Seriously.)
  5. Run regedit.exe (Caution: Editing the registry is risky. Pay close attention and make a backup before making any changes if you aren’t confident in your changes.)
  6. (Optional) Delete the registry branch at [HKEY_CURRENT_USER\Software\K1RFD]. — It looks like Echolink stores some settings here and it is safe to leave this key in place if you plan to run it standalone.
  7. For a 32-bit system, I found the uninstall keys in the registry at [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DC33421C-0E1C-470A-BE37-7B7C82677812}]. Delete that branch of keys. Verify Echolink is no longer listed in Control Panel > Programs and Features for uninstallation.
  8. For a 32-bit system, delete the C:\Program Files\K1RFD directory.
  9. For a 64-bit system, look under
    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\]. Find the branch of keys under there that refers to Echolink and delete it. DON’T delete the entire Uninstall branch. (I didn’t run this on a 64-bit system, so I can’t give you the exact registry branch.) Verify Echolink is no longer listed in Control Panel > Programs and Features for uninstallation.
  10. For a 64-bit system, delete the C:\Program Files (x86)\K1RFD directory.
  11. (Optional) If you wish to delete your favorites, recorded QSOs, etc., delete C:\Users\<username>\Documents\Echolink. This directory is hard-coded into Echolink, so even if you run it standalone, it will still store data in this folder.

Please feel free to share your comments below. Thanks!
