1
0
mirror of https://github.com/Yubico/yubikey-val.git synced 2024-12-01 15:24:16 +01:00
yubikey-val/doc/Server_Replication_Protocol.adoc
2014-10-29 15:25:37 +01:00

71 lines
2.6 KiB
Plaintext

== Server Replication Protocol
This document describes the server to server protocol. Its purpose is
to synchronize the last used session and use counter between multiple
validation servers.
Multiple validations servers are connected together so that each
validation server can talk to any of the other validation server using
the Server Replication Protocol. The validation servers are
authenticated by the use of certificates.
val A <-> val B <-> val C <-> val A
See the ValidationProtocolV20 for definition of the client to server
protocol. The protocol described here is the server to server
protocol. See ValidationServerAlgorithm for a description of the
implementation algorithm that uses this protocol.
=== Sync request specification
A sync request is issued with a HTTP get call, like this:
https://apiX.yubico.com/wsapi/sync?otp=xyz&modified=1264430686&nonce=foobar&yk_identity=foo&yk_counter=42&yk_use=17&yk_high=10&yk_low=5
The following parameters are used
[options="header"]
|=============================
| parameter |type |values
| otp | string | one-time password (for logging purposes)
| modified | integer | unix timestamp of when OTP was received
| nonce | string | nonce from client request
| yk_identity | modhex | YubiKey OTP identity in question
| yk_counter | integer | last seen session counter by sender
| yk_use | integer | last seen session use by sender
| yk_high | integer | OTP internal high time value
| yk_low | integer | OTP internal low time value
|==============================
Input values for yk_counter, yk_use, yk_high and yk_low are always
positive except for -1 which indicates that the requesting server did
not have any earlier information about the !YubiKey.
An example response is
modified=1264430686
nonce=aspodkaaspdokas
yk_identity=cccccccccccf
yk_counter=api2 session counter
yk_use=api2 session use counter
yk_high=value
yk_low=value
The values returned are:
[options="header"]
|====================
| parameter |type |values
| modified | integer | timestamp of when last OTP was received
| nonce | string | nonce from client for last OTP
| yk_identity | modhex | YubiKey OTP identity in question
| yk_counter | integer | last seen session counter
| yk_use | integer | last seen session use
| yk_high | integer | last seen high time value
| yk_low | integer | last seen low time value
|========================
Output values for modified, yk_counter, yk_use, yk_high and yk_low are
always positive except for -1 which indicates that the server did not
have any earlier information about the YubiKey. In this case, nonce
is a newly allocated random nonce.