Clarification request regarding the support of Yubikey Neo / 4


Clarification request regarding the support of Yubikey Neo / 4

Jean-Pierre Münch

Hello everyone,

I've searched the internet for quite some time now and couldn't find a satisfying / understandable answer, so I figured I could ask here.

I've read that the Yubikey 4 and the Yubikey Neo have a "PIV" application which is supported via OpenSC, so I really would like to have answers to the following (simple) questions:

  • What is the authoritative document / website that documents the procedure that enables the PIV application on the Yubikeys?
  • Once the PIV application is enabled, is it possible to use the Yubikey as a normal PKCS#11 smart card? If not, what operations (if any) are exposed via PKCS#11? (e.g. use the PKCS#11 library for signing and decrypting stuff on-card with RSA / ECDH / ECDSA)
  • Assuming you can use the Yubikey as an ordinary PKCS#11 smart card, does it support PKCS#11 (-tool) / PKCS#15 (-tool) / custom-tool-based key import?

I really hope you can help me with these three questions.

Best Regards

JPM


------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity
planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: Clarification request regarding the support of Yubikey Neo / 4

Vincent Le Toux
Hi,

You have to enable the CCID feature of the yubikey, then enable the PIV applet (not the default).
Last time I did it, it took me some time to find the right program.
Maybe it is this one:
https://www.yubico.com/products/services-software/personalization-tools/use/

regards,
Vincent

2016-05-28 22:16 GMT+02:00 Jean-Pierre Münch <[hidden email]>:
--
Vincent Le Toux

My Smart Logon
www.mysmartlogon.com

------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity
planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: Clarification request regarding the support of Yubikey Neo / 4

Douglas E Engert


On 5/28/2016 3:16 PM, Jean-Pierre Münch wrote:

Hello everyone,

I've searched the internet for quite some time now and couldn't find a satisfying / understandable answer, so I figured I could ask here.

I've read that the Yubikey 4 and the Yubikey Neo have a "PIV" application which is supported via OpenSC, so I really would like to have answers to the following (simple) questions:

  • What is the authoritative document / website that documents the procedure that enables the PIV application on the Yubikeys?

Getting the NEO to use the PIV application would be listed on the yubico.com web site.
Note that the Yubikey was designed to do many different applications, accessed by USB or NFC.

https://developers.yubico.com/yubico-piv-tool/YubiKey_PIV_introduction.html
https://developers.yubico.com/PIV/Tools/YubiKey_PIV_Manager.html
https://www.yubico.com/why-yubico/for-individuals/computer-login/yubikey-neo-and-piv/


The PIV application on the NEO is designed to implement the NIST 800-73 standards.
Google for NIST 800-73.
For PKCS#11 access, really the 800-73-3 part 1 and part 2.

The Yubikey PIV Manager or yubico-piv-tool can then be used to generate keys on the NEO, create certificate requests and load certificates. You need to supply the CA.

https://github.com/OpenSC/OpenSC/wiki/US-PIV
https://github.com/OpenSC/OpenSC/wiki/PivTool

The OpenSC piv-tool is a more basic tool that can do most of the above once you know the 3DES or AES key for the card. NIST did not standardize the functions needed by a Card Management system, so every vendor's card is different. The user interface for using a card with certs and keys already installed is standardized.

  • Once the PIV application is enabled, is it possible to use the Yubikey as a normal PKCS#11 smart card? If not, what operations (if any) are exposed via PKCS#11? (e.g. use the PKCS#11 library for signing and decrypting stuff on-card with RSA / ECDH / ECDSA)

Yes, you can do all of these. NIST defines 4 certs/keys for the card: one for authentication, one for digital signature, RSA or ECDH, one for decryption/encryption (if EC, it can do key derivation, ECDH) and a 4th cert/key that does not require a PIN, for the card to authenticate itself. Usable for door locks for example, and can be used over NFC.

  • Assuming you can use the Yubikey as an ordinary PKCS#11 smart card, does it support PKCS#11 (-tool) / PKCS#15 (-tool) / custom-tool-based key import?

As I said, the NIST standards left card management up to the vendors. So generating keys, writing certificates and other objects are not supported by the OpenSC pkcs11-tool or pkcs15-tool. You need to use piv-tool or yubico-piv-tool. You also need to know the 3DES or AES key of the card to do any of the card management functions. The yubico-piv-tool can reset a NEO and load a new 3DES or AES key.
i.e. the Yubikey was designed for an end user to initialize a card with their own keys and certs.

P.S.
Once you get at least the authentication cert/key and a CHUID on the card, you can use the card with Windows without any other software. Windows comes with a PIV driver. The yubico-piv-tool can create a CHUID (which has a GUID).

I really hope you can help me with these three questions.

Best Regards

JPM




-- 

 Douglas E. Engert  [hidden email]
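Douglas's answer leans on two objects a host sees once a card is initialized: the four PIV key references (only the card-authentication key works without a PIN) and the CHUID with its GUID, which Windows and PACS readers use to identify the card. The following is an added example, not code from the thread, from OpenSC or from Yubico: a small BER-TLV parser that decodes a CHUID data object as returned by the PIV GET DATA command and applies the sanity checks a host or PACS backend would want before trusting the GUID. The CHUID layout follows SP 800-73 (tag 0x30 FASC-N, 0x34 GUID, 0x35 expiration as ASCII YYYYMMDD, 0x3E issuer asymmetric signature, 0xFE error detection code). The sample CHUID bytes and the GUID inside it are constructed for this example; the PIV_KEYS table simply restates the four key references Douglas describes.

```python
"""BER-TLV decoding of a PIV CHUID (added example; not OpenSC or Yubico code).

Reading the CHUID is standardized (GET DATA on tag 5FC102); writing it is the
vendor-specific card management Douglas describes and needs the management key.
"""
from __future__ import annotations

import uuid

# The four PIV key references from SP 800-73 as Douglas summarises them.
# Only 9E (card authentication) is usable without a PIN, so a door lock that
# accepts 9E is trusting the card, not the card holder.
PIV_KEYS = {
    0x9A: {"name": "PIV Authentication", "pin": True},
    0x9C: {"name": "Digital Signature", "pin": True},
    0x9D: {"name": "Key Management", "pin": True},
    0x9E: {"name": "Card Authentication", "pin": False},
}


def parse_tlv(data: bytes) -> list[tuple[int, bytes]]:
    """Decode a flat sequence of BER-TLV elements into (tag, value) pairs.

    Handles multi-byte tags (first byte with the low five bits set, e.g.
    5F C1 02) and definite lengths in short form (< 0x80) or long form
    (0x81 nn, 0x82 nn nn). Indefinite and truncated encodings are rejected.
    """
    items = []
    i, n = 0, len(data)
    while i < n:
        tag = data[i]
        i += 1
        if tag & 0x1F == 0x1F:  # subsequent tag bytes follow while bit 8 is set
            while True:
                if i >= n:
                    raise ValueError("truncated tag")
                tag = (tag << 8) | data[i]
                i += 1
                if not data[i - 1] & 0x80:
                    break
        if i >= n:
            raise ValueError("missing length")
        first = data[i]
        i += 1
        if first < 0x80:
            length = first
        elif first == 0x80:
            raise ValueError("indefinite length not allowed in PIV objects")
        else:
            num = first & 0x7F
            if num > 4 or i + num > n:
                raise ValueError("bad long-form length")
            length = int.from_bytes(data[i:i + num], "big")
            i += num
        if i + length > n:
            raise ValueError(f"value for tag {tag:#x} runs past end of data")
        items.append((tag, data[i:i + length]))
        i += length
    return items


def encode_tlv(tag: int, value: bytes) -> bytes:
    """Inverse of parse_tlv for one element (used to build test input)."""
    tag_bytes = tag.to_bytes((tag.bit_length() + 7) // 8, "big")
    n = len(value)
    if n < 0x80:
        return tag_bytes + bytes([n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return tag_bytes + bytes([0x80 | len(lb)]) + lb + value


def parse_chuid(data: bytes) -> dict:
    """Return the CHUID fields; accepts the bare TLVs or the 0x53 GET DATA wrapper."""
    fields = parse_tlv(data)
    if len(fields) == 1 and fields[0][0] == 0x53:
        fields = parse_tlv(fields[0][1])
    by_tag: dict[int, bytes] = {}
    for tag, value in fields:
        if tag in by_tag:
            raise ValueError(f"duplicate tag {tag:#x} in CHUID")
        by_tag[tag] = value
    guid = by_tag.get(0x34)
    if guid is None or len(guid) != 16:
        raise ValueError("CHUID has no 16-byte GUID")
    exp = by_tag.get(0x35)
    if exp is None or len(exp) != 8 or not exp.isdigit():
        raise ValueError("CHUID expiration must be 8 ASCII digits (YYYYMMDD)")
    if 0xFE not in by_tag:
        raise ValueError("CHUID missing error detection code")
    return {
        "fascn": by_tag.get(0x30, b""),
        "guid": uuid.UUID(bytes=guid),
        "expiration": exp.decode("ascii"),
        # A self-initialized card usually carries an empty issuer signature,
        # so a PACS that keys on the GUID is trusting an unauthenticated value.
        "signed": len(by_tag.get(0x3E, b"")) > 0,
    }


# Constructed sample: 25-byte FASC-N placeholder, made-up GUID, unsigned.
SAMPLE_GUID = uuid.UUID("0123456789abcdef0123456789abcdef")
SAMPLE_CHUID = (
    bytes([0x30, 0x19]) + bytes(range(0xD4, 0xD4 + 25))
    + bytes([0x34, 0x10]) + SAMPLE_GUID.bytes
    + bytes([0x35, 0x08]) + b"20300101"
    + bytes([0x3E, 0x00])
    + bytes([0xFE, 0x00])
)

if __name__ == "__main__":
    info = parse_chuid(encode_tlv(0x53, SAMPLE_CHUID))
    print(f"GUID {info['guid']}  expires {info['expiration']}  signed={info['signed']}")
```

Point the parser at the raw bytes of a real GET DATA response for tag 5FC102 and it will reject a truncated or duplicated object instead of silently returning a GUID, which is the property you want in anything that gates access on that identifier.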
 


Re: Clarification request regarding the support of Yubikey Neo / 4

Ryan Chapman
Jean-Pierre,

I'll add that if you are looking for a quick way to test, you can use the proof of concept I put together at https://github.com/ryanchapman/piv-pacs-poc
The security a full card management system provides is missing, but it is good enough for quickly getting something that will work to test Windows auth, physical access control systems, etc.
Card programming was tested on Mac and Linux, and might also work on Windows with some effort. Since it's off topic for opensc, please send support questions to me directly or open a GitHub issue.

Ryan

On May 28, 2016, at 8:38 PM, Douglas E Engert <[hidden email]> wrote: