Yubico Forum ...visit our web-store at 2015-12-02T23:20:16+01:00 https://forum.yubico.com/feed.php?f=4&t=2094 2015-12-02T23:20:16+01:00 2015-12-02T23:20:16+01:00 https://forum.yubico.com/viewtopic.php?t=2094&p=8044#p8044 <![CDATA[Re: [Not Resolved] Yubikey 4 - hardware changes?]]>
Quote:

→ pkcs11-tool --module $OPENSC_LIBS/opensc-pkcs11.so -T
Available slots:
Slot 0 (0x1): Yubico Yubikey 4 OTP+U2F+CCID
token label : PIV_II (PIV Card Holder pin)
token manufacturer : piv_II
token model : PKCS#15 emulated
token flags : rng, login required, PIN initialized, token initialized
hardware version : 0.0
firmware version : 0.0
serial num : 00000000000000


Quote:

→ pkcs11-tool --module $OPENSC_LIBS/opensc-pkcs11.so -M
Using slot 1 with a present token (0x1)
Supported mechanisms:
SHA-1, digest
SHA256, digest
SHA384, digest
SHA512, digest
MD5, digest
RIPEMD160, digest
GOSTR3411, digest
ECDSA, keySize={256,384}, hw, sign, other flags=0x1800000
ECDH1-COFACTOR-DERIVE, keySize={256,384}, hw, derive, other flags=0x1800000
ECDH1-DERIVE, keySize={256,384}, hw, derive, other flags=0x1800000
RSA-X-509, keySize={1024,3072}, hw, decrypt, sign, verify
RSA-PKCS, keySize={1024,3072}, hw, decrypt, sign, verify
SHA1-RSA-PKCS, keySize={1024,3072}, sign, verify
SHA256-RSA-PKCS, keySize={1024,3072}, sign, verify
SHA384-RSA-PKCS, keySize={1024,3072}, sign, verify
SHA512-RSA-PKCS, keySize={1024,3072}, sign, verify
MD5-RSA-PKCS, keySize={1024,3072}, sign, verify
RIPEMD160-RSA-PKCS, keySize={1024,3072}, sign, verify


Quote:

→ pkcs11-tool --module $OPENSC_LIBS/opensc-pkcs11.so -t -l -p MY_PIN
Using slot 1 with a present token (0x1)
C_SeedRandom() and C_GenerateRandom():
seeding (C_SeedRandom) not supported
seems to be OK
Digests:
all 4 digest functions seem to work
MD5: OK
SHA-1: OK
RIPEMD160: OK
Signatures (currently only RSA signatures)
testing key 0 (PIV AUTH key)
all 4 signature functions seem to work
testing signature mechanisms:
RSA-X-509: OK
RSA-PKCS: OK
SHA1-RSA-PKCS: OK
MD5-RSA-PKCS: OK
RIPEMD160-RSA-PKCS: OK
SHA256-RSA-PKCS: OK
Verify (currently only for RSA):
testing key 0 (PIV AUTH key)
RSA-X-509: ERR: C_Verify() returned CKR_GENERAL_ERROR (0x5)
Unwrap: not implemented
Decryption (RSA)
testing key 0 (PIV AUTH key)
RSA-X-509: OK
RSA-PKCS: OK
1 errors

Statistics: Posted by Jasper — Wed Dec 02, 2015 11:20 pm

]]> 2015-12-02T21:33:14+01:00 2015-12-02T21:33:14+01:00 https://forum.yubico.com/viewtopic.php?t=2094&p=8043#p8043 <![CDATA[Re: Yubikey 4 - hardware changes?]]>
Regarding the PKCS#11: PKCS#11 is only the C interface, there is no "internal PKCS#11" signature generation. Maybe you mean the PIV applet that is compatible with PKCS#11.

Here is some info from pkcs11-tool from OpenSC using the latest Yubikey Neo (with initialized PIV applet), I'd guess it will be similar in Yubikey 4 just with the RSA-4096. Strangely it claims RSA-3072 support, but there's apparently bug in the PIV applet I guess.

Someone may try this with Yubikey 4 and post comparison (I unfortunately ordered second Neo just few days before Yubikey 4 was announced).

With latest Yubikey Neo you'll get:

Code:
$ pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so -T

Available slots:
Slot 0 (0x1): Yubikey Neo+U2F 00 00
  token label        : PIV_II (PIV Card Holder pin)
  token manufacturer : piv_II
  token model        : PKCS#15 emulated
  token flags        : rng, login required, PIN initialized, token initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 00000000

$  pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so -M

Using slot 1 with a present token (0x1)
Supported mechanisms:
  SHA-1, digest
  SHA256, digest
  SHA384, digest
  SHA512, digest
  MD5, digest
  RIPEMD160, digest
  GOSTR3411, digest
  ECDSA, keySize={256,384}, hw, sign, other flags=0x1800000
  ECDSA-SHA1, keySize={256,384}, hw, sign, other flags=0x1800000
  ECDH1-COFACTOR-DERIVE, keySize={256,384}, hw, derive, other flags=0x1800000
  ECDH1-DERIVE, keySize={256,384}, hw, derive, other flags=0x1800000
  RSA-X-509, keySize={1024,3072}, hw, decrypt, sign, verify
  RSA-PKCS, keySize={1024,3072}, hw, decrypt, sign, verify
  SHA1-RSA-PKCS, keySize={1024,3072}, sign, verify
  SHA256-RSA-PKCS, keySize={1024,3072}, sign, verify
  MD5-RSA-PKCS, keySize={1024,3072}, sign, verify
  RIPEMD160-RSA-PKCS, keySize={1024,3072}, sign, verify

$ pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so -t -l -p MYPIN

Using slot 1 with a present token (0x1)
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only RSA signatures)
  testing key 0 (PIV AUTH key)
  all 4 signature functions seem to work
  testing signature mechanisms:
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
    SHA256-RSA-PKCS: OK
Verify (currently only for RSA):
  testing key 0 (PIV AUTH key)
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
Unwrap: not implemented
Decryption (RSA)
  testing key 0 (PIV AUTH key)
    RSA-X-509: OK
    RSA-PKCS: OK
No errors


Note that if you try to use functionality like sign/decrypt directly from pkcs11-tool, you'll need to specify exact mechanism (cipher), for some reason ECDSA signing breaks, but RSA works:

Code:
$ pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so -m RSA-X-509 -s -l -p MYPIN <<< "Stuff to sign"

Using slot 1 with a present token (0x1)
Using signature algorithm RSA-X-509
....binary stuff...

Statistics: Posted by hiviah — Wed Dec 02, 2015 9:33 pm

]]> 2015-11-18T01:44:21+01:00 2015-11-18T01:44:21+01:00 https://forum.yubico.com/viewtopic.php?t=2094&p=7987#p7987 <![CDATA[Re: Yubikey 4 - hardware changes?]]> NEO is based the NXP A700x chip, which according to the specifications only support RSA keys up to 2048 bits.

I am sure NFC will return once NXP upgrades their chips to allow for larger RSA keys.

Note: I am not Yubico representative, so I could very well be wrong.

Statistics: Posted by crawler — Wed Nov 18, 2015 1:44 am

]]> 2015-12-02T22:10:05+01:00 2015-11-17T03:12:49+01:00 https://forum.yubico.com/viewtopic.php?t=2094&p=7982#p7982 <![CDATA[[Not Resolved] Yubikey 4 - hardware changes?]]> https://www.yubico.com/2015/11/4th-gen-yubikey-4/
https://www.yubico.com/2015/11/yubico-docker-codesign/
https://www.yubico.com/products/yubikey ... /yubikey4/

1. Out of curiosity, what were the hardware changes made between the NEO/NEO-n and the 4/4-n that allowed for RSA 4096-bit keys and internal PKCS#11 signatures? And clarification: is the PKCS#11 support for docker only available in the 4/4-n models?

2. Also, is the lack of NFC capability on the Yubikey 4 due to having to source hardware from sources other than NXP? If not, what is the reason?

Thanks.

Statistics: Posted by brendanhoar — Tue Nov 17, 2015 3:12 am

]]>