Yubico Forum

Re: [Question] Upon too many PIV/Key management failures. Er

2017-10-09T19:26:56+01:00

Very nice. Thanks for letting me know.

Statistics: Posted by Morthawt — Mon Oct 09, 2017 7:26 pm

Re: [Question] Upon too many PIV/Key management failures. Er

2017-10-09T19:25:26+01:00

Three attempts to verify the PIN and the PIN is blocked. Three attempts to verify the PUK and the PUK is blocked. At this point the only option is to reset the PIV applet. Management Key is the only thing that can hypothetically be brute-forced, but the person with the management key can't use the certificate that's stored on the YubiKey. They would have to generate a new one to use the key. All scenarios are basically covered on our developer website. Recommend you start with https://developers.yubico.com/PIV/Intro ... ccess.html

There is no way to render the PIV applet completely useless (otherwise lots of customers will experiment, lock the PIV applet permanently, and demand a replacement). This isn't like a basic smart card where you lock it and you have to throw it away and buy another one. There are several other manufacturers that offer those.

Statistics: Posted by ChrisHalos — Mon Oct 09, 2017 7:25 pm

[Question] Upon too many PIV/Key management failures. Erase?

2017-10-04T18:38:30+01:00

If someone tries to use certs I have in my PIV, for, code signing say. They try and try and try, I assume it gets locked right? Are there any conditions where the Yubikey will "maliciously" (desired) destroy the key upon too many failures or anything? Or does it just "choose" to deny the usage of the contained keys and rely on the protection of the secure element to hopefully prevent forced physical access to the key information?

Clarification would be very helpful to know what is what.

Thanks.

Statistics: Posted by Morthawt — Wed Oct 04, 2017 6:38 pm