Yubico Forum


All times are UTC + 1 hour

PostPosted: Tue Feb 28, 2017 6:10 pm 

Joined: Tue Feb 28, 2017 4:17 pm
Posts: 5
I have been happily testing a Neo and everything is going well but I just wanted to make sure I understand the nature of CCID and PIV since I do not have any past experience with these technologies.

My understanding is that CCID is a protocol to serve PIV over USB, rather than the usual RFID connection (not sure what that protocol is). In this case, CCID would only ever really need to be enabled or disabled on the Neo; no other configuration should be necessary. PIV, on the other hand, uses asynchronous cryptography and can be configured by utilities like Gpg4win's Kleopatra. Once keys are loaded onto the Neo, the Neo will use the appropriate keys for the appropriate tasks, like signing software, signing emails, encrypting files, and unlocking a P.C. operating system. I understand that there are predefined key designators, which are presumably used to match the appropriate key for any given task. This justifies the limited key slot capabilities of most smartcards, since there would be human interface to select a key for use if there are multiple keys of the same key type.

All of this makes sense to me, although I have not actually set it up yet, but I have also read that YubiKey's CCID functionality is somehow independent of the PIV functionality, which I do not understand. Is this true? If so, could someone explain the relationship to me? If it's not true, I hope this information will be useful to other users in the future.


PostPosted: Wed Mar 01, 2017 2:52 am 
Yubico Team

Joined: Thu Oct 16, 2014 3:44 pm
Posts: 349
They are not separate. CCID = all of the smart card functionality of the YubiKey NEO or YubiKey 4:

* PIV (the PIV applet is not open-source, so there is no page for the applet... https://developers.yubico.com/PIV/Intro ... d_PIV.html)
* Yubico Authenticator (https://developers.yubico.com/ykneo-oath/)
* OpenPGP (https://developers.yubico.com/ykneo-openpgp/)

Disabling CCID mode just stops it from showing up over USB (it still functions over NFC, YubiKey NEO only; this cannot be turned off). People typically choose to disable CCID if they aren't using any of these functions: fewer drivers to load, less possibility of compatibility issues (especially in Linux), and the LED behavior is different. You also don't have to deal with the device disconnect/connect sounds when sending an OTP (if CCID is disabled... doesn't apply to YubiKey 4).

PostPosted: Thu Mar 02, 2017 6:47 pm 

Joined: Tue Feb 28, 2017 4:17 pm
Posts: 5
Ok, great. Thanks for clearing that up!

A couple of follow-up questions, if you have the time:

  1. How many and what types of PIV slots are available? This may become apparent during configuration but I have found some conflicting information from third-party sources, perhaps a result of their configuration models. I assume the same keys would be used over the radio interface.

  2. Which, if any, of these keys are used when authenticating to the authenticator applications (e.g. Windows, Linux, Android)?

PostPosted: Fri Mar 03, 2017 12:22 am 
Yubico Team

Joined: Thu Oct 16, 2014 3:44 pm
Posts: 349
Answers to both are linked above and available on our developers website.

1) All information about our implementation of PIV can be found here - https://developers.yubico.com/PIV/

Information about certificate slots is here - https://developers.yubico.com/PIV/Intro ... slots.html

2) PIV / OpenPGP / Yubico Authenticator (YubiOATH applet, if you want to be specific) / U2F / OTP: these are all autonomous.

ykneo-oath is the OATH applet on the NEO where the "authenticator app" credentials get stored when using Yubico Authenticator. It is not related to PIV or OpenPGP keys/certificates.
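A way to verify the two points above on your own hardware (that a disabled CCID mode means no PC/SC reader appears, and that PIV, OATH and OpenPGP are independent applets that each answer their own SELECT). This is an added example, not code from Yubico or from the thread; it assumes the pyscard package (`smartcard` module) with a running PC/SC service, and the applet AIDs are the published PIV, Yubico OATH and OpenPGP values, stated here as assumptions rather than taken from the thread.

```python
"""Probe which CCID applets a YubiKey exposes over USB via PC/SC (added example)."""

# Applet identifiers (AIDs). Public values from the PIV, Yubico OATH and
# OpenPGP card specifications; treated as assumptions in this example.
APPLETS = {
    "PIV": bytes.fromhex("A000000308"),        # PIV RID (partial-AID select)
    "OATH": bytes.fromhex("A0000005272101"),   # Yubico OATH (ykneo-oath)
    "OpenPGP": bytes.fromhex("D27600012401"),  # OpenPGP card applet
}


def select_apdu(aid: bytes) -> list:
    """Build an ISO 7816-4 SELECT-by-AID APDU: CLA=00 INS=A4 P1=04 P2=00 Lc AID."""
    if not 1 <= len(aid) <= 16:
        raise ValueError("AID length must be 1..16 bytes")
    return [0x00, 0xA4, 0x04, 0x00, len(aid)] + list(aid)


def decode_sw(sw1: int, sw2: int) -> str:
    """Map the status word returned by SELECT to a short verdict."""
    if (sw1, sw2) == (0x90, 0x00) or sw1 == 0x61:  # 61xx: success, more data waiting
        return "present"
    if (sw1, sw2) == (0x6A, 0x82):                  # file/applet not found
        return "absent"
    return "error %02X%02X" % (sw1, sw2)


def probe_applets(connection) -> dict:
    """SELECT each applet over an open PC/SC connection; each one answers on its own."""
    results = {}
    for name, aid in APPLETS.items():
        _data, sw1, sw2 = connection.transmit(select_apdu(aid))
        results[name] = decode_sw(sw1, sw2)
    return results


def main():
    from smartcard.System import readers  # lazy: helpers above need no pyscard
    found = readers()
    if not found:
        # No CCID reader at all: CCID mode is disabled on the key, or PC/SC is not running.
        print("no smart card readers found (is CCID mode enabled?)")
        return
    for reader in found:
        conn = reader.createConnection()
        conn.connect()
        print(reader, probe_applets(conn))
        conn.disconnect()


if __name__ == "__main__":
    main()
```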
