Yubico Forum
https://forum.yubico.com/

YubiKey 4 and yubico-piv-tool
https://forum.yubico.com/viewtopic.php?f=35&t=2386

Author:  rgurley [ Thu Aug 04, 2016 4:41 pm ]
Post subject:  YubiKey 4 and yubico-piv-tool

I have three questions related to setting up a YubiKey 4 with the yubico-piv-tool.

1) I tried to use ECCP384 on my 9a slot, but ssh was not successful. Is it possible to configure openssh to accept ECCP384, or am I limited to RSA keys if I want to use the key for ssh authentication?

2) The PIV tool seems unable to generate 4096-bit RSA keys. Are the PIV slots limited to 2048-bit keys, or is this a limitation of the yubico-piv-tool?

3) The instructions for configuring the key for Android code signing (https://developers.yubico.com/yubico-pi ... gning.html) indicate that slot 9a is to be used. However, the information on certificate slots (https://developers.yubico.com/PIV/Intro ... slots.html) indicates that slot 9c is for "signing files and executables." Is the slot used in the Android instructions incorrect?

Author:  ChrisHalos [ Fri Aug 05, 2016 12:40 am ]
Post subject:  Re: YubiKey 4 and yubico-piv-tool

(1) OpenSSH 5.7 and later should be able to accept ECC P-384 keys.

(2) That's correct, the PIV specification doesn't list 4096 RSA as a supported algorithm, so the PIV Tool and PIV Manager do not support it either. If NIST adds this as a supported algorithm, we will update both tools to support it as well (obviously only on the YK4, the NEO cannot handle 4096).

(3) I'm not sure, but I can check with the development team. OS X code signing, for example, requires both 9a and 9c (https://developers.yubico.com/yubico-pi ... gning.html)

Author:  rgurley [ Mon Aug 08, 2016 4:20 am ]
Post subject:  Re: YubiKey 4 and yubico-piv-tool

1) Okay, I tried again. I should clarify: the part where I fail is trying to extract the key for ssh after importing the certificate.

ssh-keygen -D /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -e -v
debug1: manufacturerID <OpenSC (www.opensc-project.org)> cryptokiVersion 2.20 libraryDescription <Smart card PKCS#11 API> libraryVersion 0.0
debug1: label <PIV_II (PIV Card Holder pin)> manufacturerID <piv_II> model <PKCS#15 emulate> serial <my serial number?> flags 0x40d
C_GetAttributeValue failed: 18
debug1: X509_get_pubkey failed or no rsa
no keys

Looking at the man pages, I see:

-D pkcs11
Download the RSA public keys provided by the PKCS#11 shared
library pkcs11. When used in combination with -s, this option
indicates that a CA key resides in a PKCS#11 token (see the
CERTIFICATES section for details).

Based on that it seems ssh-keygen assumes RSA here. I'm going to dig around a bit more looking for a way to get eccp384 to work, but if that fails, I'll just use the rsa2048.

2) Okay, that makes sense.

3) Thanks, I look forward to clarification.
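Added example, not part of the thread: a stdlib-only helper that triages `ssh-keygen -D <module> -e -v` output like the one posted above. It decodes the PKCS#11 return code that ssh-keygen prints as a bare decimal (18 is CKR_ATTRIBUTE_TYPE_INVALID) and pairs it with the "no rsa" line to give a diagnosis; the sample log is the posted output re-typed with a constructed placeholder serial.

```python
import re

# PKCS#11 CKR_* return codes (values from the PKCS#11 v2.20 spec); ssh-keygen prints them in decimal.
CKR_NAMES = {
    0x05: "CKR_GENERAL_ERROR", 0x06: "CKR_FUNCTION_FAILED",
    0x12: "CKR_ATTRIBUTE_TYPE_INVALID", 0x13: "CKR_ATTRIBUTE_VALUE_INVALID",
    0x30: "CKR_DEVICE_ERROR", 0xA0: "CKR_PIN_INCORRECT", 0xE0: "CKR_TOKEN_NOT_PRESENT",
}
ATTR_RE = re.compile(r"C_GetAttributeValue failed: (\d+)")
LABEL_RE = re.compile(r"debug1: label <([^>]*)>")


def triage_ssh_keygen_pkcs11(output: str) -> dict:
    """Summarise a failed `ssh-keygen -D <module> -e -v` run: token label,
    decoded PKCS#11 error, and a one-line diagnosis."""
    label = LABEL_RE.search(output)
    attr = ATTR_RE.search(output)
    code = int(attr.group(1)) if attr else None
    r = {
        "token": label.group(1) if label else None,
        "ckr": code,
        "ckr_name": CKR_NAMES.get(code, "CKR_0x%02X (unlisted)" % code) if code is not None else None,
        "no_keys": "no keys" in output,
    }
    if code == 0x12 and "no rsa" in output:
        # The key object lacks an attribute ssh-keygen requested, and ssh-keygen
        # reports "no rsa": consistent with a non-RSA (e.g. ECC) key in the slot
        # that this ssh-keygen build does not download over PKCS#11 (see its man page).
        r["diagnosis"] = "non-RSA key in slot; this ssh-keygen only downloads RSA keys via -D"
    elif code == 0xA0:
        r["diagnosis"] = "PIN rejected by the PKCS#11 module"
    elif code == 0xE0 or r["token"] is None:
        r["diagnosis"] = "no token seen by the PKCS#11 module; check reader, card and module path"
    elif r["no_keys"]:
        r["diagnosis"] = "module loaded but exported no usable keys; check the certificate in the slot"
    else:
        r["diagnosis"] = "no PKCS#11 failure recognised in this output"
    return r


# Constructed sample: the posted output, with a placeholder serial number.
SAMPLE_OUTPUT = """\
debug1: manufacturerID <OpenSC (www.opensc-project.org)> cryptokiVersion 2.20 libraryDescription <Smart card PKCS#11 API> libraryVersion 0.0
debug1: label <PIV_II (PIV Card Holder pin)> manufacturerID <piv_II> model <PKCS#15 emulate> serial <0000000000000000> flags 0x40d
C_GetAttributeValue failed: 18
debug1: X509_get_pubkey failed or no rsa
no keys
"""

if __name__ == "__main__":
    print(triage_ssh_keygen_pkcs11(SAMPLE_OUTPUT))
```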

Author:  mouse008 [ Sun Aug 21, 2016 4:47 am ]
Post subject:  Re: YubiKey 4 and yubico-piv-tool

ChrisHalos wrote:
(2) That's correct, the PIV specification doesn't list 4096 RSA as a supported algorithm, so the PIV Tool and PIV Manager do not support it either. If NIST adds this as a supported algorithm, we will update both tools to support it as well (obviously only on the YK4, the NEO cannot handle 4096).

Could you clarify - what's the largest RSA key that YubiKey 4 can support now? And that PIV Manager supports too?

ChrisHalos wrote:
(3) I'm not sure, but I can check with the development team. OS X code signing, for example, requires both 9a and 9c (https://developers.yubico.com/yubico-pi ... gning.html)

Chris, the URL you referred to provides incomplete information. First, you need to add not only CHUID, but also CCC, which can be done with
Code:
yubico-piv-tool -a set-chuid -a set-ccc

Second, standard OpenSC tokend is not likely to work properly - you need an OpenSC fork https://github.com/mouse07410/OpenSC.tokend.git

Author:  ChrisHalos [ Mon Aug 22, 2016 4:57 pm ]
Post subject:  Re: YubiKey 4 and yubico-piv-tool

Max RSA on PIV is still currently 2048 (covered in NIST Special Publication 800-53, believe the newest public version is revision 4).

You're most likely correct on that front (CCC in OSX). I will chat with the developer who wrote the instructions and see about updating the steps.

Author:  mouse008 [ Mon Aug 29, 2016 2:43 am ]
Post subject:  Re: YubiKey 4 and yubico-piv-tool

ChrisHalos wrote:
Max RSA on PIV is still currently 2048 (covered in NIST Special Publication 800-53, believe the newest public version is revision 4).

Even on YubiKey 4? It won't take/generate 3072-bit RSA keys? That's a pity. It's NIST SP 800-73, and yes - the latest revision is 4 (as I understand, YubiKey implements Rev 3).

ChrisHalos wrote:
You're most likely correct on that front (CCC in OSX). I will chat with the developer who wrote the instructions and see about updating the steps.

Thank you. But it's not "most likely" (verified by extensive testing against OpenSC.tokend, Thursby PKard, and Centrify Express), and it's not "in OSX" (as Windows-8 did not like this token at all until CCC was set up). Maybe you can squeak by on Linux with "bare" OpenSC, I haven't tried that.
