Yubico Forum

Hello.

I am a new customer of Yubico, just bought Yubikey NEO and now trying to figure out how to deal with that cool stuff First of all sorry for future mistakes as english is not my native language...

Now I want to ask some questions with summary that I understood as I can't find this all in one place:

1. As I understood NEO has 2 slots for OTP+U2F and five slots for applets use with 2005 bytes max? Or this is only for PIV but for openpgp it hase 3 slots?

2. Are slots(2) for OTP/U2F and slots(5) for PIV(PGP?) separate so I can use maximum 3 functions of NEO like OTP + static + PIV? for CCID can be active only one applet from choice of PGP and PIV? As I see 5 applets and as I understood from some posts on forum 1-2-3 applets servicing two slots(in OTP/U2F mode) and 4-5(PGP+PIV) works only in CCID mode with separate store space for objects?

3. I can't understand one more thing... for offline use should I choose Challenge-Response mode with HMAC-SHA1 only? (except static pass)

4. Is there any way to use NEO for many sites like Google/Dropbox and etc(with Yubico Authentificator for Android) + PAM for OS X only from 1 slot? I got confused about operation with C-R and different targets to use with. (as second slot will be busy for static pass only..)

5. Downloaded OpenSC, yubico-piv-tool to try them with TrueCrypt(VeraCrypt) thought PKCS#11 support. I have chosen opensc pkcs11 library, clicking Manage Security Tokens, enters pin for PIV applet and see 3 objects: Cardholder Fingerprints, Printed Information, Cardholder Facial Image , but I can't imort nor export new objects(keys)! - FUNCTION NOT SUPPORTED. When trying to use one of that 3 keys - GENERAL ERROR . I thought that I need to make new manage key + generate some private key by piv tool - made that, but I don't see it... As I see on google other people is using smart cards through opensc with truecrypt , so there is no problem with truecrypt, but with support of NEO with opensc? or I need to make some type of setup or setup NEO for openpgp use ?

Thanks in advance for your answers!
To Yubico team - there is lack of materials about YubiKey for dummies...

Hi again. I want to answer by myself for some questions and some of them make more concrete.

5. I understood the problem with VeraCrypt/TrueCrypt and YubiNEO. (Maybe forum admin should stick this info for future users): We have got a chain with Yubikey in CCID mode(PIV applet or PGP) - OpenSC library in the middle - Truecrypt/Veracrypt PKCS#11. Truecrypt/Veracrypt wish to work with object storage in NEO key through PIV applet, NEO is ok with such objects as I understand, thats why I can see 3 stores called Cardholder Fingerprints, Printed Information, Cardholder Facial Image. But problem is located in the OpenSC lib and how it works with NEO! This lib can't work with objects(e.g. key files, photos or etc) that is needed by Truecrypt/Veracrypt, so we(all who want this stuff to work) need to ask OpenSC community to fix this ! There is a lib in Internet called openpgp-pkcs11.so(or something like that, on german site), as I see through other forums it works fine with TC/VC , but is only available to Linux/Windows OSes. Beside that of course we can still use static password, but this is not "so cool" and that is! Because PKCS11 feature will not give all benefits as by TC/VC it is used only like a file container for key file(e.g. like flash drive, but with PIN and read-only), so it can be stolen same way like your static password

About questions 1-2-3-4:
-- I have understood that there is 3 applets that depends on slot 1/2 + 2 applets (PIV and PGP) that depends on 2005bytes of data for 5 slots, right? May I use both PGP and PIV or only one of them?
-- If one of slots is busy with static password, can I use second one for multiple purposes like PAM Challenge-Response for OS X + same Challenge-Response for other sites through Android Authenticator ?

Thanks in advance

Oh, and one more small question - can I change which slot to "see" through NFC from my phone? Or only to reprogram it from my computer?

Ideal way to use my single key:
1 - static pass
2 - PAM auth for OS X(or other OSes)
3 - challenge-response for some sites(google, dropbox and etc?)
4 - CCID applet (will decide later which to use PGP or PIV)

Hello,

I'll partially reply your thread. There is a lot of documentation available at developers.yubico.com and yubico.com/documentation that answers the majority of your questions.

All Yubikeys comes with 2 configuration slot for the "OTP" part. Use the Yubico Cross Platform personalization tool to configure slot 1 and 2.
Your Yubikey could be configured for example with:
slot 1 = Yubico OTP
slot 2 = HMAC-SHA1 CR

The CCID part of the Yubikeys allows you to talk with the applets installed on the Yubikey NEO. OpenPGP OATH and PIV. The configuration slot have nothing to do with these applets.
Using U2F does not consume a configuration slot, and you can use the same Yubikeys "unlimited" amount of times for U2F registering on any service provider offering U2F.

The PIV slots are relative to the PIV applet and each of them holds the proper cert for signing, authentication etc. Read the documentation about PIV to understand the meaning of PIV "slots".

Thank you, Tom! I almost got all answers for my questions, but I want clarify some points.

I understood all about OTP part about 2 slots.
What about using OpenPGP OATH and PIV applets in parallel ? I can use only one active from them or OATH+PIV or PGP+PIV can be used at same time? (about PIV slots I understood about 9A-9E slots with 2005bytes overall data)

and in that case i can use such scenario for me:

OTP part:
slot 1: static pass for TrueCrypt and etc(like 1Password)
slot 2: HMAC-SHA1 CR for PAM with OSes
U2F part:
for gmail and sites, that support U2F
CCID part:
PIV or(and?) PGP applet
And what about YubiOATH ?

Am I right, Tom? Trying to choose most efficient scenario

And it seems that U2F is only used by Google... (plus YouTube, OpenSSH, Linux PAM and that is almost all)

Thanks for replies! And Tom, maybe you can add about TC/VC and PKCS#11 to sticky thread? As this questions I see through forum too often, but without real answers. Only about that TC is too old and about static pass or why OTP can't be used.

You can use any applet at any time, unless the NEO is busy doing something else.

For example:
You can run an SSH session authenticating yourself using the OpenPGP applet and then you can run Remote Desktop and authenticate using the PIV applet against a window server.

Sticky posts are only for HOW TO guides written properly with scoped topic. If you are willing to write one, we'll make it sticky viewtopic.php?f=26&t=919

Thank you, Tom. About HOW-TO - I will write it as soon as I can use pkcs on any of OSes(but will need some grammar help)

About applets now I understood almost all But what about free space for each of applet? PIV has 2005 bytes, PGP has 3 slots for keys as I understood, but there is must be some limitation ? and space for applets sharable or each applet has it's own protected from other applets free space?

Some answers for my questions have found here: viewtopic.php?f=33&t=1628#p6419

so there is only a few last:

1 - free space for PGP and PIV applets and if it shared or protected for each applet
2 - Can I use YubiOATH(it is U2F?) for sites that need Yubico OTP? (like this forum). Or how to get into here when I will delete Yubico OTP from slot 1?
3 - Can I use same HMAC-SHA1 CR for more then one PAM OS (like for 2-3 laptops)

Tom? Anybody? Please, just last few questions

OATH is a separate set of standards from U2F
http://www.openauthentication.org/

No you cannot use U2f or OATH for this website, yet. As i explained below OTP and smartcard are 2 separate part of the same device. There are no configuration slot on the smartcard side ...OATH, PIV, OPENPGP neither for U2F is not going to "consume" a configuration slot.

And yes your Yubikey in HMAC SHA1 can be used on multiple machine, why it wouldn't ?