Yubico Forum

The OpenPGP card applet in the Yubikey NEO only supports 2048 bit RSA keys. Is there any plan to support larger keys and EC keys?

"opensc-tool --list-algorithms" indicates that the Yubikey NEO is capable of:


Is there any plan to accommodate larger key sizes in the hardware, such as 4096 bit RSA?

.

No, only 2048.

No plans for more currently.

_________________
-Tom

Don't trust OpenSC on this - it is apparently wrong. It seems that 2048+ RSA is not supported by the card (I wish it did 3k) and ECC requires more work on GnuPG side, still. Non-NIST curves in GnuPG is another problem point.

If you can withstand the trouble of changing your PGP keys, changes to the appelt can be done independently from Yubico.

_________________
OpenKMS GlobalPlatform - simple way to manage applications on your NEO
Applet Playground - explore open source JavaCard applications
PGP: 0x307E3452

The Yubikey NEO is using a NXP SmartMX P5CD081, right? The hardware supports 4k RSA keys and ECC (though you're right about the GnuPG ECC/non-NIST support... no point in chasing that).

Is there any reason I'm not seeing that this couldn't be fixed in the applet?

The same way my CPU can handle (in theory) 2^64 of memory, yet it pracitcally handles a bunch of gigabytes which in turn is limited by the motherboard support and number of slots.

At least according to "public specs" the JCOP chip can't do more than 2k, maybe there is some proprietary extension in JCOP that allows to do some, but then again, you'd be able to take the "NDA your grandma" approach to get that. You can't initiate a key with a bigger bit size than 2k according to JC.

Have a look at http://www.fi.muni.cz/~xsvenda/jcsupport.html

Support for ECC is a different story.

_________________
OpenKMS GlobalPlatform - simple way to manage applications on your NEO
Applet Playground - explore open source JavaCard applications
PGP: 0x307E3452

Hello,

Just to clear the confusion, it's based on the a700x chip from nxp (http://www.nxp.com/products/identificat ... AMILY.html) so it's limited to 2048 bit RSA and 320 bit ecc over gf(p).

/klas

Thanks for clearing that up. (I'm sorry for muddying the waters; I was working off of what the NXP TagInfo app reported.)

The OpenPGP applet doesn't have ECC support, let alone for 320-bit keys.

The PIV applet depending on which version you have might support ECC, but only 256-bit keys. Not 320-bit keys. When will a PIV applet or similar be available that can use 320-bit ECC keys (PKCS#11/X.509)?

Is it possible to use secp256k1 curve or other 256-bit curves rather than the secp256r1 curve which is rumored to be backdoored by the NSA?

Similarly is it possible to use Koblitz or other curves at key-sizes greater than 256-bits (up to 320-bits) such as K-283, brainpoolP320r1, or brainpoolP320t1? Would the hardware support these and it's just a matter of the software (applets) to implement/use them?

I believe RSA2048, which is equivalent to 112-bit symmetric key, and ECC P-256, which is equivalent to 128-bit symmetric key, may be insufficient for some uses. For example the US Government requires key-lengths of 192 or greater for highly sensitive data. I guess this is not a requirement for most YubiKey users nor a goal of Yubico, but it would be nice to have on-par security especially if the hardware supports it and it's just a software development issue. It could also be a boon to Yubico to sell into government areas, all though this will probably need improvements in other areas as well, such as tamper-resistance.

Hello,

For the openpgp applet we've held off on ecc support since there is no spec and gnupg 2.1 is still so much in flux. When there is stable software supporting smartcard with ecc there we plan to revisit this.

For PIV only two ecc curves are defined secp256r1 and secp384r1, of those only secp256r1 can run in the Neo (since it only support curves up to 320 bit). So implementing other curves here would break with the spec and supporting software..

In experiments we've run a couple of other curves:
brainpoolp256r1
brainpoolp256t1
brainpoolp320r1
gost2001
secp256k1
secp256r1
frp256v1

other curves might work as well, though not tested by us.

/klas

and as a follow-up, we've published the test applet for those curves at: https://github.com/Yubico/ykneo-curves

pull requests with more curves are ofcourse welcome.

/klas