Yubico Forum https://forum.yubico.com/ |
|
YubiKey 4 and NEO - how to use RESET code? https://forum.yubico.com/viewtopic.php?f=26&t=2147 |
Page 1 of 1 |
Author: | mouse008 [ Mon Jan 04, 2016 4:41 am ] |
Post subject: | YubiKey 4 and NEO - how to use RESET code? |
Code: gpg --card-edit has the option "4 - set the Reset Code". It appears to work, at least both tokens (NEO and 4) accept this command and prompt me for the new Reset code.The question is - where/when/how can one use it? There doesn't seem to be any application that accepts it??? Please explain how and at what circumstances that code can be used, and what its consequences are: does it just reset the PINs and PIN retry counters? Or does it wipe the entire applet content? Or...? |
Author: | SporkWitch [ Tue Sep 27, 2016 1:15 am ] |
Post subject: | Re: YubiKey 4 and NEO - how to use RESET code? |
mouse008 wrote: Code: gpg --card-edit has the option "4 - set the Reset Code". It appears to work, at least both tokens (NEO and 4) accept this command and prompt me for the new Reset code.The question is - where/when/how can one use it? There doesn't seem to be any application that accepts it??? Please explain how and at what circumstances that code can be used, and what its consequences are: does it just reset the PINs and PIN retry counters? Or does it wipe the entire applet content? Or...? I suspect it's a duress code, and will test later (came across your post while trying to find confirmation before testing practically). That is, it's _not_ one you would ever be prompted for, its purpose is rather to _immediately_ wipe the contents upon entry. Normally you have the configured number of PIN entry attempts before the card locks, followed by the configured number of PUK entry attempts to unlock and change the PIN. If I'm right, the reset code would _immediately_ wipe the contents of card, rather than requiring all those attempts. The idea is that if someone is holding a gun to your head, they can't torture the PIN out of you if you've already wiped it, and even if they have a lab capable of _trying_ to extract the keys, they wouldn't be there anymore to try. |
Author: | ChrisHalos [ Tue Sep 27, 2016 5:47 am ] |
Post subject: | Re: YubiKey 4 and NEO - how to use RESET code? |
Reset Code is set with: gpg --card-edit admin passwd 4 [follow prompts from here - you just need to know the Admin PIN at this point, which is 12345678 if you haven't changed it from the default] For a description of the Reset Code, please see the specifications that the OpenPGP applet is based off of (http://www.g10code.com/docs/openpgp-card-2.0.pdf), in particular page 15. The reset code (or "resetting code" as it's referred to in the documentation) is kind of like the Admin PIN, except the ONLY function it provides is to allow you to reset your PIN if you've locked it out. It can't be used for actually editing the card. It's intended for admins (who know the Admin PIN) to prepare the card for their user, and by providing both the PIN and the Reset Code, it gives the user control over the PIN (and the ability to reset it). If it's for personal / single-user use, the Reset Code isn't really necessary (and that's why there isn't one by default on the YubiKey). The NEO actually improperly reports that there is a Reset Code counter (look at the PIN retry counter field when you run gpg --card-status or gpg --card-edit - it's the middle number). The YubiKey 4 correctly reports this as - by default, as there is no Reset Code by default. |
Author: | SporkWitch [ Tue Sep 27, 2016 10:39 am ] |
Post subject: | Re: YubiKey 4 and NEO - how to use RESET code? |
ChrisHalos wrote: Reset Code is set with: gpg --card-edit admin passwd 4 [follow prompts from here - you just need to know the Admin PIN at this point, which is 12345678 if you haven't changed it from the default] For a description of the Reset Code, please see the specifications that the OpenPGP applet is based off of (http://www.g10code.com/docs/openpgp-card-2.0.pdf), in particular page 15. The reset code (or "resetting code" as it's referred to in the documentation) is kind of like the Admin PIN, except the ONLY function it provides is to allow you to reset your PIN if you've locked it out. It can't be used for actually editing the card. It's intended for admins (who know the Admin PIN) to prepare the card for their user, and by providing both the PIN and the Reset Code, it gives the user control over the PIN (and the ability to reset it). If it's for personal / single-user use, the Reset Code isn't really necessary (and that's why there isn't one by default on the YubiKey). The NEO actually improperly reports that there is a Reset Code counter (look at the PIN retry counter field when you run gpg --card-status or gpg --card-edit - it's the middle number). The YubiKey 4 correctly reports this as - by default, as there is no Reset Code by default. Thanks for clarifying. That said, a duress code might be something to look into in the future (it's a very practical function to have, and present on most high-end security devices, both military and civilian). |
Author: | ChrisHalos [ Tue Sep 27, 2016 6:34 pm ] |
Post subject: | Re: YubiKey 4 and NEO - how to use RESET code? |
https://github.com/Yubico/ykneo-openpgp/pull/43 |
Page 1 of 1 | All times are UTC + 1 hour |
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/ |