Yubico Forum
https://forum.yubico.com/

Neo CCID And PIV Independent?
https://forum.yubico.com/viewtopic.php?f=4&t=2585

Author:  PenguinGuru [ Tue Feb 28, 2017 6:10 pm ]
Post subject:  Neo CCID And PIV Independent?

I have been happily testing a Neo and everything is going well but I just wanted to make sure I understand the nature of CCID and PIV since I do not have any past experience with these technologies.

My understanding is that CCID is a protocol to serve PIV over USB, rather than the usual RFID connection (not sure what that protocol is). In this case, CCID would only ever really need to be enabled or disabled on the Neo; no other configuration should be necessary. PIV, on the other hand, uses asynchronous cryptography and can be configured by utilities like Gpg4win's Kleopatra. Once keys are loaded onto the Neo, the Neo will use the appropriate keys for the appropriate tasks, like signing software, signing emails, encrypting files, and unlocking a P.C. operating system. I understand that there are predefined key designators, which are presumably used to match the appropriate key for any given task. This justifies the limited key slot capabilities of most smartcards, since there would be a human interface to select a key for use if there are multiple keys of the same key type.

All of this makes sense to me, although I have not actually set it up yet, but I have also read that YubiKey's CCID functionality is somehow independent of the PIV functionality, which I do not understand. Is this true? If so, could someone explain the relationship to me? If it's not true, I hope this information will be useful to other users in the future.

Author:  ChrisHalos [ Wed Mar 01, 2017 2:52 am ]
Post subject:  Re: Neo CCID And PIV Independent?

They are not separate. CCID = all of the smart card functionality of the YubiKey NEO or YubiKey 4:
* PIV (the PIV applet is not open-source, so there is no page for the applet... https://developers.yubico.com/PIV/Intro ... d_PIV.html)
* Yubico Authenticator (https://developers.yubico.com/ykneo-oath/)
* OpenPGP (https://developers.yubico.com/ykneo-openpgp/)

Disabling CCID mode just stops it from showing up over USB (it still functions over NFC, YubiKey NEO only; this cannot be turned off). People typically choose to disable CCID if they aren't using any of these functions: fewer drivers to load, less possibility of compatibility issues (especially in Linux), and the LED behavior is different. You also don't have to deal with the device disconnect/connect sounds when sending an OTP (if CCID is disabled... doesn't apply to YubiKey 4).

Author:  PenguinGuru [ Thu Mar 02, 2017 6:47 pm ]
Post subject:  Re: Neo CCID And PIV Independent?

Ok, great. Thanks for clearing that up!

A couple of follow-up questions, if you have the time:

  1. How many and what types of PIV slots are available? This may become apparent during configuration but I have found some conflicting information from third-party sources, perhaps a result of their configuration models. I assume the same keys would be used over the radio interface.

  2. Which, if any, of these keys are used when authenticating to the authenticator applications (e.g. Windows, Linux, Android)?

Author:  ChrisHalos [ Fri Mar 03, 2017 12:22 am ]
Post subject:  Re: Neo CCID And PIV Independent?

Answers to both are linked above and available on our developers website.

1) All information about our implementation of PIV can be found here - https://developers.yubico.com/PIV/

Information about certificate slots is here - https://developers.yubico.com/PIV/Intro ... slots.html

2) PIV / OpenPGP / Yubico Authenticator (YubiOATH applet, if you want to be specific) / U2F / OTP - these are all autonomous

ykneo-oath is the OATH applet on the NEO where the "authenticator app" credentials get stored when using Yubico Authenticator. It is not related to PIV or OpenPGP keys/certificates.
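To make the "one CCID interface, several autonomous applets" answer concrete, here is an added example (not from this thread and not Yubico's own code) showing what the host actually does over CCID: it sends an ISO 7816-4 SELECT command carrying the Application Identifier (AID) of the applet it wants, and from then on talks only to that applet. The AIDs are the published values (NIST SP 800-73 for PIV, the OpenPGP card specification for OpenPGP, and the ykneo-oath project for the Yubico OATH applet); the card object is a constructed stand-in so the script runs with no reader or token attached.

```python
"""Selecting individual applets over a single CCID smart card channel.

Added example, not from the forum thread or Yubico.  The simulated card and the
'unknown' AID are constructed for illustration; the three applet AIDs are the
published ones for PIV, OpenPGP and Yubico OATH.
"""

# Published Application Identifiers of the three applets named in the thread.
PIV_AID = bytes.fromhex("A000000308")          # NIST SP 800-73 PIV card application
OPENPGP_AID = bytes.fromhex("D27600012401")    # OpenPGP card application
YUBICO_OATH_AID = bytes.fromhex("A0000005272101")  # ykneo-oath applet

# ISO 7816-4 status words used below.
SW_OK = 0x9000
SW_WRONG_LENGTH = 0x6700
SW_NOT_FOUND = 0x6A82           # "file or application not found"
SW_INS_NOT_SUPPORTED = 0x6D00

# Candidate AIDs a host might probe; the last one is a made-up AID that no applet owns.
CANDIDATES = {
    "PIV": PIV_AID,
    "OpenPGP": OPENPGP_AID,
    "OATH": YUBICO_OATH_AID,
    "unknown": bytes.fromhex("A000000000"),
}


def select_apdu(aid):
    """Build SELECT by DF name: CLA 00, INS A4, P1 04, P2 00, Lc, then the AID."""
    if not 5 <= len(aid) <= 16:
        raise ValueError("an AID is 5 to 16 bytes long")
    return bytes([0x00, 0xA4, 0x04, 0x00, len(aid)]) + bytes(aid)


def split_response(resp):
    """Separate response data from the trailing two-byte status word SW1 SW2."""
    if len(resp) < 2:
        raise ValueError("R-APDU must end with a status word")
    return resp[:-2], int.from_bytes(resp[-2:], "big")


class SimulatedCcidCard:
    """Constructed model of a token seen through CCID: several applets, one selected at a time.

    Each applet is keyed by its AID; the card has no notion of which task a key is for,
    it only knows which applet the host last selected.
    """

    def __init__(self, applets):
        self.applets = dict(applets)   # AID -> applet name
        self.selected = None           # AID of the currently selected applet

    def transmit(self, apdu):
        if len(apdu) < 5:
            return SW_WRONG_LENGTH.to_bytes(2, "big")
        cla, ins, p1, p2, lc = apdu[:5]
        if (cla, ins, p1, p2) != (0x00, 0xA4, 0x04, 0x00):
            return SW_INS_NOT_SUPPORTED.to_bytes(2, "big")  # only SELECT is modelled
        aid = apdu[5:5 + lc]
        if aid in self.applets:
            self.selected = aid
            return SW_OK.to_bytes(2, "big")
        self.selected = None
        return SW_NOT_FOUND.to_bytes(2, "big")


def probe_applets(card, candidates):
    """Try to SELECT each candidate AID and report which applets the card exposes."""
    found = {}
    for name, aid in candidates.items():
        _, sw = split_response(card.transmit(select_apdu(aid)))
        found[name] = (sw == SW_OK)
    return found


def usable_over_ccid(ccid_enabled, card, candidates):
    """Disabling CCID removes the whole transport, so every applet disappears together."""
    if not ccid_enabled:
        return {name: False for name in candidates}
    return probe_applets(card, candidates)


def neo_like_card():
    """A constructed NEO-style token carrying the three applets from the thread."""
    return SimulatedCcidCard({PIV_AID: "PIV", OPENPGP_AID: "OpenPGP", YUBICO_OATH_AID: "OATH"})


if __name__ == "__main__":
    card = neo_like_card()
    print("CCID enabled: ", usable_over_ccid(True, card, CANDIDATES))
    print("CCID disabled:", usable_over_ccid(False, card, CANDIDATES))
```

The point the thread makes falls out of the model: PIV, OpenPGP and OATH are reachable only because the CCID transport is up, yet each is a separate application with its own AID and its own state, so selecting or configuring one says nothing about the others. Against a real token the `transmit` call would go through a PC/SC reader instead of the simulated class; the APDU bytes themselves are unchanged.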
