Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 2:16 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 6 posts ] 
Author Message
PostPosted: Thu Aug 04, 2016 4:41 pm 
Offline

Joined: Mon Jul 25, 2016 5:11 am
Posts: 5
I have three questions related to setting up a YubiKey 4 with the yubico-piv-tool.

1) I tried to use ECCP384 on my 9a slot, but ssh was not successful. Is it possible to configure openssh to accept ECCP384, or am I limited to RSA keys if I want to use the key for ssh authentication?

2) The PIV tool seems unable to generate 4096 bit RSA keys. Are the piv slots limited to 2048 bit keys or is this a limitation of the yubico-piv-tool?

3) In the instructions for configuring the key for Android code signing (https://developers.yubico.com/yubico-pi ... gning.html) indicate slot 9a is to be used. However, the information on certificate slots (https://developers.yubico.com/PIV/Intro ... slots.html) indicate slot 9c is for "signing files and executables." Is the slot used in the Android instructions incorrect?


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Fri Aug 05, 2016 12:40 am 
Offline
Yubico Team
Yubico Team

Joined: Thu Oct 16, 2014 3:44 pm
Posts: 349
(1) OpenSSH 5.7 and should be able to accept ECC P-384 keys

(2) That's correct, the PIV specification doesn't list 4096 RSA as a supported algorithm, so the PIV Tool and PIV Manager do not support it either. If NIST adds this as a supported algorithm, we will update both tools to support it as well (obviously only on the YK4, the NEO cannot handle 4096).

(3) I'm not sure, but I can check with the development team. OS X code signing, for example, requires both 9a and 9c (https://developers.yubico.com/yubico-pi ... gning.html)


Top
 Profile  
Reply with quote  
PostPosted: Mon Aug 08, 2016 4:20 am 
Offline

Joined: Mon Jul 25, 2016 5:11 am
Posts: 5
1) Okay, I tried again. I should clarify, the part where I fail is trying to extract the key for ssh once importing the certificate

ssh-keygen -D /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -e -v
debug1: manufacturerID <OpenSC (www.opensc-project.org)> cryptokiVersion 2.20 libraryDescription <Smart card PKCS#11 API> libraryVersion 0.0
debug1: label <PIV_II (PIV Card Holder pin)> manufacturerID <piv_II> model <PKCS#15 emulate> serial <my serial number?> flags 0x40d
C_GetAttributeValue failed: 18
debug1: X509_get_pubkey failed or no rsa
no keys

Looking at the man pages I see

-D pkcs11
Download the RSA public keys provided by the PKCS#11 shared
library pkcs11. When used in combination with -s, this option
indicates that a CA key resides in a PKCS#11 token (see the
CERTIFICATES section for details).

Based on that it seems ssh-keygen assumes RSA here. I'm going to dig around a bit more looking for a way to get eccp384 to work, but if that fails, I'll just use the rsa2048.

2) Okay, that makes sense.

3) Thanks, I look forward to clarification.


Top
 Profile  
Reply with quote  
PostPosted: Sun Aug 21, 2016 4:47 am 
Offline

Joined: Sun Nov 15, 2015 11:47 pm
Posts: 36
ChrisHalos wrote:
(2) That's correct, the PIV specification doesn't list 4096 RSA as a supported algorithm, so the PIV Tool and PIV Manager do not support it either. If NIST adds this as a supported algorithm, we will update both tools to support it as well (obviously only on the YK4, the NEO cannot handle 4096).

Could you clarify - what's the largest RSA key that YubiKey 4 can support now? And that PIV Manager supports too?

ChrisHalos wrote:
(3) I'm not sure, but I can check with the development team. OS X code signing, for example, requires both 9a and 9c (https://developers.yubico.com/yubico-pi ... gning.html)

Chris, the URL you referred to provides incomplete information. First, you need to add not only CHUID, but also CCC, which can be done with
Code:
yubico-piv-tool -a set-chuid -a set-ccc

Second, standard OpenSC tokend is not likely to work properly - you need an OpenSC fork https://github.com/mouse07410/OpenSC.tokend.git


Top
 Profile  
Reply with quote  
PostPosted: Mon Aug 22, 2016 4:57 pm 
Offline
Yubico Team
Yubico Team

Joined: Thu Oct 16, 2014 3:44 pm
Posts: 349
Max RSA on PIV is still currently 2048 (covered in NIST Special Publication 800-53, believe the newest public version is revision 4).

You're most likely correct on that front (CCC in OSX). I will chat with the developer who wrote the instructions and see about updating the steps.


Top
 Profile  
Reply with quote  
PostPosted: Mon Aug 29, 2016 2:43 am 
Offline

Joined: Sun Nov 15, 2015 11:47 pm
Posts: 36
ChrisHalos wrote:
Max RSA on PIV is still currently 2048 (covered in NIST Special Publication 800-53, believe the newest public version is revision 4).

Even on YubiKey 4? It won't take/generate 3072-bit RSA keys? That's a pity. It's NIST SP 800-73, and yes - the latest revision is 4 (as I understand, YubiKey implements Rev 3).

ChrisHalos wrote:
You're most likely correct on that front (CCC in OSX). I will chat with the developer who wrote the instructions and see about updating the steps.

Thank you. But it's not "most likely" (verified by extensive testing against OpenSC.tokend, Thursby PKard, and Centrify Express), and it's not "in OSX" (as Windows-8 did not like this token at all until CCC was set up). Maybe you can squeak by on Linux with "bare" OpenSC, I haven't tried that.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 6 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 4 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group