Yubico Forum

Hello,

Can the Yubikey 4 do SHA2 instead of SHA1 for the HMAC challenge/response? SHA1 is considered insecure nowadays.

Thanks!

EDIT: subject updated to include [QUESTION] tag.

The attacks on SHA1 have to do with collision resistance. This means that any system relying on collision resistance should no longer be using SHA1. Digital signature schemes typically use a hash function to get a fixed-length value to sign, and that relies very much on collision resistance for security (as the Ars article points out).

However, the challenge-response mechanism in the YubiKey uses HMAC-SHA1. HMAC does NOT rely on collision resistance (this has actually been formally proven), and is thus not affected by this problem at all. HMAC-SHA1 is still considered secure.

The slot based challenge-response credentials use HMAC-SHA1, and we have no plans on changing this. However, the OATH applet available on the YubiKey NEO as well as YubiKey 4 provides HMAC-SHA256 in addition to HMAC-SHA1 (the YubiKey 4 even supports HMAC-SHA512 as well), but this applet needs to be invoked in a different way compared to the standard slots. For more information on that, go here: https://developers.yubico.com/ykneo-oath/Protocol.html

Thanks for the reply, dain. Your argument that HMAC-SHA1 is still secure makes sense and I am comfortable with that.

Can the Yubikey 4 really do plain HMAC-SHA256? It seems that ykneo-oath would insist on including an incrementing counter in the hash. If you're curious, I'm exploring the use of deterministic password generation for website logins: HMAC(domain-name, seed-stored-in-yubikey).

Yes, you can do this with the YubiKey 4 or NEO. You have to store the key as a TOTP credential, which does not have a counter. Instead TOTP uses the current time as the challenge, which is passed to the YubiKey from the host PC. To do "plain" HMAC-SHA256 you would use the CALCULATE command, pass in your challenge, and specify that you want the full (non-truncated) response.