Yubico Forum

Posted: Fri Oct 27, 2017 7:03 pm
Yubico Moderator

Joined: Tue Jan 05, 2016 5:03 pm
Posts: 27
YubiKey Smart Card Minidriver
The YubiKey Smart Card Minidriver allows for the use of native Windows services to enroll
YubiKeys as smart cards, both directly by individual users, as well as with administrators
enrolling YubiKeys as smart cards on behalf of other users. For environments with just
Windows PCs, the YubiKey Smart Card Minidriver and native Windows smart card services provide the best integration of the YubiKey’s smart card functions.
Key Features:
● Use multiple authentication certificates
● Set / Change smartcard PIN via Windows GUI
● Unblock a blocked PIN
● Certificate Enrollment (add user certificate)
○ Auto-enrollment
○ MMC admin console on behalf of other users
● Set policy for touch to allow private key use
● Import certificate chains for User Certificates
● Supported Key Algorithms
○ RSA 2048-bit keys
○ Elliptic Curve Cryptography (ECC) ECDH/ECDSA-P256 keys
○ Elliptic Curve Cryptography (ECC) ECDH/ECDSA-P384 keys


Identity Device (NIST SP 800-73 [PIV])
For environments where the YubiKey Smart Card will be used with accounts on mixed
operating systems, including MacOS and Linux, the YubiKey PIV Manager should be used
across all systems. The native Windows smart card services and the YubiKey PIV Manager
should not be used in conjunction for managing the YubiKey smart card functions.

A PIV-compliant YubiKey NEO holds 4 distinct slots for certificates and a YubiKey 4 holds 24, as specified in the PIV standards document. Each of these slots is capable of holding an X.509 certificate, together with its accompanying private key. Technically these four slots are very similar, but they are used for different purposes.
Features:
● Use a single certificate of each type: Authentication, Signature, & Encryption (key management)
● Certificates using RSA 2048-bit keys


I loaded certificates using the PIV manager / PIV tool and upgraded to YubiKey Smart Card Minidriver and now I cannot see or use my certificates.
Answer: Due to the changes stated below, the YubiKey is now a container-based smart card in Windows. When enrolling certificates using the PIV manager or PIV Tool, it does not create the necessary container map for Windows to allow applications to access the certificates.
Resolution 1: Reset your YubiKey and follow the directions in the YubiKey Smart Card Minidriver Guides (https://www.yubico.com/support/knowledg ... mart-card/) for enrolling certificates.
Resolution 2: If you need to maintain cross-platform compliance, you can manually remove the YubiKey Smart Card Minidriver.
1. Open Device Manager, locate and right-click YubiKey Smart Card (under Smart cards) and select Uninstall Device (mark Delete the driver software for this device).
2. Block re-installation from Windows Update:
   1. WinKey + R
   2. Type: gpedit.msc
   3. Browse to Local Computer Policy, Computer Configuration, Administrative Templates, System, Device Installation, Device Installation Restrictions.
   4. Double-click Prevent installation of the devices that match any of these device IDs.
   5. Click Enabled, Show Contents, click ADD, and in the ADD item field type: YK4 SCFILTER\CID_59756269b657934. YK NEO SCFILTER\CID_59756269b657934e454f7233. Click OK, then click OK again.
   6. Exit gpedit.msc.

Why can’t I use the YubiKey Smart Card Minidriver and Identity Device (NIST SP 800-73 [PIV]) side by side?
Answer: With the YubiKey Smart Card Minidriver, Microsoft Windows views a smart card as a container as each certificate is loaded onto the YubiKey; the Windows credential provider then reads the certificates and creates a container map on the YubiKey. Windows utilizes the container map to allow applications access to the certificates for their intended usage based on the certificate OID in the EKU field of the certificate (https://technet.microsoft.com/en-us/lib ... 59(v=ws.11).aspx).
The Windows inbox Device (NIST SP 800-73 [PIV]) views and treats the YubiKey as a PIV-enabled smart card and identifies the YubiKey as a slot-based smart card.


I’ve recently updated my computer and Windows reports no certificates are present or the Key Set does not exist.
This is due to one of several issues:
● Your computer shows Identity Device (NIST SP 800-73 [PIV]) in Device Manager under Smart cards, and you still receive one of the errors. This is most likely due to your computer downloading a Security Update from Microsoft to resolve the ROCA Vulnerability with RSA Key Generation on affected TPMs and the update did not install properly. To resolve, complete one of the following options:
○ Open Control Panel > Programs and Features > View Installed Updates. Locate and right-click Security update for Microsoft Windows (KB4041676) and select Uninstall.
○ Open Action Center > All Settings > Update and Security > Troubleshoot > Windows Update > Run troubleshooter. When the troubleshooter completes, reboot and check for updates.
○ Update to Fall Creators Update 1709 and ensure the following update has been installed: Security update for Microsoft Windows (KB4043961).
● Your computer shows YubiKey Smart Card Minidriver in Device Manager under Smart cards, you reset your YubiKey enrolled certificates via MMC, and you still receive one of the error messages. This is most likely due to your computer downloading a Security update from Microsoft to resolve the ROCA Vulnerability with RSA Key Generation on affected TPMs, and the update did not install properly. To resolve, complete one of the following options:
○ Open Control Panel > Programs and Features > View Installed Updates. Locate and right-click Security update for Microsoft Windows (KB4041676) and select Uninstall.
○ Open Action Center > All Settings > Update and Security > Troubleshoot > Windows Update > Run troubleshooter. When the troubleshooter completes, reboot and check for updates.
○ Update to Fall Creators Update 1709 and ensure the following update has been installed: Security update for Microsoft Windows (KB4043961).
● None of the above options resolved this issue. Visit (https://www.yubico.com/support/get-support/) and open a support case. Describe your use case in as much detail as possible, and confirm you have completed all troubleshooting steps listed in this article.
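The checks and the deny-list step from the post, as an added PowerShell example (not Yubico's own tooling): it reports which smart card driver Windows bound to the key, whether the two updates named above are present, and writes the same Device Installation Restrictions policy that the gpedit steps set. Assumptions: the registry path is the one that policy writes (confirm with rsop.msc), the function names are mine, and the device IDs are placeholders to be copied from step 5 above; the Set function needs an elevated shell.

```powershell
# Added example, not from the Yubico post. Read-only checks first, policy write last.

function Get-SmartCardDriverState {
    # FriendlyName shows "YubiKey Smart Card Minidriver" (container-based) or
    # "Identity Device (NIST SP 800-73 [PIV])" (slot-based inbox driver).
    Get-PnpDevice -Class SmartCard -ErrorAction SilentlyContinue |
        Select-Object FriendlyName, Status, InstanceId
}

function Test-RocaUpdateState {
    # KB4041676 is the update the post says can install badly; KB4043961 is the
    # one it expects on 1709. Presence only, no network access.
    foreach ($kb in 'KB4041676', 'KB4043961') {
        $hf = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
        [pscustomobject]@{
            KB          = $kb
            Installed   = [bool]$hf
            InstalledOn = if ($hf) { $hf.InstalledOn } else { $null }
        }
    }
}

function Set-DeviceInstallDenyList {
    param([Parameter(Mandatory)][string[]]$DenyIds)
    # Local-policy equivalent of "Prevent installation of the devices that match
    # any of these device IDs" (assumed path; verify with rsop.msc afterwards).
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $list = Join-Path $base 'DenyDeviceIDs'
    New-Item -Path $list -Force | Out-Null
    Set-ItemProperty -Path $base -Name 'DenyDeviceIDs' -Type DWord -Value 1
    $i = 1
    foreach ($id in $DenyIds) {
        # Entries are REG_SZ values named 1, 2, ... under the DenyDeviceIDs key.
        Set-ItemProperty -Path $list -Name ([string]$i) -Type String -Value $id
        $i++
    }
}

Get-SmartCardDriverState | Format-Table -AutoSize
Test-RocaUpdateState     | Format-Table -AutoSize

# Only for Resolution 2 above; replace the placeholders with the IDs from step 5.
# Set-DeviceInstallDenyList -DenyIds @('<YK4 device ID from step 5>', '<YK NEO device ID from step 5>')
```

Run the two read-only functions first; they tell you which of the three cases in the list above you are in before you uninstall anything or change policy.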

