Yubico Forum https://forum.yubico.com/ |
|
Windows PIV logon https://forum.yubico.com/viewtopic.php?f=35&t=2771 |
Page 1 of 1 |
Author: | Sychowski [ Tue Oct 31, 2017 6:00 pm ] |
Post subject: | Windows PIV logon |
Hello, I have a few questions about the security of a PIV enabled Yubikey. Since I can see, and export the certificate stored on a Yubikey, what happens if someone exports the cert, and imports it onto a different Yubikey, or other smartcard device? Thanks |
Author: | My1 [ Tue Oct 31, 2017 7:36 pm ] |
Post subject: | Re: Windows PIV logon |
the cert alone wont help. the cert is essentially just the public key along with some extra data, which the computer uses to trust this key. on authentication the smartcard shows its certificate which tells the computer that this is a valid cert for that specific user (or not) and when it is a valid cert, the user gets prompted to enter their PIN, and that for one specific reason: A signature upon a challenge with the private key for that public key. trying to remove a bit of digital speech of this, the computer gives the yubi a document which says "yes I want to sign in this user." (and some extra stuff). and the key will now sign this document. when the signed document comes back to the computer it will check that the document hasnt been altered and the signature fits the public key from that certificate. if everything is okay (the certificate fits the user, the computer trust whoever signed that certificate, the signature of the challenge is okay and so on) AND ONLY THEN, the user will be signed in. -------------------------------- so to shorten this: no, the certificate alone wont be enough. you need the private key itself (which you certainly cannot get out of the yubi, so if you have a backup keep it safe, if the key was made on the Yubi itself, the key cannot be extracted from anywhere (BUT: there are weak key generators in some keys) or the ability to sign anything with the private key, which requires your PIN. and with at least 4 digits on older and 6 digits on newer keys and only 3 tries before the thing locks down, an attacker wont be able to do anything quickly. |
Author: | Sychowski [ Tue Oct 31, 2017 10:30 pm ] |
Post subject: | Re: Windows PIV logon |
Very nice reply, that helps a lot. I am still learning about PKI. Thank you very much. |
Author: | My1 [ Wed Nov 01, 2017 12:15 am ] |
Post subject: | Re: Windows PIV logon |
No problem, nice to be able to help. |
Page 1 of 1 | All times are UTC + 1 hour |
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/ |