Yubico Forum

My understanding is the "smart card" applet space in the chip provides a small amount of storage space. At least enough to store multiple applets plus the (very small) data they require to function such as a PGP key or the secret keys of these 2FA tokens.

Unlike RFID, NFC does have the ability to do bidirectional information transfer. The phone does indeed write the secret key to the Yubikey through NFC.

The data is stored in the smart card applet space, not in any particular NFC specific space though. That means that when someone implements it, it would be possible to use these keys on a desktop or laptop by plugging the Yubikey into a USB port in addition to reading it through NFC.

The biggest limiting factor (and it isn't much of one) is that the host device (the Android phone or the computer OS) is required to perform the time based portion of the algorithm work since the Yubikey is only powered when connected via USB or within an NFC field, and hence, it can't have an internal clock which is required to build the 2FA token for submission.

I believe all this information is accurate, but please forgive me if my understanding is imperfect and I've written something incorrectly. Hopefully we could get a +1 from someone who is an expert with all these things so you can trust my ramblings.

Again, thanks for your comments!

Just reviewing the Yubikey NEO section of the Open Source Applet page, it would be interesting to know precisely what the capacity of Yubikey NEO's smart card space is (whether quantified in kilobytes or in number of applets).

Separately, I had no idea the ability to transmit Smart Card info through either NFC or USB on a laptop/desktop could be an option. That's really impressive.

But this raises another question: How would the host system (Laptop or PC) know what info is pertinent (Slot 1 info, Slot 2, or smart card key info)? For example, with my Yubikey NEO setup, I'd insert the Yubikey into a USB port and press the button for just a second to apply the OTP function in Slot 1, a longer press for Static Password functionality in Slot 2, and a 10-second button press to regenerate a new static password (if configured to do so with the GUI personalization tool). How would I "tell" the key (or the host machine?) that an applet in the smart card space is what's relevant?

I know, these questions go beyond any call of duty here, but again, my hope is this will help bring clarity to others as well. =)

tl;dr: Think of the slot configs and the smart card applet space as two completely orthogonal functions crammed into one tiny piece of hardware.

Before the NEO, you had your standard Yubikey that could transmit slot 1 or slot 2 via USB triggered by the appropriate keypress.

If you wanted to manage PGP keys for signing and encryption, or if you had some RSA style authentication mechanism that you wanted to use, you would purchase a smart card device that could be carried around and inserted into the port on a computer when it was needed. Windows would have the drivers to support said smart card device.


Now, let's jump back to the NEO. Out of the box (bag), the NEO's smart card capabilities are completely dormant. When you insert the device into a USB port, the computer *only* sees it as a keyboard device, and only the slot 1 and 2 configuration data is available.

But, when you run the ykpersonalize app and set the mode to 82, that activates the smart card functionality. The next time you insert the Yubikey into the USB port, Windows will see the USB keyboard, but it will also see a smart card and start loading the driver for that. Similar to how it would react if you had an original Yubikey and a USB compatible Smart Card device plugged into a USB hub and then you plugged the hub into your computer.

When you touch the contact on the Yubikey, that causes the Yubikey to use the Slot 1 or 2 configuration to output keystrokes. However, if you have an application that uses the smart card API to interact with the Yubikey, it can run whatever applets are installed in the Yubikey and those applets can use the data that is associated with them. It is important to realize though, it is the host system application that drives that interaction. There is nothing the Yubikey can do to initiate a smart card applet transaction when you touch the contact. I suppose that could change one day in the future, but the current Yubikey Personalization Tool doesn't have any options to that effect.

Jumping over to the NFC and Android world now. Android has something called Intents in its event system. When an application wants to be able to handle some particular event such as an SMS being sent or received or a web link being clicked, it registers an intent for that event. When the event happens, Android offers the event up to one or all of the applications that registered intents. (I don't know exactly how it handles multiple apps in this case, but it doesn't really matter for our purposes here.)

I believe if you have no special applications (such as LastPass) installed on an Android device and you touch a yubikey to the NFC target, the event that gets spawned is a URL to the Yubikey website. However, that particular event must have enough information in it that will allow specific applications to register an intent handle the event differently. When you have an app like LastPass installed, it will become an option to handle the event when you hold the Yubikey up to the NFC target. If you have the Yubico Authenticator app installed, it will also register an intent for this event, but it appears it only registers the intent when the app is actively running (i.e. it doesn't pop up as a choice of app to run when you hold the Yubikey up to the NFC target normally).

The Yubico Authenticator does something very different when it interacts with the Yubikey NFC data though. Unfortunately, here is where my explanation breaks down because I haven't read the code and I haven't seen any tech documentation from Yubico on how they do it. But what I infer is that the Authenticator app make a different call through the NFC API to the Yubikey, passing in the current clock time, and asking it to run the Authenticator applet that is installed on the Yubikey. When that applet is run, it uses the clock time and each site key that has been stored in the applet data to generate the 2FA codes that are then returned to the Authenticator app to be displayed on the screen.

Added both https://launchpad.net/~klali/+archive/stuff and https://launchpad.net/~k-o-/+archive/globalplatform using their "Read about installing". There is no package named gpshell or even libglobalplatform. apt-get install results in nothing. apt-cache search results in nothing.
Ubuntu 12.04 LTS.

Edit:

Works fine and dandy on 13.10.

Dear all,

Is there any hope of a real walkthrough on this installation? I can't find or get .cap file from anywhere.

At the moment your instructions are borderline hostile, I mean "This software is not released by Yubico and we cannot help it if messy, hard to understand or whatever you feel about." Seriously? This is your customers we're talking about and if installing basic functionality is this difficult, then Yubico probably should do something to help.

Please let me hear your thoughts on .cap file and how to get it.

If you have Java - for example OS X - you can install applets quite easily:



This assumes that you have already switched the NEO to CCID mode and that you have a recent version of the CCID driver available, that would recognize the device. You can get one for OS X from here: https://github.com/martinpaljak/osx-ccid-installer

_________________
OpenKMS GlobalPlatform - simple way to manage applications on your NEO
Applet Playground - explore open source JavaCard applications
PGP: 0x307E3452

I succesfully compiled ykneo-oath and am ready to install it. But before I do so, I'd like to verify what a user on anoter forum wrote: He wrote that this would overwrite the ykneo-openpgp applet?
Is that true, and if yes, can I do something about it?
I compared the two gpinstall.txt files, and the following lines match:

but the delete commands have different AID's.

Thid is the default authentication and is supposed to be same for all NEO-s and all applets. The AID of the OATH applet is A000000527210101

If you'd be using the software from my previous post:
To delete the OATH applet:

To install a new one (with AID-s taken from the CAP file):


Maybe this helps.

_________________
OpenKMS GlobalPlatform - simple way to manage applications on your NEO
Applet Playground - explore open source JavaCard applications
PGP: 0x307E3452

From step 2: which one of these is the "Library"?

Also, do I need to do the "mode 82" thingy and if so, could it please be included in the first post.

You could just try my utility from Github: https://github.com/martinpaljak/GlobalP ... om-openkms

It is just a single .exe to download (if you already have Java) and way easier to use compared to the sf.net tool.

If something doesn't work, I can help you debug it as well.

_________________
OpenKMS GlobalPlatform - simple way to manage applications on your NEO
Applet Playground - explore open source JavaCard applications
PGP: 0x307E3452