Yubico Forum

All times are UTC + 1 hour




Posted: Sat Aug 24, 2013 9:25 am
Hello,

I created a pgp keypair with my Yubikey as outlined. It seemed to work as far as I knew. Today came the time to actually test it. That said, it's not behaving at all. It seems that the PIN is not being accepted properly. Below is the excerpt of my terminal while working on this. (Encryption and Auth keys edited out as I felt this was unnecessary.)

Notable things:
PIN retry counter at 0.
I unblock it successfully and use a simple password (123456) for this example.
(While not shown here, I can do a "verify" command here and the PIN retry counter will tick down to 2.)
I exit out though to do what I was hoping.
I have a file that a friend encrypted.
It's not taking the password.
Fun times.

Thanks for your time,
Weston

Arch Linux (Fully updated.)
gpg (GnuPG) 2.0.21
libgcrypt 1.5.3


➜ Downloads gpg --card-edit
gpg: enabled debug flags: memstat

Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
Serial number ....: 00000001
Name of cardholder: Weston Myers
Language prefs ...: en
Sex ..............: male
URL of public key : http://sec.westonmyers.com/pgppubstore/weston+pgp@ieee.org
Login data .......: westonmyers
Signature PIN ....: not forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 0 3 3
Signature counter : 14
Signature key ....: A679 6687 3661 82F4 2A9B BE0E FAA5 D450 6A4B B09A
created ....: 2013-08-16 08:01:24
Encryption key....: [REDACTED]
created ....: 2013-08-16 08:01:24
Authentication key: [REDACTED]
created ....: 2013-08-16 08:01:24
General key info..:
pub 2048R/6A4BB09A 2013-08-16 Weston L Myers (No trees were killed to send this message; however, a large number of electrons were terribly inconvenienced...) <weston+pgp@ieee.org>
sec> 2048R/6A4BB09A created: 2013-08-16 expires: 2014-08-16
card-no: 0000 00000001
ssb> 2048R/493D77FB created: 2013-08-16 expires: 2014-08-16
card-no: 0000 00000001
ssb> 2048R/A42FF1AE created: 2013-08-16 expires: 2014-08-16
card-no: 0000 00000001

gpg/card> unblock
gpg: OpenPGP card no. D2760001240102000000000000010000 detected
PIN changed.

gpg/card> list

Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
Serial number ....: 00000001
Name of cardholder: Weston Myers
Language prefs ...: en
Sex ..............: male
URL of public key : http://sec.westonmyers.com/pgppubstore/weston+pgp@ieee.org
Login data .......: westonmyers
Signature PIN ....: not forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 14
Signature key ....: A679 6687 3661 82F4 2A9B BE0E FAA5 D450 6A4B B09A
created ....: 2013-08-16 08:01:24
Encryption key....: [REDACTED]
created ....: 2013-08-16 08:01:24
Authentication key: [REDACTED]
created ....: 2013-08-16 08:01:24
General key info..:
pub 2048R/6A4BB09A 2013-08-16 Weston L Myers (No trees were killed to send this message; however, a large number of electrons were terribly inconvenienced...) <weston+pgp@ieee.org>
sec> 2048R/6A4BB09A created: 2013-08-16 expires: 2014-08-16
card-no: 0000 00000001
ssb> 2048R/493D77FB created: 2013-08-16 expires: 2014-08-16
card-no: 0000 00000001
ssb> 2048R/A42FF1AE created: 2013-08-16 expires: 2014-08-16
card-no: 0000 00000001

gpg/card> quit
random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
outmix=0 getlvl1=0/0 getlvl2=0/0
secmem usage: 0/32768 bytes in 0 blocks
➜ Downloads gpg -v -o doc.txt --decrypt signed_6A4BB09A_encrypted.acs
gpg: enabled debug flags: memstat
Version: GnuPG v1.4.12 (Darwin)
gpg: armor header:
gpg: public key is A42FF1AE
gpg: using subkey A42FF1AE instead of primary key 6A4BB09A
gpg: using subkey A42FF1AE instead of primary key 6A4BB09A
gpg: encrypted with 2048-bit RSA key, ID A42FF1AE, created 2013-08-16
"Weston L Myers (No trees were killed to send this message; however, a large number of electrons were terribly inconvenienced...) <weston+pgp@ieee.org>"
gpg: public key decryption failed: Card error
gpg: decryption failed: No secret key
random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
outmix=0 getlvl1=0/0 getlvl2=0/0
secmem usage: 0/32768 bytes in 0 blocks


Posted: Mon Aug 26, 2013 12:51 pm
Hello,

The issue was indeed with the Yubikey Neo OpenPGP applet on the device. This is resolved by updating the applet to the latest version. (Keys are lost at this time since import is not supported.)

Thread at the GitHub account regarding this issue.

Regards,
Weston


Posted: Thu Jul 23, 2015 12:18 am
I am getting the same problem with firmware 3.3.0 and openpgp applet ver 1.0.8.

I tried updating the openpgp applet but I don't know the card manager keys.

I am aware of the security advisory YSA-2015-1, but it's my understanding that it should not affect encryption/decryption.

Is there a way to update the applet or fix this issue?

[Fixed]

I finally resolved the problems by unblocking the PIN and changing the PIN to something else. (Previously I was setting the same PIN after unblocking, but that did not work.)

I was also getting errors with CHV2 on the 'verify' command. I wasn't able to generate new keys and was also getting "Conditions of use not satisfied" on some commands, and couldn't authenticate SSH sessions or sign other keys... which led me to this tutorial http://25thandclement.com/~william/YubiKey_NEO.html that pointed out some similar issues fixed by unblocking the PIN.


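Added example, not written by any poster in this thread: a small Python helper that reads a pasted `gpg --card-edit` / `gpg --card-status` listing like the one in the first post, reports which PIN retry counters have reached 0, and decodes the Application ID. The function names are hypothetical; the counter order (user PIN, Reset Code, Admin PIN) and the AID field layout follow the OpenPGP card specification.

```python
import re

# Constructed sample: a few lines trimmed from the first post's card listing.
SAMPLE = """\
Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
PIN retry counter : 0 3 3
Signature counter : 14
"""

COUNTERS = ("user PIN (PW1)", "Reset Code", "Admin PIN (PW3)")  # gpg's print order

def parse_aid(aid):
    """Split a 16-byte OpenPGP card AID (32 hex digits) into its fields."""
    aid = aid.strip().upper()
    if not re.fullmatch(r"D27600012401[0-9A-F]{20}", aid):
        raise ValueError("not an OpenPGP card AID")
    return {
        "spec_version": f"{int(aid[12:14])}.{int(aid[14:16])}",  # BCD major.minor
        "manufacturer": aid[16:20],
        "serial": aid[20:28],
    }

def pin_counters(card_text):
    """Return the remaining tries for each PIN from a card listing."""
    m = re.search(r"^PIN retry counter\s*:\s*(\d+)\s+(\d+)\s+(\d+)\s*$",
                  card_text, re.M)
    if not m:
        raise ValueError("no 'PIN retry counter' line found")
    return dict(zip(COUNTERS, map(int, m.groups())))

def diagnose(card_text):
    """List the PINs whose retry counter has reached 0."""
    findings = []
    for name, left in pin_counters(card_text).items():
        if left == 0:
            note = "blocked or never set" if name == "Reset Code" else "blocked"
            findings.append(f"{name}: {note} (0 tries left)")
    return findings

def card_aid(card_text):
    """Pull the Application ID out of a card listing and decode it."""
    m = re.search(r"^Application ID\s*\.*:\s*([0-9A-Fa-f]{32})\s*$", card_text, re.M)
    if not m:
        raise ValueError("no 'Application ID' line found")
    return parse_aid(m.group(1))

if __name__ == "__main__":
    print(card_aid(SAMPLE), diagnose(SAMPLE))
```

The version decoded from the Application ID is the OpenPGP card specification version the card reports (2.0 here), not the applet release number such as the 1.0.8 mentioned in the last post.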