Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 10:54 am

All times are UTC + 1 hour




Post new topic Reply to topic  [ 5 posts ] 
Author Message
PostPosted: Mon Jan 04, 2016 4:41 am 
Offline

Joined: Sun Nov 15, 2015 11:47 pm
Posts: 36
Code:
gpg --card-edit
has the option "4 - set the Reset Code". It appears to work, at least both tokens (NEO and 4) accept this command and prompt me for the new Reset code.

The question is - where/when/how can one use it? There doesn't seem to be any application that accepts it???

Please explain how and at what circumstances that code can be used, and what its consequences are: does it just reset the PINs and PIN retry counters? Or does it wipe the entire applet content? Or...?


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Tue Sep 27, 2016 1:15 am 
Offline
User avatar

Joined: Fri Aug 26, 2016 5:44 pm
Posts: 25
Location: Rochester, New York, USA
mouse008 wrote:
Code:
gpg --card-edit
has the option "4 - set the Reset Code". It appears to work, at least both tokens (NEO and 4) accept this command and prompt me for the new Reset code.

The question is - where/when/how can one use it? There doesn't seem to be any application that accepts it???

Please explain how and at what circumstances that code can be used, and what its consequences are: does it just reset the PINs and PIN retry counters? Or does it wipe the entire applet content? Or...?

I suspect it's a duress code, and will test later (came across your post while trying to find confirmation before testing practically). That is, it's _not_ one you would ever be prompted for, its purpose is rather to _immediately_ wipe the contents upon entry. Normally you have the configured number of PIN entry attempts before the card locks, followed by the configured number of PUK entry attempts to unlock and change the PIN. If I'm right, the reset code would _immediately_ wipe the contents of card, rather than requiring all those attempts. The idea is that if someone is holding a gun to your head, they can't torture the PIN out of you if you've already wiped it, and even if they have a lab capable of _trying_ to extract the keys, they wouldn't be there anymore to try.

_________________
Keybase User: sporkwitch
PGP Public Key: B54A 454A 2B29 9D83 0201 CB1B C136 07BD 83A9 E927


Top
 Profile  
Reply with quote  
PostPosted: Tue Sep 27, 2016 5:47 am 
Offline
Yubico Team
Yubico Team

Joined: Thu Oct 16, 2014 3:44 pm
Posts: 349
Reset Code is set with:

gpg --card-edit
admin
passwd
4

[follow prompts from here - you just need to know the Admin PIN at this point, which is 12345678 if you haven't changed it from the default]

For a description of the Reset Code, please see the specifications that the OpenPGP applet is based off of (http://www.g10code.com/docs/openpgp-card-2.0.pdf), in particular page 15. The reset code (or "resetting code" as it's referred to in the documentation) is kind of like the Admin PIN, except the ONLY function it provides is to allow you to reset your PIN if you've locked it out. It can't be used for actually editing the card. It's intended for admins (who know the Admin PIN) to prepare the card for their user, and by providing both the PIN and the Reset Code, it gives the user control over the PIN (and the ability to reset it). If it's for personal / single-user use, the Reset Code isn't really necessary (and that's why there isn't one by default on the YubiKey).

The NEO actually improperly reports that there is a Reset Code counter (look at the PIN retry counter field when you run gpg --card-status or gpg --card-edit - it's the middle number). The YubiKey 4 correctly reports this as - by default, as there is no Reset Code by default.


Top
 Profile  
Reply with quote  
PostPosted: Tue Sep 27, 2016 10:39 am 
Offline
User avatar

Joined: Fri Aug 26, 2016 5:44 pm
Posts: 25
Location: Rochester, New York, USA
ChrisHalos wrote:
Reset Code is set with:

gpg --card-edit
admin
passwd
4

[follow prompts from here - you just need to know the Admin PIN at this point, which is 12345678 if you haven't changed it from the default]

For a description of the Reset Code, please see the specifications that the OpenPGP applet is based off of (http://www.g10code.com/docs/openpgp-card-2.0.pdf), in particular page 15. The reset code (or "resetting code" as it's referred to in the documentation) is kind of like the Admin PIN, except the ONLY function it provides is to allow you to reset your PIN if you've locked it out. It can't be used for actually editing the card. It's intended for admins (who know the Admin PIN) to prepare the card for their user, and by providing both the PIN and the Reset Code, it gives the user control over the PIN (and the ability to reset it). If it's for personal / single-user use, the Reset Code isn't really necessary (and that's why there isn't one by default on the YubiKey).

The NEO actually improperly reports that there is a Reset Code counter (look at the PIN retry counter field when you run gpg --card-status or gpg --card-edit - it's the middle number). The YubiKey 4 correctly reports this as - by default, as there is no Reset Code by default.

Thanks for clarifying. That said, a duress code might be something to look into in the future (it's a very practical function to have, and present on most high-end security devices, both military and civilian).

_________________
Keybase User: sporkwitch
PGP Public Key: B54A 454A 2B29 9D83 0201 CB1B C136 07BD 83A9 E927


Top
 Profile  
Reply with quote  
PostPosted: Tue Sep 27, 2016 6:34 pm 
Offline
Yubico Team
Yubico Team

Joined: Thu Oct 16, 2014 3:44 pm
Posts: 349
https://github.com/Yubico/ykneo-openpgp/pull/43


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 5 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 11 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group