Yubico Forum
https://forum.yubico.com/

YubiKey 4 - cannot set PIN retry counter to desired value?
https://forum.yubico.com/viewtopic.php?f=26&t=2146

Author:  mouse008 [ Mon Jan 04, 2016 4:36 am ]
Post subject:  YubiKey 4 - cannot set PIN retry counter to desired value?

Preface: on YubiKey NEO it works like charm:
Code:
gpg-connect-agent --hex "scd apdu 00 20 00 83 08 31 32 33 34 35 36 37 38" "scd apdu 00 f2 00 00 03 0a 0a 0a" /bye
D[0000]  90 00                                              ..
OK
D[0000]  90 00                                              ..
OK


On YubiKey 4 I'm getting a different result:
Code:
gpg-connect-agent --hex "scd apdu 00 20 00 83 08 31 32 33 34 35 36 37 38" "scd apdu 00 f2 00 00 03 0a 0a 0a" /bye
D[0000]  90 00                                              ..
OK
D[0000]  6D 00                                              m.
OK
$ gpg --card-status
Application ID ...: D2760001240102010006041398550000
Version ..........: 2.1
......
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0


Does it mean that the command to set retry counters on YubiKey 4 is not f2? What is it then?

Help would be appreciated!
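As an added example (not code from the thread or from Yubico), the script below builds the two APDUs mouse008 sends, decodes the status words out of the gpg-connect-agent --hex dumps, and checks the "PIN retry counter" line of gpg --card-status against a minimum-retry policy; the status-word meanings are the standard ISO 7816-4 ones, and the order of the three counters in the vendor F2 command (PW1, Reset Code, PW3, as gpg prints them) is an assumption:

```python
"""Added example (not code from the thread or from Yubico): build the two APDUs
from the post, decode the card's status words out of gpg-connect-agent --hex
output, and check a gpg --card-status dump against a minimum retry policy."""
import re
# Standard ISO 7816-4 / OpenPGP card status words relevant to this exchange.
STATUS_WORDS = {
    b"\x90\x00": "success",
    b"\x6d\x00": "INS not supported: this firmware has no such command",
    b"\x69\x82": "security status not satisfied: PIN not verified",
    b"\x69\x83": "authentication method blocked: retry counter exhausted",
}

def verify_apdu(pin: bytes, p2: int = 0x83) -> bytes:
    """VERIFY (INS 0x20). P2 0x83 is the Admin PIN (PW3), 0x81 the user PIN (PW1)."""
    return bytes([0x00, 0x20, 0x00, p2, len(pin)]) + pin

def set_retry_counters_apdu(pw1: int, rc: int, pw3: int) -> bytes:
    """YubiKey NEO vendor command INS 0xF2 carrying three counters; the order
    PW1, Reset Code, PW3 (as gpg --card-status prints them) is an assumption."""
    return bytes([0x00, 0xF2, 0x00, 0x00, 0x03, pw1, rc, pw3])

def decode_status(sw: bytes) -> str:
    if sw[0] == 0x63 and sw[1] & 0xF0 == 0xC0:  # 63 Cx: PIN wrong, x retries left
        return f"wrong PIN, {sw[1] & 0x0F} retries remaining"
    return STATUS_WORDS.get(sw, f"unknown status {sw.hex()}")

def status_words(hex_output: str) -> list:
    """Return SW1 SW2 (the last two bytes of each response) from the D[....] lines."""
    pattern = r"^D\[[0-9A-Fa-f]{4}\][ \t]+((?:[0-9A-Fa-f]{2}[ \t]+)*[0-9A-Fa-f]{2})"
    return [bytes.fromhex(m.group(1))[-2:] for m in re.finditer(pattern, hex_output, re.M)]

def retry_counters(card_status: str) -> tuple:
    """Read 'PIN retry counter : a b c' (PW1, Reset Code, PW3) from gpg --card-status."""
    m = re.search(r"^PIN retry counter\s*:\s*(\d+)\s+(\d+)\s+(\d+)", card_status, re.M)
    if not m:
        raise ValueError("no PIN retry counter line in card status")
    return tuple(int(x) for x in m.groups())

def meets_policy(card_status: str, minimum: int) -> bool:
    """True when every retry counter on the card is at least the policy minimum."""
    return all(c >= minimum for c in retry_counters(card_status))

# Constructed sample inputs, copied from the two dumps and the card status in the post.
NEO_OUTPUT = "D[0000]  90 00    ..\nOK\nD[0000]  90 00    ..\nOK\n"
YK4_OUTPUT = "D[0000]  90 00    ..\nOK\nD[0000]  6D 00    m.\nOK\n"
YK4_STATUS = "Version ..........: 2.1\nPIN retry counter : 3 3 3\nSignature counter : 0\n"

if __name__ == "__main__":
    print([decode_status(sw) for sw in status_words(YK4_OUTPUT)], meets_policy(YK4_STATUS, 5))
```

On the YubiKey 4 dump the first status word shows the Admin PIN was accepted, so the 6D 00 on the second command is the firmware rejecting the instruction itself, not an authentication failure.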

Author:  Tom2 [ Tue Jan 05, 2016 12:17 pm ]
Post subject:  Re: YubiKey 4 - cannot set PIN retry counter to desired valu

That feature is not available on the YubiKey 4

Author:  mouse008 [ Thu Jan 07, 2016 4:12 am ]
Post subject:  Re: YubiKey 4 - cannot set PIN retry counter to desired valu

Tom2 wrote:
That feature is not available on the YubiKey 4


Wha...? Are you saying that on YubiKey 4 PIN retries is hard-coded to be "three times"?!

Author:  Tom2 [ Fri Jan 08, 2016 4:39 pm ]
Post subject:  Re: YubiKey 4 - cannot set PIN retry counter to desired valu

That's by specification.

OpenPGP

http://g10code.com/docs/openpgp-card-3.0.pdf

Author:  Uriel [ Fri Jan 08, 2016 8:32 pm ]
Post subject:  Re: YubiKey 4 - cannot set PIN retry counter to desired valu

Tom2 wrote:
That's by specification.
OpenPGP
http://g10code.com/docs/openpgp-card-3.0.pdf


Thank you for the reference. I notice that none of the OpenPGP specs (v1.0, 2.0, 3.0) actually include setting the retry counter to a specific value. They only say that at the reset it should return to the default.

However I find it very convenient and user-friendly that NEO extends this and allows me to set it to (say) 5 instead of 3, because (a) this is the policy where I employ it, and (b) it is perfectly convenient for me. So I'm very much disappointed that Yubico decided to get "strict" with YubiKey 4. There doesn't seem to be a reason (nor a need) for it.

Update
It is understandable why the standard may want to preclude users from being able to change the retry counter. Preventing the organizations that own and deploy such devices from setting whatever policy on the number of retries they see fit seems very wrong - and I've yet to see a standard explicitly demanding this.

Author:  KenMacD [ Wed Jan 20, 2016 3:52 am ]
Post subject:  Re: YubiKey 4 - cannot set PIN retry counter to desired valu

I agree with Uriel. With the Admin PIN this value should be able to be modified. 3 is just too risky for a password of over 30 characters.

Also, is there anything to prevent malware from coming along and locking the PINs?

It would be really nice if there was a way for the counter to reset with every power-off. This is the way encrypted WD My Passport drives work, and seems like it would make a brute-force attack pretty much impossible.

Author:  Tom2 [ Wed Jan 20, 2016 2:16 pm ]
Post subject:  Re: YubiKey 4 - cannot set PIN retry counter to desired valu

We hear you guys and we thought about bringing back this feature for YK4. However, since this feature might be included in the future spec of OpenPGP, we may decide to wait to implement this conforming to the standard.

In short, we are currently waiting and observing developments which will decide how we will bring this back.

Author:  KenMacD [ Wed Jan 20, 2016 4:50 pm ]
Post subject:  Re: YubiKey 4 - cannot set PIN retry counter to desired valu

Thanks Tom.

I've decided instead of generating my authentication key on the YubiKey to generate it off-key so I can create a backup just in case.

I'll keep an eye out to see how the new spec, or your implementation, will handle locked keys.
