Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 12:28 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 4 posts ] 
Author Message
PostPosted: Tue Nov 17, 2015 3:12 am 
Offline

Joined: Thu Oct 16, 2014 11:51 pm
Posts: 82
I saw the announcement of the Yubikey 4 and Yubikey 4 nano products earlier today:
https://www.yubico.com/2015/11/4th-gen-yubikey-4/
https://www.yubico.com/2015/11/yubico-docker-codesign/
https://www.yubico.com/products/yubikey ... /yubikey4/

1. Out of curiosity, what were the hardware changes made between the NEO/NEO-n and the 4/4-n that allowed for RSA 4096-bit keys and internal PKCS#11 signatures? And clarification: is the PKCS#11 support for docker only available in the 4/4-n models?

2. Also, is the lack of NFC capability on the Yubikey 4 due to having to source hardware from sources other than NXP? If not, what is the reason?

Thanks.


Last edited by brendanhoar on Wed Dec 02, 2015 10:10 pm, edited 1 time in total.

Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Wed Nov 18, 2015 1:44 am 
Offline

Joined: Wed Nov 18, 2015 1:26 am
Posts: 1
My guess is that YK4 uses a completely different chip vendor.
NEO is based the NXP A700x chip, which according to the specifications only support RSA keys up to 2048 bits.

I am sure NFC will return once NXP upgrades their chips to allow for larger RSA keys.

Note: I am not Yubico representative, so I could very well be wrong.


Top
 Profile  
Reply with quote  
PostPosted: Wed Dec 02, 2015 9:33 pm 
Offline

Joined: Tue May 28, 2013 1:14 pm
Posts: 26
I'd be also interested what is the new chip inside of Yubikey 4.

Regarding the PKCS#11: PKCS#11 is only the C interface, there is no "internal PKCS#11" signature generation. Maybe you mean the PIV applet that is compatible with PKCS#11.

Here is some info from pkcs11-tool from OpenSC using the latest Yubikey Neo (with initialized PIV applet), I'd guess it will be similar in Yubikey 4 just with the RSA-4096. Strangely it claims RSA-3072 support, but there's apparently bug in the PIV applet I guess.

Someone may try this with Yubikey 4 and post comparison (I unfortunately ordered second Neo just few days before Yubikey 4 was announced).

With latest Yubikey Neo you'll get:

Code:
$ pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so -T

Available slots:
Slot 0 (0x1): Yubikey Neo+U2F 00 00
  token label        : PIV_II (PIV Card Holder pin)
  token manufacturer : piv_II
  token model        : PKCS#15 emulated
  token flags        : rng, login required, PIN initialized, token initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 00000000

$  pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so -M

Using slot 1 with a present token (0x1)
Supported mechanisms:
  SHA-1, digest
  SHA256, digest
  SHA384, digest
  SHA512, digest
  MD5, digest
  RIPEMD160, digest
  GOSTR3411, digest
  ECDSA, keySize={256,384}, hw, sign, other flags=0x1800000
  ECDSA-SHA1, keySize={256,384}, hw, sign, other flags=0x1800000
  ECDH1-COFACTOR-DERIVE, keySize={256,384}, hw, derive, other flags=0x1800000
  ECDH1-DERIVE, keySize={256,384}, hw, derive, other flags=0x1800000
  RSA-X-509, keySize={1024,3072}, hw, decrypt, sign, verify
  RSA-PKCS, keySize={1024,3072}, hw, decrypt, sign, verify
  SHA1-RSA-PKCS, keySize={1024,3072}, sign, verify
  SHA256-RSA-PKCS, keySize={1024,3072}, sign, verify
  MD5-RSA-PKCS, keySize={1024,3072}, sign, verify
  RIPEMD160-RSA-PKCS, keySize={1024,3072}, sign, verify

$ pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so -t -l -p MYPIN

Using slot 1 with a present token (0x1)
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only RSA signatures)
  testing key 0 (PIV AUTH key)
  all 4 signature functions seem to work
  testing signature mechanisms:
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
    SHA256-RSA-PKCS: OK
Verify (currently only for RSA):
  testing key 0 (PIV AUTH key)
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
Unwrap: not implemented
Decryption (RSA)
  testing key 0 (PIV AUTH key)
    RSA-X-509: OK
    RSA-PKCS: OK
No errors


Note that if you try to use functionality like sign/decrypt directly from pkcs11-tool, you'll need to specify exact mechanism (cipher), for some reason ECDSA signing breaks, but RSA works:

Code:
$ pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so -m RSA-X-509 -s -l -p MYPIN <<< "Stuff to sign"

Using slot 1 with a present token (0x1)
Using signature algorithm RSA-X-509
....binary stuff...


Top
 Profile  
Reply with quote  
PostPosted: Wed Dec 02, 2015 11:20 pm 
Offline

Joined: Tue Nov 24, 2015 8:46 pm
Posts: 4
I got this..(on OSX)

Quote:
→ pkcs11-tool --module $OPENSC_LIBS/opensc-pkcs11.so -T
Available slots:
Slot 0 (0x1): Yubico Yubikey 4 OTP+U2F+CCID
token label : PIV_II (PIV Card Holder pin)
token manufacturer : piv_II
token model : PKCS#15 emulated
token flags : rng, login required, PIN initialized, token initialized
hardware version : 0.0
firmware version : 0.0
serial num : 00000000000000


Quote:
→ pkcs11-tool --module $OPENSC_LIBS/opensc-pkcs11.so -M
Using slot 1 with a present token (0x1)
Supported mechanisms:
SHA-1, digest
SHA256, digest
SHA384, digest
SHA512, digest
MD5, digest
RIPEMD160, digest
GOSTR3411, digest
ECDSA, keySize={256,384}, hw, sign, other flags=0x1800000
ECDH1-COFACTOR-DERIVE, keySize={256,384}, hw, derive, other flags=0x1800000
ECDH1-DERIVE, keySize={256,384}, hw, derive, other flags=0x1800000
RSA-X-509, keySize={1024,3072}, hw, decrypt, sign, verify
RSA-PKCS, keySize={1024,3072}, hw, decrypt, sign, verify
SHA1-RSA-PKCS, keySize={1024,3072}, sign, verify
SHA256-RSA-PKCS, keySize={1024,3072}, sign, verify
SHA384-RSA-PKCS, keySize={1024,3072}, sign, verify
SHA512-RSA-PKCS, keySize={1024,3072}, sign, verify
MD5-RSA-PKCS, keySize={1024,3072}, sign, verify
RIPEMD160-RSA-PKCS, keySize={1024,3072}, sign, verify


Quote:
→ pkcs11-tool --module $OPENSC_LIBS/opensc-pkcs11.so -t -l -p MY_PIN
Using slot 1 with a present token (0x1)
C_SeedRandom() and C_GenerateRandom():
seeding (C_SeedRandom) not supported
seems to be OK
Digests:
all 4 digest functions seem to work
MD5: OK
SHA-1: OK
RIPEMD160: OK
Signatures (currently only RSA signatures)
testing key 0 (PIV AUTH key)
all 4 signature functions seem to work
testing signature mechanisms:
RSA-X-509: OK
RSA-PKCS: OK
SHA1-RSA-PKCS: OK
MD5-RSA-PKCS: OK
RIPEMD160-RSA-PKCS: OK
SHA256-RSA-PKCS: OK
Verify (currently only for RSA):
testing key 0 (PIV AUTH key)
RSA-X-509: ERR: C_Verify() returned CKR_GENERAL_ERROR (0x5)
Unwrap: not implemented
Decryption (RSA)
testing key 0 (PIV AUTH key)
RSA-X-509: OK
RSA-PKCS: OK
1 errors


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 4 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 4 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group