Yubico Forum https://forum.yubico.com/
[Not Resolved] Yubikey 4 - hardware changes? https://forum.yubico.com/viewtopic.php?f=4&t=2094
Author: brendanhoar [ Tue Nov 17, 2015 3:12 am ]
Post subject: [Not Resolved] Yubikey 4 - hardware changes?
I saw the announcement of the Yubikey 4 and Yubikey 4 nano products earlier today:
https://www.yubico.com/2015/11/4th-gen-yubikey-4/
https://www.yubico.com/2015/11/yubico-docker-codesign/
https://www.yubico.com/products/yubikey ... /yubikey4/

1. Out of curiosity, what were the hardware changes made between the NEO/NEO-n and the 4/4-n that allowed for RSA 4096-bit keys and internal PKCS#11 signatures? And clarification: is the PKCS#11 support for docker only available in the 4/4-n models?

2. Also, is the lack of NFC capability on the Yubikey 4 due to having to source hardware from sources other than NXP? If not, what is the reason?

Thanks.
Author: crawler [ Wed Nov 18, 2015 1:44 am ]
Post subject: Re: Yubikey 4 - hardware changes?
My guess is that YK4 uses a completely different chip vendor. NEO is based on the NXP A700x chip, which according to the specifications only supports RSA keys up to 2048 bits. I am sure NFC will return once NXP upgrades their chips to allow for larger RSA keys. Note: I am not a Yubico representative, so I could very well be wrong.
Author: hiviah [ Wed Dec 02, 2015 9:33 pm ]
Post subject: Re: Yubikey 4 - hardware changes?
I'd also be interested in what the new chip inside the Yubikey 4 is.

Regarding the PKCS#11: PKCS#11 is only the C interface; there is no "internal PKCS#11" signature generation. Maybe you mean the PIV applet that is compatible with PKCS#11.

Here is some info from pkcs11-tool from OpenSC using the latest Yubikey Neo (with initialized PIV applet); I'd guess it will be similar in Yubikey 4, just with RSA-4096. Strangely it claims RSA-3072 support, but there's apparently a bug in the PIV applet, I guess. Someone may try this with Yubikey 4 and post a comparison (I unfortunately ordered a second Neo just a few days before Yubikey 4 was announced).

With the latest Yubikey Neo you'll get:

Code:
$ pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so -T
Available slots:
Slot 0 (0x1): Yubikey Neo+U2F 00 00
  token label        : PIV_II (PIV Card Holder pin)
  token manufacturer : piv_II
  token model        : PKCS#15 emulated
  token flags        : rng, login required, PIN initialized, token initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 00000000

$ pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so -M
Using slot 1 with a present token (0x1)
Supported mechanisms:
  SHA-1, digest
  SHA256, digest
  SHA384, digest
  SHA512, digest
  MD5, digest
  RIPEMD160, digest
  GOSTR3411, digest
  ECDSA, keySize={256,384}, hw, sign, other flags=0x1800000
  ECDSA-SHA1, keySize={256,384}, hw, sign, other flags=0x1800000
  ECDH1-COFACTOR-DERIVE, keySize={256,384}, hw, derive, other flags=0x1800000
  ECDH1-DERIVE, keySize={256,384}, hw, derive, other flags=0x1800000
  RSA-X-509, keySize={1024,3072}, hw, decrypt, sign, verify
  RSA-PKCS, keySize={1024,3072}, hw, decrypt, sign, verify
  SHA1-RSA-PKCS, keySize={1024,3072}, sign, verify
  SHA256-RSA-PKCS, keySize={1024,3072}, sign, verify
  MD5-RSA-PKCS, keySize={1024,3072}, sign, verify
  RIPEMD160-RSA-PKCS, keySize={1024,3072}, sign, verify

$ pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so -t -l -p MYPIN
Using slot 1 with a present token (0x1)
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only RSA signatures)
  testing key 0 (PIV AUTH key)
  all 4 signature functions seem to work
  testing signature mechanisms:
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
    SHA256-RSA-PKCS: OK
Verify (currently only for RSA):
  testing key 0 (PIV AUTH key)
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
Unwrap: not implemented
Decryption (RSA)
  testing key 0 (PIV AUTH key)
    RSA-X-509: OK
    RSA-PKCS: OK
No errors

Note that if you try to use functionality like sign/decrypt directly from pkcs11-tool, you'll need to specify the exact mechanism (cipher); for some reason ECDSA signing breaks, but RSA works:

Code:
$ pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so -m RSA-X-509 -s -l -p MYPIN <<< "Stuff to sign"
Using slot 1 with a present token (0x1)
Using signature algorithm RSA-X-509
....binary stuff...
Author: Jasper [ Wed Dec 02, 2015 11:20 pm ]
Post subject: Re: [Not Resolved] Yubikey 4 - hardware changes?
I got this (on OSX):

Quote:
→ pkcs11-tool --module $OPENSC_LIBS/opensc-pkcs11.so -T
Available slots:
Slot 0 (0x1): Yubico Yubikey 4 OTP+U2F+CCID
  token label        : PIV_II (PIV Card Holder pin)
  token manufacturer : piv_II
  token model        : PKCS#15 emulated
  token flags        : rng, login required, PIN initialized, token initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 00000000000000

Quote:
→ pkcs11-tool --module $OPENSC_LIBS/opensc-pkcs11.so -M
Using slot 1 with a present token (0x1)
Supported mechanisms:
  SHA-1, digest
  SHA256, digest
  SHA384, digest
  SHA512, digest
  MD5, digest
  RIPEMD160, digest
  GOSTR3411, digest
  ECDSA, keySize={256,384}, hw, sign, other flags=0x1800000
  ECDH1-COFACTOR-DERIVE, keySize={256,384}, hw, derive, other flags=0x1800000
  ECDH1-DERIVE, keySize={256,384}, hw, derive, other flags=0x1800000
  RSA-X-509, keySize={1024,3072}, hw, decrypt, sign, verify
  RSA-PKCS, keySize={1024,3072}, hw, decrypt, sign, verify
  SHA1-RSA-PKCS, keySize={1024,3072}, sign, verify
  SHA256-RSA-PKCS, keySize={1024,3072}, sign, verify
  SHA384-RSA-PKCS, keySize={1024,3072}, sign, verify
  SHA512-RSA-PKCS, keySize={1024,3072}, sign, verify
  MD5-RSA-PKCS, keySize={1024,3072}, sign, verify
  RIPEMD160-RSA-PKCS, keySize={1024,3072}, sign, verify

Quote:
→ pkcs11-tool --module $OPENSC_LIBS/opensc-pkcs11.so -t -l -p MY_PIN
Using slot 1 with a present token (0x1)
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only RSA signatures)
  testing key 0 (PIV AUTH key)
  all 4 signature functions seem to work
  testing signature mechanisms:
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
    SHA256-RSA-PKCS: OK
Verify (currently only for RSA):
  testing key 0 (PIV AUTH key)
    RSA-X-509: ERR: C_Verify() returned CKR_GENERAL_ERROR (0x5)
Unwrap: not implemented
Decryption (RSA)
  testing key 0 (PIV AUTH key)
    RSA-X-509: OK
    RSA-PKCS: OK
1 errors
All times are UTC + 1 hour