Yubico Forum

Hi,

I'm new to Yubikey and this area in general. In the past, I've used digital keys to authenticate remote SSH connections.

Have read about some nice setups where the private key is kept on the yubikey, so that adds another layer of security.

I've bought both a NEO and a Yubikey 4 for testing. It looks like they both have PGP functionality and PIV functionality. My intent is to use the Yubikey as a hardware based authentication for remote access to several servers I manage. (And possibly for my laptop as well.)

From my limited reading, it seems like both PGP and PIV use a series of public/private keypairs for things like authentication, encryption, and signing. In fact, they look almost identical. For practical usage, is there any real difference?

Can someone point me to a good resource to understand the difference. Or, can someone explain it here?

Thanks!

PIV uses X.509 format certs & PGP uses PGP formated certs. As far as basics I believe they are pretty similar cryptographically with public & private keys. x.509 is based around a chain of trust from trusted CA's & is the backbone of cryptography for the Internet.

PGP is centered around a web of trust. Certs are signed by various peers, hopefully by somebody you know & trust.

Generally I'd recomend going with x.509 stuff as it will be more compatible with more stuff.

If you're intent is to use it , meaning SSH, you would rather use the PGP card side, which is what is compatible with gpg-agent etc. and works quite easily (and there are multiple guides online).

I just saw it is possible to do the same with PIV, but it is not so straightforward (https://blog.josefsson.org/2015/06/16/s ... bikey-neo/ and https://developers.yubico.com/yubico-pi ... KCS11.html).

I'd expect the PIV card to be used with your browser, for example, for x509 certificate-based authentication to some websites. Or to manage sub-CAs: https://developers.yubico.com/yubico-pi ... ority.html , in general everything that involves CAs (usually not the case for SSH).

Also, when setting these things up, remember the PIV and PGP facilities are separate, that means, different PIN, PUK and admin passphrases are independent.

For secure email using Android, you have to use PGP because:

• The only way to communicate with the NEO token from the Android device is NFC.
• The only email application I know on Android that works with hardware tokens (and NFC) is K-9 Mail.
• K-9 Mail supports only PGP, and "outsources" access to the token to OpenKeychain application.
• OpenKeychain app works fine with NEO, but only with its OpenPGP applet. It cannot talk to the PIV applet.

If you use your token (Yubikey NEO or Yubikey 4) on a computer that has USB (rather than a mobile device that only offers NFC), you can use either PGP or PIV - and most email clients would be happier with PIV out of box (giving you S/MIME capabilities).

Very helpful. Thank You