Yubico Forum


All times are UTC + 1 hour




 Post subject: Windows PIV logon
PostPosted: Tue Oct 31, 2017 6:00 pm 
Offline

Joined: Tue Oct 31, 2017 5:51 pm
Posts: 2
Hello,

I have a few questions about the security of a PIV enabled Yubikey.

Since I can see and export the certificate stored on a Yubikey, what happens if someone exports the cert and imports it onto a different Yubikey or other smartcard device?

Thanks



 Post subject: Re: Windows PIV logon
PostPosted: Tue Oct 31, 2017 7:36 pm 
Offline

Joined: Tue Feb 02, 2016 9:23 pm
Posts: 58
the cert alone won't help.

the cert is essentially just the public key along with some extra data, which the computer uses to trust this key.

on authentication the smartcard shows its certificate which tells the computer that this is a valid cert for that specific user (or not) and when it is a valid cert, the user gets prompted to enter their PIN, and that for one specific reason:

A signature upon a challenge with the private key for that public key.

trying to remove a bit of digital speech of this, the computer gives the yubi a document which says "yes I want to sign in this user." (and some extra stuff).
and the key will now sign this document.

when the signed document comes back to the computer it will check that the document hasn't been altered and the signature fits the public key from that certificate.

if everything is okay (the certificate fits the user, the computer trusts whoever signed that certificate, the signature of the challenge is okay and so on) AND ONLY THEN, the user will be signed in.

--------------------------------

so to shorten this:

no, the certificate alone won't be enough.

you need the private key itself (which you certainly cannot get out of the yubi, so if you have a backup keep it safe; if the key was made on the Yubi itself, the key cannot be extracted from anywhere (BUT: there are weak key generators in some keys))

or the ability to sign anything with the private key, which requires your PIN. and with at least 4 digits on older and 6 digits on newer keys and only 3 tries before the thing locks down, an attacker won't be able to do anything quickly.


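The challenge-response flow the reply above describes, as an added example in Go (not Yubico's code and not the real PIV command set): a constructed token model whose private key never leaves it and which signs only after the correct PIN, the exportable self-signed certificate, and the computer-side check of user name and challenge signature. Names such as Token, VerifyLogon and the PIN and user values are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Token models the smartcard side (constructed model, not YubiKey firmware):
// the private key never leaves it, signing needs the PIN, 3 wrong PINs lock it.
type Token struct{ priv *ecdsa.PrivateKey; pin string; retries int }

func NewToken(pin string) *Token {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Token{priv: priv, pin: pin, retries: 3}
}

// Certificate is the exportable part: a self-signed DER cert that binds the
// user name to the public key (a real deployment uses a CA-issued cert).
func (t *Token) Certificate(user string) []byte {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: user},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &t.priv.PublicKey, t.priv)
	return der
}

// Sign answers the computer's challenge with the on-card private key.
func (t *Token) Sign(pin string, challenge []byte) ([]byte, error) {
	if t.retries == 0 { return nil, errors.New("token locked") }
	if pin != t.pin { t.retries--; return nil, errors.New("wrong PIN") }
	t.retries = 3
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, t.priv, h[:])
}

// VerifyLogon is the computer side: the cert must name the user and the
// challenge signature must verify under the public key inside that cert.
func VerifyLogon(certDER []byte, user string, challenge, sig []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil { return err }
	if cert.Subject.CommonName != user { return errors.New("certificate is not for this user") }
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(challenge)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) { return errors.New("signature does not match the certificate's key") }
	return nil
}
```

A copy of the certificate loaded onto a second card with its own key pair fails VerifyLogon, because only the original card's private key can produce a signature that fits the public key in that certificate.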
 Post subject: Re: Windows PIV logon
PostPosted: Tue Oct 31, 2017 10:30 pm 
Offline

Joined: Tue Oct 31, 2017 5:51 pm
Posts: 2
Very nice reply, that helps a lot.

I am still learning about PKI.

Thank you very much.


 Post subject: Re: Windows PIV logon
PostPosted: Wed Nov 01, 2017 12:15 am 
Offline

Joined: Tue Feb 02, 2016 9:23 pm
Posts: 58
No problem, nice to be able to help.

