Yubico Forum

All times are UTC + 1 hour
Author Message
PostPosted: Mon Jan 04, 2016 4:36 am 
Preface: on YubiKey NEO it works like a charm:
Code:
gpg-connect-agent --hex "scd apdu 00 20 00 83 08 31 32 33 34 35 36 37 38" "scd apdu 00 f2 00 00 03 0a 0a 0a" /bye
D[0000]  90 00                                              ..
OK
D[0000]  90 00                                              ..
OK


On YubiKey 4 I'm getting a different result:
Code:
gpg-connect-agent --hex "scd apdu 00 20 00 83 08 31 32 33 34 35 36 37 38" "scd apdu 00 f2 00 00 03 0a 0a 0a" /bye
D[0000]  90 00                                              ..
OK
D[0000]  6D 00                                              m.
OK
$ gpg --card-status
Application ID ...: D2760001240102010006041398550000
Version ..........: 2.1
......
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0


Does it mean that the command to set retry counters on YubiKey 4 is not f2? What is it then?

Help would be appreciated!
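As an added example (not code from the post above, from Yubico or from GnuPG), the following script builds the two APDUs the post sends through `gpg-connect-agent --hex "scd apdu ..."`, decodes the status words that come back (90 00 versus 6D 00), and splits the Application ID shown by `gpg --card-status` into its fields. VERIFY (INS 0x20) is the ISO 7816-4 command the OpenPGP card spec uses; SET PIN RETRIES (INS 0xF2) is a Yubico vendor instruction that is not in the OpenPGP spec, and the order of its three data bytes (PW1, reset code, PW3) is an assumption made from the `0a 0a 0a` payload in the post. The two transcripts are the ones quoted in the post; the manufacturer table is reduced to the single entry needed here.

```python
"""Build the OpenPGP-card APDUs from the thread, decode the replies and the AID.

Added example, not the post's own code. INS 0xF2 is Yubico's vendor
extension; its PW1 / reset-code / PW3 byte order is assumed from the post.
"""
import re

CLA = 0x00
INS_VERIFY = 0x20            # ISO 7816-4 VERIFY (in the OpenPGP spec)
INS_SET_PIN_RETRIES = 0xF2   # Yubico vendor instruction (NEO applet)
P2_PW1_SIGN = 0x81           # user PIN for signing
P2_PW1_OTHER = 0x82          # user PIN for decrypt/auth
P2_PW3_ADMIN = 0x83          # admin PIN, the one the post verifies


def verify_apdu(pin: str, p2: int = P2_PW3_ADMIN) -> bytes:
    """VERIFY: CLA INS P1 P2 Lc <PIN as ASCII>. 127 is the max length gpg reports."""
    data = pin.encode("ascii")
    if not 1 <= len(data) <= 127:
        raise ValueError("PIN length must be 1..127 bytes")
    return bytes([CLA, INS_VERIFY, 0x00, p2, len(data)]) + data


def set_pin_retries_apdu(pw1: int, reset_code: int, pw3: int) -> bytes:
    """Yubico SET PIN RETRIES; byte order PW1, reset code, PW3 is assumed."""
    counts = (pw1, reset_code, pw3)
    if any(not 1 <= n <= 255 for n in counts):
        raise ValueError("retry counts must be 1..255")
    return bytes([CLA, INS_SET_PIN_RETRIES, 0x00, 0x00, len(counts), *counts])


def scd_apdu_command(apdu: bytes) -> str:
    """Render an APDU as the 'scd apdu ...' string gpg-connect-agent expects."""
    return "scd apdu " + " ".join(f"{b:02x}" for b in apdu)


STATUS_WORDS = {
    0x9000: "OK",
    0x6D00: "instruction code not supported",
    0x6982: "security status not satisfied",
    0x6983: "authentication method blocked (PIN locked)",
    0x6E00: "class not supported",
}


def describe_sw(sw: int) -> str:
    """Meaning of SW1 SW2; 63 Cx carries the remaining PIN tries in x."""
    if sw & 0xFFF0 == 0x63C0:
        return f"wrong PIN, {sw & 0x0F} tries left"
    return STATUS_WORDS.get(sw, f"unknown status 0x{sw:04X}")


_DUMP_LINE = re.compile(r"^D\[[0-9A-Fa-f]{4}\]\s+(.*)$")


def parse_hex_dump(output: str) -> list:
    """Response bytes of each D[....] line; the trailing ASCII column is dropped."""
    responses = []
    for line in output.splitlines():
        m = _DUMP_LINE.match(line)
        if not m:
            continue                       # "OK", "ERR ..." and blank lines
        hex_field = re.split(r"\s{2,}", m.group(1).strip())[0]
        if not re.fullmatch(r"(?:[0-9A-Fa-f]{2} ?)+", hex_field):
            raise ValueError(f"unparseable dump line: {line!r}")
        responses.append(bytes.fromhex(hex_field))
    return responses


def explain_session(output: str) -> list:
    """Status-word description for every response in a gpg-connect-agent transcript."""
    out = []
    for r in parse_hex_dump(output):
        if len(r) < 2:
            raise ValueError("response shorter than SW1 SW2")
        out.append(describe_sw(int.from_bytes(r[-2:], "big")))
    return out


MANUFACTURERS = {0x0006: "Yubico"}   # only the entry needed for the post's AID


def parse_openpgp_aid(aid_hex: str) -> dict:
    """16-byte OpenPGP AID: RID(5) app(1) version(2) manufacturer(2) serial(4) RFU(2)."""
    aid = bytes.fromhex(aid_hex)
    if len(aid) != 16 or aid[:6] != bytes.fromhex("D27600012401"):
        raise ValueError("not an OpenPGP card AID")
    manufacturer_id = int.from_bytes(aid[8:10], "big")
    return {"version": f"{aid[6]}.{aid[7]}",
            "manufacturer_id": manufacturer_id,
            "manufacturer": MANUFACTURERS.get(manufacturer_id, "unknown"),
            "serial": aid[10:14].hex().upper()}


# Transcripts quoted in the post (NEO accepts 0xF2, YubiKey 4 rejects it).
NEO_OUTPUT = "D[0000]  90 00                                              ..\nOK\n" \
             "D[0000]  90 00                                              ..\nOK\n"
YK4_OUTPUT = "D[0000]  90 00                                              ..\nOK\n" \
             "D[0000]  6D 00                                              m.\nOK\n"

if __name__ == "__main__":
    cmds = [scd_apdu_command(verify_apdu("12345678")),      # default admin PIN from the post
            scd_apdu_command(set_pin_retries_apdu(10, 10, 10))]
    print("gpg-connect-agent --hex " + " ".join(f'"{c}"' for c in cmds) + " /bye")
    for name, transcript in (("NEO", NEO_OUTPUT), ("YubiKey 4", YK4_OUTPUT)):
        print(name, explain_session(transcript))
    print(parse_openpgp_aid("D2760001240102010006041398550000"))
```

Two things worth keeping in mind when replaying this against a real key: the VERIFY of the admin PIN (P2 = 83) must succeed before the retry-count instruction is accepted, and a wrong PIN in that VERIFY burns one of the three admin tries, so check the 63 Cx reply before retrying. The 6D 00 on the YubiKey 4 is returned before any PIN state is touched; it just says the applet has no such instruction.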
PostPosted: Tue Jan 05, 2016 12:17 pm 
Site Admin
That feature is not available on the YubiKey 4

PostPosted: Thu Jan 07, 2016 4:12 am 
Tom2 wrote:
That feature is not available on the YubiKey 4


Wha...? Are you saying that on YubiKey 4 the PIN retries are hard-coded to "three times"?!
PostPosted: Fri Jan 08, 2016 4:39 pm 
Site Admin
That's by specification.

OpenPGP

http://g10code.com/docs/openpgp-card-3.0.pdf

PostPosted: Fri Jan 08, 2016 8:32 pm 
Tom2 wrote:
That's by specification.
OpenPGP
http://g10code.com/docs/openpgp-card-3.0.pdf


Thank you for the reference. I notice that none of the OpenPGP specs (v1.0, 2.0, 3.0) actually includes setting the retry counter to a specific value. They only say that at reset it should return to the default.

However I find it very convenient and user-friendly that NEO extends this and allows me to set it to (say) 5 instead of 3, because (a) this is the policy where I employ it, and (b) it is perfectly convenient for me. So I'm very much disappointed that Yubico decided to get "strict" with Yubikey 4. There doesn't seem to be a reason (nor a need) for it.

Update
It is understandable why the standard may want to preclude users from being able to change the retry counter. Preventing the organizations that own and deploy such devices from setting whatever policy on the number of retries they see fit seems very wrong, and I've yet to see a standard explicitly demanding this.

PostPosted: Wed Jan 20, 2016 3:52 am 
I agree with Uriel. With the Admin PIN, it should be possible to modify this value. 3 is just too risky for a password of over 30 characters.

Also, is there anything to prevent malware from coming along and locking the PINs?

It would be really nice if there was a way for the counter to reset with every power-off. This is the way encrypted WD My Passport drives work, and seems like it would make a brute-force attack pretty much impossible.

PostPosted: Wed Jan 20, 2016 2:16 pm 
Site Admin
We hear you guys, and we thought about bringing back this feature for YK4. However, since this feature might be included in the future spec of OpenPGP, we may decide to wait and implement this in conformance with the standard.

In short, we are currently waiting and observing developments, which will decide how we bring this back.

PostPosted: Wed Jan 20, 2016 4:50 pm 
Thanks Tom.

I've decided instead of generating my authentication key on the Yubikey to generate it off-key so I can create a backup just in case.

I'll keep an eye out to see how the new spec, or your implementation, will handle locked keys.
