From: Douglas E E. <dee...@gm...> - 2016-05-29 02:38:44
<html> <head> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <br> <br> <div class="moz-cite-prefix">On 5/28/2016 3:16 PM, Jean-Pierre Münch wrote:<br> </div> <blockquote cite="mid:fed...@mu..." type="cite"> <meta http-equiv="content-type" content="text/html; charset=utf-8"> <p>Hello everyone,</p> <p>I've searched the internet for quite some time now and couldn't find a satisfying / understandable answer, so I figured I could ask here.</p> <p>I've read that the Yubikey 4 and the Yubikey Neo have a "PIV" application which is supported via OpenSC, so I really would like to have answers to the following (simple) questions:</p> <ul> <li>What is the authoritative document / website that documents the procedure that enables the PIV application on the Yubikeys?</li> </ul> </blockquote> <br> Getting the NEO to use the PIV application would be listed on the yubico.com web site.<br> Note that the Yubikey was designed to do many different applications. Accessed by USB or NFC. <br> <br> <a class="moz-txt-link-freetext" href="https://developers.yubico.com/yubico-piv-tool/YubiKey_PIV_introduction.html">https://developers.yubico.com/yubico-piv-tool/YubiKey_PIV_introduction.html</a><br> <a class="moz-txt-link-freetext" href="https://developers.yubico.com/PIV/Tools/YubiKey_PIV_Manager.html">https://developers.yubico.com/PIV/Tools/YubiKey_PIV_Manager.html</a><br> <a class="moz-txt-link-freetext" href="https://www.yubico.com/why-yubico/for-individuals/computer-login/yubikey-neo-and-piv/">https://www.yubico.com/why-yubico/for-individuals/computer-login/yubikey-neo-and-piv/</a><br> <br> <br> The PIV application on the NEO is designed to implement the NIST 800-73 standards.<br> Google for NIST 800-73. <br> For PKCS#11 access, really the 800-73-3 part 1 and part 2. <br> <br> The Yubikey PIV Manager or yubico-piv-tool can then be used to generate keys on the NEO, and create certificate requests and to load certificates. 
You need to supply the CA. <br> <br> <a class="moz-txt-link-freetext" href="https://github.com/OpenSC/OpenSC/wiki/US-PIV">https://github.com/OpenSC/OpenSC/wiki/US-PIV</a><br> <a class="moz-txt-link-freetext" href="https://github.com/OpenSC/OpenSC/wiki/PivTool">https://github.com/OpenSC/OpenSC/wiki/PivTool</a><br> <br> The OpenSC piv-tool is a more basic tool that can do most of the above once you know the 3DES or AES key for the card. NIST did not standardize the functions needed by a Card Management system, so every vendor's card is different. The user interface for using a card with certs and keys already installed is standardized.<br> <br> <blockquote cite="mid:fed...@mu..." type="cite"> <ul> <li>Once the PIV application is enabled, is it possible to use the Yubikey as a normal PKCS#11 smart card, if not what operations (if any) are exposed via PKCS#11? (e.g. use the PKCS#11 library for signing and decrypting stuff on-card with RSA / ECDH / ECDSA)</li> </ul> </blockquote> <br> Yes, you can do all of these. NIST defines 4 certs/keys for the card. One for authentication, one for digital signature, RSA or ECDH, one for decryption/encryption (if EC can do key derivation ECDH) and a 4th cert/key that does not require a PIN, for the card to authenticate itself. Usable for door locks for example, and can be used over NFC. <br> <br> <blockquote cite="mid:fed...@mu..." type="cite"> <ul> <li>Assuming you can use the Yubikey as an ordinary PKCS#11 smart card, does it support PKCS#11 (-tool) / PKCS#15 (-tool) / custom tool based key-import?<br> </li> </ul> </blockquote> <br> As I said, the NIST standards left card management up to the vendors. So generating keys, writing certificates and other objects are not supported by the OpenSC pkcs11-tool or pkcs15-tool. You need to use piv-tool or yubico-piv-tool. You also need to know the 3DES or AES key of the card to do any of the card management functions. The yubico-piv-tool can reset a NEO and load a new 3DES or AES key. 
<br> i.e. Yubikey was designed for an end user to initialize a card with their own keys and certs. <br> <br> P.S.<br> Once you get at least the authentication cert/key and a CHUID on the card, you can use the card with Windows without any other software. Windows comes with a PIV driver. The yubico-piv-tool can create a CHUID (which has a GUID.)<br> <br> <blockquote cite="mid:fed...@mu..." type="cite"> <p>I really hope you can help me with these three questions.</p> <p>Best Regards</p> <p>JPM<br> </p> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> <pre wrap="">_______________________________________________ Opensc-devel mailing list <a class="moz-txt-link-abbreviated" href="mailto:Ope...@li...">Ope...@li...</a> <a class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/opensc-devel">https://lists.sourceforge.net/lists/listinfo/opensc-devel</a> </pre> </blockquote> <br> <pre class="moz-signature" cols="200">-- Douglas E. Engert <a class="moz-txt-link-rfc2396E" href="mailto:DEE...@gm..."><DEE...@gm...></a> </pre> </body> </html>
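The reply above notes that once a CHUID (which carries a GUID) is on the card, Windows' built-in PIV driver can use it. The following is an added example, not code from the mail, from OpenSC or from yubico-piv-tool: it builds a CHUID data object in the simple BER-TLV layout of NIST SP 800-73 (FASC-N, GUID, expiration date, empty issuer signature, LRC, wrapped in the 0x53 data-object tag used by GET DATA / PUT DATA), parses one back, and checks that the GUID is present and not all zeros. The FASC-N bytes and the GUID used here are constructed sample values, and the "usable GUID" rule is this example's own sanity check, not a documented Windows requirement.

```python
"""Encode and parse a PIV Card Holder Unique Identifier (CHUID).

Added example (not the project's own code). Layout follows the CHUID
element table in NIST SP 800-73: single-byte tags with BER lengths,
wrapped in the 0x53 data-object tag when read from or written to a card.
"""
import os

# CHUID element tags (NIST SP 800-73)
TAG_FASC_N = 0x30       # Federal Agency Smart Credential Number, 25 bytes
TAG_GUID = 0x34         # 16-byte Global Unique Identifier
TAG_EXPIRATION = 0x35   # 8 ASCII bytes, YYYYMMDD
TAG_SIGNATURE = 0x3E    # issuer asymmetric signature (CMS), may be empty
TAG_LRC = 0xFE          # error detection code, always zero length
TAG_DATA_OBJECT = 0x53  # outer wrapper used by PIV GET DATA / PUT DATA

# Constructed placeholder FASC-N (not a real credential number).
SAMPLE_FASC_N = bytes([0xD4, 0xE7, 0x39, 0xDA] + [0x00] * 21)


def encode_length(n):
    """BER length: short form below 0x80, else 0x81 / 0x82 long forms."""
    if n < 0x80:
        return bytes([n])
    if n < 0x100:
        return bytes([0x81, n])
    if n < 0x10000:
        return bytes([0x82, n >> 8, n & 0xFF])
    raise ValueError("length too large for this encoder")


def tlv(tag, value):
    return bytes([tag]) + encode_length(len(value)) + value


def parse_tlvs(data):
    """Return [(tag, value), ...] for a run of single-byte-tag BER-TLVs."""
    items, i = [], 0
    while i < len(data):
        tag = data[i]
        i += 1
        if i >= len(data):
            raise ValueError("truncated length")
        first = data[i]
        i += 1
        if first < 0x80:
            length = first
        else:
            n = first & 0x7F
            if n == 0 or n > 2 or i + n > len(data):
                raise ValueError("unsupported or truncated length")
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError("truncated value")
        items.append((tag, data[i:i + length]))
        i += length
    return items


def build_chuid(guid=None, expiration="20300101", fasc_n=SAMPLE_FASC_N):
    """Build a CHUID data object; a random GUID is used when none is given."""
    if guid is None:
        guid = os.urandom(16)
    if len(guid) != 16 or len(fasc_n) != 25 or len(expiration) != 8:
        raise ValueError("bad element size")
    body = (tlv(TAG_FASC_N, fasc_n)
            + tlv(TAG_GUID, guid)
            + tlv(TAG_EXPIRATION, expiration.encode("ascii"))
            + tlv(TAG_SIGNATURE, b"")
            + tlv(TAG_LRC, b""))
    return tlv(TAG_DATA_OBJECT, body)


def parse_chuid(obj):
    """Parse a CHUID (with or without the 0x53 wrapper) into a dict."""
    if obj and obj[0] == TAG_DATA_OBJECT:
        outer = parse_tlvs(obj)
        if len(outer) != 1:
            raise ValueError("expected a single 0x53 data object")
        obj = outer[0][1]
    fields = dict(parse_tlvs(obj))
    for required in (TAG_FASC_N, TAG_GUID, TAG_EXPIRATION):
        if required not in fields:
            raise ValueError("CHUID missing tag 0x%02X" % required)
    return {
        "fascn": fields[TAG_FASC_N],
        "guid": fields[TAG_GUID],
        "expiration": fields[TAG_EXPIRATION].decode("ascii"),
        "signature": fields.get(TAG_SIGNATURE, b""),
    }


def chuid_has_usable_guid(info):
    """Example sanity check: a GUID must be 16 bytes and not all zeros."""
    guid = info["guid"]
    return len(guid) == 16 and any(guid)


if __name__ == "__main__":
    chuid = build_chuid()
    print(chuid.hex())
    print(parse_chuid(chuid), chuid_has_usable_guid(parse_chuid(chuid)))
```

The parser handles long-form lengths as well, so the same `parse_tlvs` walk applies to larger PIV objects such as certificate data objects, where the 0x53 wrapper length exceeds 127 bytes.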