.. hsm2-device-specs.rst

.. _hsm2-device-specs-label:

================================
YubiHSM 2 Device Specifications
================================

Cryptographic Interfaces
==========================

* PKCS#11 API version 2.40
* Yubico Key Storage Provider (KSP) to access Microsoft CNG. The KSP is provided as 64-bit and 32-bit DLLs
* Full access to device capabilities through Yubico’s YubiHSM Core Libraries (C, Python)

Advanced Encryption Standard (AES)
===================================

* 128, 192, and 256-bit keys
* Support for Electronic Code Book (ECB), Cipher Block Chaining (CBC) and Counter (CCM) modes

RSA
====

* 2048-, 3072-, and 4096-bit keys (with e=65537)
* Signing using PKCS#1v1.5 and PSS
* Decryption using PKCS#1v1.5 and OAEP

Elliptic Curve Cryptography (ECC)
==================================

* Curves: secp224r1, secp256r1, secp256k1, secp384r1, secp521r1, bp256r1, bp384r1, bp512r1, Ed25519
* Signing: ECDSA (all except Ed25519), EdDSA (Ed25519 only)
* Derivation: ECDH (all except Ed25519)

Hashing Functions
==================

SHA-1, SHA-256, SHA-384, SHA-512

Key Wrap
=========

Import and export using NIST-approved AES-CCM Wrap with 128-, 196-, and 256-bit keys

Random Numbers
===============

On-chip True Random Number Generator (TRNG) used to seed NIST SP 800-90A Rev.1 AES-256 CTR_DRBG

Attestation
============

Asymmetric key pairs generated on-device may be attested using a device-specific Yubico attestation key and certificate, or using your own keys and certificates imported into the HSM.

Performance
============

Performance varies depending on usage. The accompanying Software Development Kit includes performance tools that can be used for additional measurements.

Example metrics from an otherwise unoccupied YubiHSM 2:

* RSA-2048-PKCS1-SHA256: ~139ms
* RSA-3072-PKCS1-SHA384: ~504ms
* RSA-4096-PKCS1-SHA512: ~852ms
* ECDSA-P224-SHA1: ~64ms
* ECDSA-P256-SHA256: ~73ms
* ECDSA-P384-SHA384: ~120ms
* ECDSA-P521-SHA512: ~210ms
* EdDSA-25519-32Bytes: ~105ms
* EdDSA-25519-64Bytes: ~121ms
* EdDSA-25519-128Bytes: ~137ms
* EdDSA-25519-256Bytes: ~168ms
* EdDSA-25519-512Bytes: ~229ms
* EdDSA-25519-1024Bytes: ~353ms
* AES-(128|192|256)-CCM-Wrap: ~10ms
* HMAC-SHA-(1|256): ~4ms
* HMAC-SHA-(384|512): ~243ms

Storage Capacity
=================

* All data stored as objects. 256 object slots, 126KB max total
* Stores up to 127 rsa2048 or 93 rsa3072 or 68 rsa4096 or 255 of any elliptic curve type, assuming only one authentication key is present
* :ref:`hsm2-concepts-objects-label`: Authentication keys (used to establish sessions); Asymmetric private keys; Opaque binary data objects (e.g. x509 certificates); Wrap keys; HMAC keys

Management
===========

* Mutual authentication and secure channel between applications and the YubiHSM 2
* M of N unwrap key restore via YubiHSM Setup Tool

Physical Characteristics
=========================

* Form factor: nano designed for confined spaces such as internal USB ports in servers
* Dimensions: 12mm x 13mm x 3.1mm
* Weight: 1g

Temperatures
==============

* Operational range: 0°C - 40°C (32°F - 104°F)
* Storage range: -20°C - 85°C (-4°F - 185°F)

Host Interface
===============

Universal Serial Bus (USB) 1.x Full Speed (12Mbit/s) Peripheral with bulk interface