Introduction

Scope

The aim of this document is to describe how to configure and use the YubiKey 5 so that it operates in a mode compliant with CSPN (“Certificat de Sécurité de Premier Niveau” [RD1]).

For each YubiKey application that requires specific configuration, there is a short introduction, followed by the settings required to reach the compliant configuration, and finally a technical description of the configuration itself.

References

Code Document title Reference
[RD1] Certification de sécurité de premier niveau des technologies de l’information https://www.ssi.gouv.fr/administration/produits-certifies/cspn/
[RD2] Certification Report BSI-DSZ-CC-0879-V4-2020 https://www.bsi.bund.de/SharedDocs/Zertifikate_CC/CC/SmartCards_IC_Cryptolib/0879_0879V2_0879V3_0879V4.html
[RD3] FIDO2: WebAuthn & CTAP https://fidoalliance.org/fido2/
[RD4] NIST Special Publication 800-73 (PIV) https://csrc.nist.gov/publications/detail/sp/800-73/4/final
[RD5] RFC 4226, An HMAC-Based One-Time Password Algorithm https://tools.ietf.org/html/rfc4226
[RD6] T/Key: Second-Factor Authentication From Secure Hash Chains https://arxiv.org/pdf/1708.08424.pdf
[RD7] Universal 2nd Factor (U2F) Overview https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-overview-v1.2-ps-20170411.html
[RD8] W3C WebAuthn standard https://www.w3.org/TR/webauthn-2/
[RD9] YubiKey CSPN security target https://www.ssi.gouv.fr/uploads/2021/09/anssi-cible-cspn-2021_18en.pdf

Acronyms

Acronym Description
2FA Two-Factor Authentication
AES Advanced Encryption Standard
BSI Bundesamt für Sicherheit in der Informationstechnik
CC Common Criteria
CCID Chip Card Interface Device
CSPN Certificat de Sécurité de Premier Niveau
CTAP2 Client to Authenticator Protocol v2
DES Data Encryption Standard
FIDO Fast Identity Online
HMAC Hash-Based Message Authentication Code
HOTP HMAC-Based One Time Password
NIST National Institute of Standards and Technology
OATH Open AuTHentication
OTP One Time Password
PIV Personal Identity Verification
PBKDF2 Password-Based Key Derivation Function 2
PIN Personal Identification Number
PUK PIN Unblocking Key
SHA Secure Hash Algorithm
TOTP Time-Based One Time Password
U2F Universal Second Factor
RFC Request For Comments
W3C World Wide Web Consortium
