7. PIV

7.1. Feature summary

The PIV application [RD4] can be used to authenticate, sign and decrypt. The user may, for example, use the YubiKey 5 PIV application for Windows smart card logon.

The PIV application allows for generating or importing asymmetric key-pairs (RSA or ECC) and for storing multiple X.509 certificates. In total, 24 certificate slots are available:

  • Slot 9a: PIV Authentication
  • Slot 9c: Digital Signature
  • Slot 9d: Key Management
  • Slot 9e: Card Authentication
  • Slots 82-95 (hexadecimal): Retired Key Management
  • Slot f9: Attestation

User verification under PIV is achieved with a PIN, while a management key (a Triple-DES or AES key) is used for the various administrative functions. The PIN must be set to a value between 6 and 8 bytes, and the maximum number of retries must be set in the range of 1 to 255, with a default value of 3.

To specify how often the PIN needs to be entered in order to access the credentials in a given slot, a PIN policy should be set for that slot. This policy must be set upon key generation or when a key is imported, and cannot be changed at a later time.

In addition to requiring the PIN, the YubiKey 5 may also be configured to require physical contact of the touch sensor. Similar to the PIN policy, the touch policy must be set upon key generation or import.

7.2. CSPN Approved mode

To operate the YubiKey’s PIV application in CSPN approved mode, the PIN code, PUK code and management key must be set for the PIV application. It is imperative that the default values of these codes are also changed by the user before using the PIV application.

More details for such a configuration are described in the section below.

7.3. Technical configuration

7.3.1. YubiKey Manager for PIN configuration of PIV

The YubiKey Manager may be used for setting the PIN, PUK and management key on the YubiKey. In this scenario, a YubiKey 5 with default settings is assumed.


Figure 15 - Configuring the PIN, PUK and management key for PIV

7.3.2. Changing the PIN code

The PIN is used during normal operation to authorize an action such as creating a digital signature with any of the stored keys. Entering an incorrect PIN more times than the retry counter allows will block the PIN, rendering the PIV features unusable. The PIN must be at least 6 characters and can contain any symbol, although for cross-platform portability it is recommended to only use decimal digits. A PIN is limited to 8 bytes, which allows for up to 8 ASCII characters. By default the PIN code is set to “123456”.

The PIN code is changed by pressing the “Change PIN” button in the “Configure PINs” dialog box. The resulting popup, which appears in YubiKey Manager, is pictured below.


Figure 16 - Changing the PIN code for PIV

The current (default) PIN must be changed to a new PIN with a length of 6-8 digits. The user must enter the current PIN, nominate a new PIN, confirm it, and then press the “Change PIN” button.

The default PIN code mentioned above is pre-configured for slots 9a, 9c and 9d. For slot 9e, the PIN policy needs to be set to enforced with the YubiKey Manager command line tool (ykman) when generating or importing the key-pair on the YubiKey 5. An example of how to set the PIN policy with the command line tool's --pin-policy parameter is shown below:

ykman piv generate-key --pin-policy always 9e -

7.3.3. Changing the PUK code

The PUK can be used to reset the PIN if it is ever forgotten, lost or becomes blocked after the maximum number of incorrect attempts by the user. By default the PUK is set to “12345678”.

The PUK is changed by pressing the “Change PUK” button in the “Configure PINs” dialog box. The resulting popup, which appears in YubiKey Manager, is pictured below.


Figure 17 - Changing the PUK code for PIV

The current (default) PUK must be changed to a new PUK with a length of 6-8 digits. The user must enter the current PUK, the new PUK, confirm it, and then press the “Change PUK” button.

7.3.4. Changing the management key

All PIV management operations of the YubiKey require a 24-byte 3DES or AES key, known as the management key. By default the management key is set to “010203040506070801020304050607080102030405060708”. The user should explicitly set a new 24-byte key (the YubiKey PIV Manager can also generate one).

The management key is changed by pressing the “Change Management Key” button in the “Configure PINs” dialog box. The resulting popup, which appears in YubiKey Manager, is pictured below.


Figure 18 - Changing the management key for PIV

The current (default) management key must be changed to a new management key with a length of 48 hexadecimal digits. The user must enter the current management key, the new management key, and press the “Change management key” button.
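The three procedures in sections 7.3.2 to 7.3.4, plus the slot 9e key generation from section 7.3.2, can be scripted for the command line. The script below is an added example; it is not part of the Yubico documentation and not code from ykman. It checks candidate values against the limits the text states (6 to 8 bytes for PIN and PUK, measured in bytes rather than characters; 48 hexadecimal digits for the management key; none of the factory defaults still in use) and only then prints the ykman commands that would apply them. The `ykman piv generate-key --pin-policy always 9e -` form comes from this page; the `change-pin`, `change-puk` and `change-management-key` subcommands, their option names, and the `--management-key`/`--touch-policy` options on `generate-key` are assumed from ykman 3.x and should be checked against `ykman piv --help` for the version in use.

```shell
#!/usr/bin/env sh
# Added example, not from the Yubico documentation or from ykman itself.
# Validates PIV PIN, PUK and management key values against the limits stated
# in section 7, then prints the ykman commands that would apply them.
# Subcommand and option names are assumed from ykman 3.x (check `ykman piv --help`).

DEFAULT_PIN=123456
DEFAULT_PUK=12345678
DEFAULT_MGMT=010203040506070801020304050607080102030405060708

# Byte length, not character length: the YubiKey limit is 8 bytes, so a
# multi-byte UTF-8 symbol consumes more than one of them.
byte_len() {
  printf '%s' "$1" | wc -c | tr -d ' '
}

# PIN and PUK share the same length rule: 6 to 8 bytes.
valid_secret_len() {
  n=$(byte_len "$1")
  [ "$n" -ge 6 ] && [ "$n" -le 8 ]
}

# Portability check recommended by the document: decimal digits only.
digits_only() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# A usable PIN/PUK has a valid length and is not the factory default.
valid_pin() {
  valid_secret_len "$1" && [ "$1" != "$DEFAULT_PIN" ]
}

valid_puk() {
  valid_secret_len "$1" && [ "$1" != "$DEFAULT_PUK" ]
}

# Management key: exactly 48 hexadecimal digits (24 bytes), not the default.
valid_mgmt_key() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{48}$' \
    && [ "$(printf '%s' "$1" | tr 'A-F' 'a-f')" != "$DEFAULT_MGMT" ]
}

# Fresh 24-byte management key from the kernel RNG, as 48 lowercase hex digits.
new_mgmt_key() {
  head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Print the ykman commands for a CSPN-style setup: replace all three default
# secrets, then generate the slot 9e key with PIN and touch policies enforced.
# Secrets are passed on the command line here for readability; interactively,
# omit the values so ykman prompts and they do not land in shell history.
plan_commands() {
  pin="$1"; puk="$2"; mgmt="$3"
  valid_pin "$pin" || { echo "PIN rejected: need 6-8 bytes, not the default" >&2; return 1; }
  valid_puk "$puk" || { echo "PUK rejected: need 6-8 bytes, not the default" >&2; return 1; }
  valid_mgmt_key "$mgmt" || { echo "management key rejected: need 48 hex digits, not the default" >&2; return 1; }
  digits_only "$pin" || echo "note: a non-digit PIN may not work on every platform" >&2
  cat <<EOF
ykman piv change-pin --pin $DEFAULT_PIN --new-pin $pin
ykman piv change-puk --puk $DEFAULT_PUK --new-puk $puk
ykman piv change-management-key --management-key $DEFAULT_MGMT --new-management-key $mgmt
ykman piv generate-key --management-key $mgmt --pin-policy always --touch-policy always 9e -
EOF
}

# Usage (constructed sample values): plan_commands 482913 73920184 "$(new_mgmt_key)"
```

Running `plan_commands` with the default PIN, a 5-byte PIN or a 47-digit management key returns non-zero before any command is printed, so the script never emits a configuration that would leave the key in a non-approved state. The commands themselves are only printed; piping them to `sh` or copying them into a session is a deliberate extra step.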
