Deploying YubiKey FIPS (4 Series) in FIPS-Approved Mode
When using a YubiKey FIPS (4 Series) device as an authenticator in a FIPS environment, all of the sub-modules must be in a FIPS-approved mode of operation for the YubiKey FIPS (4 Series) device as a whole to be considered as operating in a FIPS-approved mode. By default, not all of the sub-modules on the YubiKey FIPS (4 Series) device are in a FIPS mode of operation. The Crypto Officer deploying the YubiKey FIPS (4 Series) device in a secured environment must define and supervise an initialization and delivery process which ensures that each sub-module on the YubiKey FIPS (4 Series) device is in a FIPS-approved mode of operation before being deployed to the user.
The sub-modules on the YubiKey FIPS (4 Series) device must be configured in a FIPS-approved mode; this can be done using the YubiKey Manager Command Line Interface (CLI) available in the downloads for Windows and macOS at https://www.yubico.com/products/services-software/download/yubikey-manager/.
The PIV and OpenPGP sub-modules have their respective credentials set to default values, and as such are already in a FIPS-approved mode. The OTP, OATH and U2F sub-modules must all have their respective credentials set to be in a FIPS mode. The YubiKey Manager can verify the YubiKey FIPS (4 Series) device is in a FIPS-approved mode of operation with the command:
ykman info
However, it is highly recommended that all of the credentials across all of the sub-modules are changed from the default values before the YubiKey FIPS (4 Series) device is deployed to the end user.
Sub-module | Credential | Allowed Values | Credential owner |
---|---|---|---|
One Time Password (OTP) | Access Code: OTP Slot 1 | 6 byte access codes | Crypto Officer |
One Time Password (OTP) | Access Code: OTP Slot 2 | 6 byte access codes | Crypto Officer |
OATH | Authentication Key | 14-64 byte HMAC SHA1/SHA256 key | Crypto Officer |
PIV Smart Card | Management Key | 3-key TDES key | Crypto Officer |
PIV Smart Card | PUK | 6-8 byte PIN | Crypto Officer |
PIV Smart Card | PIN | 6-8 byte PIN | Authenticated User |
OpenPGP Smart Card | Admin Password (PW3) | 8 to 127 byte PIN | Crypto Officer |
OpenPGP Smart Card | Reset Code (RC, Optional) | 8 to 127 byte PIN | Crypto Officer |
OpenPGP Smart Card | User Password (PW1) | 6 to 127 byte PIN | Authenticated User |
U2F | PIN | 6 to 32 byte PIN | Crypto Officer |
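A pre-issuance check a Crypto Officer could run over the credentials chosen for one device, covering the allowed values in the table above and the formats given in the sub-module sections (12-character hexadecimal Access Codes, alphanumeric OATH and U2F credentials). This is an added example, not Yubico code; the credential names, RULES, generate_credentials and violations are hypothetical, and drawing alphanumeric characters where the page names no alphabet is an assumption.

```python
import secrets
import string

HEX = "0123456789abcdef"
ALNUM = string.ascii_letters + string.digits

# Hypothetical names -> (min length, max length, alphabet the page requires or None).
RULES = {
    "otp_slot1_access_code": (12, 12, HEX),      # 6 bytes as hexadecimal
    "otp_slot2_access_code": (12, 12, HEX),
    "oath_authentication_key": (14, 64, ALNUM),
    "piv_management_key": (48, 48, HEX),         # 3-key TDES, 24 bytes as hexadecimal
    "piv_puk": (6, 8, None),
    "openpgp_admin_pw3": (8, 127, None),
    "u2f_admin_pin": (6, 32, ALNUM),
}

# Factory defaults listed on the page; a deployed device must not keep them.
DEFAULTS = {
    "piv_management_key": "010203040506070801020304050607080102030405060708",
    "piv_puk": "12345678",
    "openpgp_admin_pw3": "12345678",
}


def generate_credentials():
    """Draw fresh Crypto Officer credentials for one device from the OS CSPRNG."""
    creds = {}
    for name, (min_len, max_len, alphabet) in RULES.items():
        # Assumption: alphanumeric where the page names no alphabet; 32 chars
        # unless the rule itself demands more (the 48-character management key).
        chars, length = alphabet or ALNUM, max(min_len, min(max_len, 32))
        value = DEFAULTS.get(name)
        while value == DEFAULTS.get(name):       # never hand back a factory default
            value = "".join(secrets.choice(chars) for _ in range(length))
        creds[name] = value
    return creds


def violations(creds):
    """Return the reasons a credential set is not ready for deployment."""
    problems = []
    for name, (min_len, max_len, alphabet) in RULES.items():
        value = creds.get(name)
        if not value:
            problems.append(f"{name}: not set")
            continue
        size = len(value.encode())               # the limits are in bytes
        if not min_len <= size <= max_len:
            problems.append(f"{name}: {size} bytes, allowed {min_len}-{max_len}")
        if alphabet and set(value.lower() if alphabet == HEX else value) - set(alphabet):
            problems.append(f"{name}: character outside the allowed set")
        if value.lower() == DEFAULTS.get(name):
            problems.append(f"{name}: factory default")
    return problems
```

An empty list from violations() means every Crypto Officer credential is set, within its allowed length and alphabet, and not a factory default.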
One Time Password (OTP)
The YubiKey FIPS OTP sub-module supports 2 independent OTP configurations, known as OTP slots. The OTP slots can be configured to output an OTP created with the Yubico OTP or OATH-HOTP algorithm, an HMAC-SHA1 hashed response to a provided challenge or a static password. OTP slot 1’s output is triggered via a short touch (1~3 seconds) on the gold contact and OTP slot 2’s output is triggered via a long touch (+3 seconds).
A 6 byte access code can be set on slot 1 and slot 2 independently. Once set, the OTP slot’s access code is required when modifying, overwriting or deleting the configuration on the respective OTP slot. By default, the YubiKey is shipped without any access code.
Placing the OTP Sub-Module in FIPS-Approved Mode
Each OTP slot must be locked down with an Access Code for the YubiKey FIPS OTP sub-module to be in a FIPS-approved mode of operation. By default, no Access Codes are set for either slot.
An Access Code must be applied to each OTP slot, either when writing a new configuration or by updating the configuration in an OTP slot where one is already present. An Access Code cannot be set on an empty OTP slot. To secure an unused OTP slot, a blank OTP configuration with an Access Code must be used.
YubiKey FIPS (4 Series) devices must either be deployed with the OTP slots already set with an Access Code, or with an OTP application or service which configures the Access Code on both slots on enrollment. The OTP slot Access Codes must be archived in a manner which only allows the Crypto Officer access to them, as the Access Codes are used when resetting the OTP sub-module.
The Crypto Officer can set an Access code to the OTP slots using the YubiKey Manager Command Line Interface (CLI) available at: https://www.yubico.com/products/services-software/download/yubikey-manager/
To apply an Access Code to a new configuration using the YubiKey Manager CLI, include the flag --access-code=<access code> in the OTP configuration string. The command must be of the format:
ykman otp --access-code=<access code> [OTP configuration]
Where:
- <access code> is the Access Code to be set. The Access Code must be a hexadecimal string exactly 12 characters in length (6 bytes).
- [OTP configuration] is the configuration being loaded.
For full details on setting an OTP configuration using the YubiKey Manager CLI, see the YubiKey Manager documentation.
To fill a blank OTP configuration with an access code, use the command:
ykman otp --access-code=<access code> \
chalresp <slot> 000000000000000000000000000000
Where:
- <access code> is the Access Code to be set.
- <slot> is either 1 or 2 (without quotes), depending on whether the OTP configuration is being applied to OTP slot 1 or OTP slot 2.
To apply an Access Code to an existing configuration using the YubiKey Manager CLI, use the command:
ykman otp --access-code=<access code> settings <slot>
Where:
- <access code> is the Access Code to be set.
- <slot> is the OTP slot with the existing configuration to be secured.
Verifying the OTP Sub-Module is in FIPS-Approved Mode
To verify the YubiKey FIPS OTP sub-module has access codes set for both OTP slots and is in a FIPS-approved mode, use the command:
ykman otp info
Recommended OTP Settings
The YubiKey FIPS OTP sub-module will satisfy the security recommendation if the sub-module is operating in the FIPS-approved mode.
Resetting the OTP Sub-Module
To reset the YubiKey FIPS OTP sub-module, both OTP Slot 1 and OTP Slot 2 must independently have their loaded configuration and encryption keys deleted. This process cannot be reversed and the OTP configurations or secrets cannot be recovered or restored. Resetting the OTP slots will remove the access code as part of the configurations for either OTP slot. To delete the configuration in an OTP slot, use the command:
ykman otp --access-code=<access code> delete <slot>
Where:
- <slot> is the slot being deleted.
- <access code> is the access code for that slot. The Access Code must be provided to delete a slot, so it should be recorded and accessible to the Crypto Officer.
This command must be run for both slots to reset the YubiKey FIPS OTP sub-module.
User Entered Data
The YubiKey FIPS OTP sub-module will only accept user data in specific formats and lengths, dependent on the OTP configuration. The user supplied data is used to generate the OTPs supplied by the sub-module.
YubiOTP
The YubiOTP configuration will accept data in the following formats and lengths:
- Public ID - 1-16 byte modhex string, default 6 bytes (12 characters)
- Private ID - 6 byte hexadecimal string
- AES key - 16 byte hexadecimal string
The generated OTP codes contain the characters of the Public ID as entered, followed by a 32 character string generated as a hash of the Private ID with counter, time stamp and randomly generated data, encrypted with the provided AES key.
OATH-HOTP
The OATH-HOTP configuration will accept data in the following formats and lengths:
- Token Identifier - Optional 6 byte string composed of either modhex or numeric characters (12 characters).
- Moving factor seed - 8 byte decimal value
- Secret key - 20 byte hexadecimal string
The generated OTP codes contain the characters of the Token Identifier as entered if included, followed by a 6 or 8 digit numeric string generated as a truncated hash of the Secret key with the counter.
Challenge-Response
The Challenge-Response configuration will accept data in the following formats and lengths:
- Secret key - 20 byte hexadecimal string
The generated responses consist of a 40 character hexadecimal string generated as an HMAC-SHA1 hash of the supplied challenge and the Secret key.
Static Password
The Static Password configuration will accept data in the following formats and lengths:
- Password - A string of up to 38 characters as defined by the keyboard scan code ID.
The generated Static Password codes contain the characters as programmed, provided that the host system is using the same keyboard layout as the system the password was programmed on.
OATH
The YubiKey FIPS OATH sub-module supports up to 32 OATH credentials, either OATH-HOTP or OATH-TOTP, as defined in the OATH Specification. The Yubico Authenticator is used to add or remove credentials, retrieve generated codes and optionally set an authentication key in the YubiKey FIPS OATH sub-module.
- A 14 - 64 byte Authentication key can be set on the OATH sub-module. Once set, the Authentication Key is required when adding, deleting and generating OATH credentials.
Placing the OATH Sub-Module in FIPS-Approved Mode
Access to the YubiKey FIPS OATH sub-module must be protected with an Authentication Key for the sub-module to be in a FIPS-approved mode of operation. By default, no Authentication Key is set.
The Crypto Officer can set the Authentication Key using the YubiKey Manager Command Line Interface (CLI) available at https://www.yubico.com/products/services-software/download/yubikey-manager/.
To set an Authentication Key using the YubiKey Manager CLI, use the command:
ykman oath set-password -n <Authentication Key>
Where <Authentication Key> is the Authentication Key to be set. The Authentication Key must be an alphanumeric string between 14 and 64 characters in length.
Verifying the OATH Sub-Module is in FIPS-Approved Mode
Use the YubiKey Manager CLI to verify the YubiKey FIPS OATH sub-module is protected with an Authentication Key and in a FIPS-Approved mode. This can be done with the command:
ykman oath info
Recommended OATH Settings
The YubiKey FIPS OATH sub-module will satisfy the security recommendation if the sub-module is operating in the FIPS-approved mode.
Resetting the OATH Sub-Module
The YubiKey FIPS OATH sub-module can be reset using the YubiKey Manager CLI. To reset the YubiKey FIPS OATH sub-module, use the command:
ykman oath reset
Resetting the YubiKey FIPS OATH sub-module will remove all loaded OATH credentials, after which they cannot be recovered or restored, as well as the Authentication Key.
User Entered Data
The YubiKey FIPS OATH sub-module will only accept user data in specific formats and lengths, dependent on the OTP configuration. The user supplied data is used to generate the OATH OTPs supplied by the sub-module, as well as identify each loaded credential.
The OATH configuration will accept data in the following formats and lengths:
- Name - 64 byte character string composed of alphanumeric characters.
- Secret key - 20 byte base32 string
The Name can be displayed, along with a 6 or 8 digit numeric string generated as a truncated hash of the Secret key with the timestamp or counter, depending on the algorithm used.
PIV Smart Card
The YubiKey FIPS PIV sub-module implements a PIV compatible standard as defined in the NIST SP 800-73-4 publication. Access to functions on the YubiKey FIPS PIV sub-module is restricted by the Management Key, the PIN and the PUK.
The Management key is used for:
- Importing or generating asymmetric key pairs
- Importing x.509 certificates and associated information
- Setting the retry counters for PIN (also requires PIN) and PUK
The PIN is used to:
- Perform cryptographic operations using private keys
- Change the PIN
The PUK is used to:
- Unblock and set a new PIN for a blocked PIN
- Change the PUK
The YubiKey FIPS PIV sub-module has the default values:
- Management Key (010203040506070801020304050607080102030405060708)
- PIN (123456)
- PUK (12345678)
Placing the PIV Sub-Module in FIPS-Approved Mode
By default, the YubiKey FIPS PIV sub-module is in the FIPS-Approved mode of operation. To change the default Management Key, PIN and PUK, follow the guidance in section 2.3.4 (Recommended PIV Settings) below to secure the sub-module.
Verifying the PIV Sub-Module is in FIPS-Approved Mode
The YubiKey FIPS PIV sub-module is always in a FIPS-Approved Mode as the Management Key, PIN and PUK are never undefined.
Recommended PIV Settings
YubiKey FIPS (4 Series) devices should be deployed using a credential management tool like Microsoft ADCS with YubiKey mini-driver or 3rd party. The credential management tool will replace the default values by automatically setting a random value for the management key and PUK, and allow the end user to define the PIN.
If the YubiKey FIPS PIV sub-module is not being managed with a credential management tool, the Management Key, PIN and PUK must be changed by the Crypto Officer. To do so, the YubiKey Manager Command Line Interface (CLI) available at https://www.yubico.com/products/services-software/download/yubikey-manager/ can be used.
To change the Management Key, use the command:
ykman piv change-management-key \
-m010203040506070801020304050607080102030405060708 \
-n<management key>
Where <management key> is the new management key.
To change the PIN, use the command:
ykman piv change-pin -P123456 -n<PIN>
Where <PIN> is the new PIN.
To change the PUK, use the command:
ykman piv change-puk -p12345678 -n<PUK>
Where <PUK> is the new PUK.
Resetting the PIV Sub-Module
The YubiKey FIPS PIV sub-module can only be reset if both the PIN and the PUK are blocked due to failed authentication attempts exceeding their retry counters. Once the PIN and PUK are blocked, the YubiKey FIPS PIV sub-module can be reset using the YubiKey Manager CLI with the command:
ykman piv reset
Once reset, all data within the YubiKey FIPS PIV sub-module (keys, certificates and information in other data objects) will be removed and cannot be recovered. The only exception is the attestation certificate, which will persist. Resetting the YubiKey FIPS PIV sub-module will restore the Management Key, PIN and PUK to the default values.
User Entered Data
The YubiKey FIPS PIV sub-module can be configured to hold up to 12 user uploaded x509 certificates in DER format with a maximum size of 3052 bytes each, along with associated user Data Objects. It also has 15260 bytes available for storing Certificate Chain Certificates (root and intermediate certificates).
The YubiKey FIPS PIV sub-module will accept data in the formats defined by NIST in Special Publication 800-73-4.
OpenPGP Smart Card
The YubiKey FIPS OpenPGP sub-module implements the OpenPGP card 2.0 specification. The functions on the OpenPGP sub-module are secured with User Password (PW1), Admin Password (PW3) and optionally the Reset Code (RC).
The Admin Password (PW3) is used for:
- Importing or generating asymmetric key pairs
- Reading from or writing to admin data objects
- Unblocking the User Password (PW1)
- Setting the Reset Code (RC)
- Setting the retry counters for PW1 and PW3
The User Password (PW1) is used for:
- Performing cryptographic operations using private keys
- Reading from or writing to user data objects
The Reset Code (RC) is used for:
- Unblocking the User Password (PW1)
The YubiKey FIPS OpenPGP sub-module has default values:
- User Password (PW1) (123456)
- Admin Password (PW3) (12345678)
- The Reset Code (RC) is optional and does not have a default value.
Placing the OpenPGP Sub-Module in FIPS-Approved Mode
By default, the YubiKey FIPS OpenPGP sub-module is in the FIPS-Approved mode of operation. To change the default User Password, Admin Password or set a Reset Code, follow the recommended OpenPGP settings to secure the sub-module.
Verifying the OpenPGP Sub-Module is in FIPS-Approved Mode
The YubiKey FIPS OpenPGP sub-module is always in a FIPS-Approved Mode as the Admin Password and User Password are never undefined.
Recommended OpenPGP Settings
YubiKey FIPS (4 Series) devices should be deployed using an OpenPGP application, such as GPG4Win, on Windows for OpenPGP card management.
The User Password (PW1) and Admin Password (PW3) must be changed from the default values. For more details on the process to change the User Password (PW1) and Admin Password (PW3) or to set a Reset Code (RC), refer to the GnuPG man pages.
Resetting the OpenPGP Sub-Module
The YubiKey FIPS OpenPGP sub-module can be reset at any time. The YubiKey FIPS OpenPGP sub-module can be reset using the YubiKey Manager CLI with the command:
ykman openpgp reset
Once reset, all data within the YubiKey FIPS OpenPGP sub-module (keys and information in data objects) will be removed and cannot be recovered. Resetting the YubiKey FIPS OpenPGP sub-module will restore the Admin Password and User Password to the default values, and will remove the Reset Code if set previously.
User Entered Data
The YubiKey FIPS OpenPGP sub-module can be configured to hold a single OpenPGP RSA key with 3 subkeys, imported by the user. The user supplied data is used to provide associated information about the stored PGP key.
The OpenPGP configuration will accept data in the following formats and lengths:
- Key - One RSA key, up to 4096 bits (limited to 2048 on the FIPS series devices), also including the following data objects:
- Authentication key - One RSA sub-key, up to 4096 bits (limited to 2048 on the FIPS series devices)
- Encryption key - One RSA sub-key, up to 4096 bits (limited to 2048 on the FIPS series devices)
- Signing key - One RSA sub-key, up to 4096 bits (limited to 2048 on the FIPS series devices)
The listed data objects can be displayed when accessing the OpenPGP Applet, and are included in the OpenPGP public key when generated and exported.
U2F
The YubiKey FIPS U2F sub-module supports the FIDO U2F standard as defined by the FIDO Alliance U2F Specification. In addition to the functionality detailed by the FIDO U2F specification, the YubiKey FIPS U2F sub-module allows setting an Admin PIN.
Note
When set, the Admin PIN is required to register the U2F sub-module to new FIDO U2F services or accounts. Authentication to those services afterwards does not require the Admin PIN to be supplied.
Placing the U2F Sub-Module in FIPS-Approved Mode
For the YubiKey FIPS U2F sub-module to be in a FIPS-approved mode of operation, an Admin PIN must be set. By default, no Admin PIN is set. Further, if the YubiKey FIPS U2F sub-module has been reset, it cannot be set into a FIPS-approved mode of operation, even with the Admin PIN set.
To set or change the Admin PIN, the YubiKey Manager Command Line Interface (CLI) must be used. To set an Admin PIN using the YubiKey Manager CLI, use the command:
ykman fido set-pin --u2f -n <Admin PIN>
Where <Admin PIN> is the Admin PIN to be set. The Admin PIN must be an alphanumeric string between 6 and 32 characters long.
To register a FIPS YubiKey locked with an Admin PIN, the YubiKey must first be unlocked on the host computer where the U2F registration will occur. Once unlocked, the FIPS YubiKey will allow U2F registrations until power-cycled, at which point the Admin PIN must be provided again. To unlock the U2F registration function, use the YubiKey Manager CLI with the command:
ykman fido unlock -P <Admin PIN>
Verifying the U2F Sub-Module is in FIPS-Approved Mode
Use the YubiKey Manager CLI to verify the YubiKey FIPS U2F sub-module is in a FIPS-Approved mode. This can be done with the command:
ykman fido info
If the Admin PIN is set and the YubiKey FIPS U2F sub-module has not been reset previously, then the command will indicate the U2F sub-module is in the FIPS-approved mode.
Recommended U2F Settings
The YubiKey FIPS U2F sub-module will satisfy the security recommendation if the sub-module is operating in the FIPS-approved mode.
Warning
The FIDO U2F Standard does not support the user entering a U2F Admin PIN at registration currently.
Resetting the U2F Sub-Module
The YubiKey FIPS U2F sub-module can be reset using the YubiKey Manager CLI. To reset the YubiKey FIPS U2F sub-module, use the command:
ykman fido reset
Resetting the YubiKey FIPS U2F sub-module will regenerate the U2F key wrapping key, thus disabling all the U2F credentials associated with the device. The device cannot be used to authenticate to previously registered U2F services or accounts. During the reset process, the U2F attestation certificate will be overwritten with a hard-coded, self-signed attestation certificate.
Warning
Resetting the YubiKey FIPS U2F sub-module will prevent the sub-module from being set to the approved FIPS mode of operation afterwards. This in turn will prevent the YubiKey FIPS (4 Series) device from being set into the FIPS-approved mode overall, and it can no longer be deployed as a FIPS authenticator. Further, some U2F sites or services may not support the replacement self-signed attestation key due to requiring an attestation certificate with a verified chain to a trusted root. For U2F sites or services where this is a requirement, the reset YubiKey FIPS U2F sub-module will not be able to register or authenticate to them.
User Entered Data
The YubiKey FIPS U2F sub-module does not accept any user data which can be extracted. All keys and associated data are generated internally and only exposed to the associated service being authenticated.
U2F Attestation
The YubiKey FIPS U2F sub-module contains an attestation certificate as part of the U2F specifications. The U2F Attestation certificate for FIPS series devices with firmware 4.4.5 and above includes an Object Identifier (OID) indicating that the hardware has been FIPS 140-2 certified. The OID value for FIPS Series YubiKeys will be 1.3.6.1.4.1.41482.12. This OID may be used during U2F registration to confirm the YubiKey being registered is a valid FIPS device by having the relying party include an attestation signature as part of the registration, then checking for this string.
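One way a relying party could implement the OID check described above, as an added example rather than Yubico or FIDO code: it parses the DER attestation certificate and compares the decoded extension OIDs exactly. The helper names and the skeleton sample certificate are constructed for illustration, and the check is only meaningful once the attestation signature and certificate chain have been verified.

```python
FIPS_OID = "1.3.6.1.4.1.41482.12"          # value given on the page

def read_tlv(buf, pos=0):
    """Parse one DER element; return (tag, value, offset of the next element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split the contents of a constructed element into (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        items.append((tag, value))
    return items

def decode_oid(value):
    arcs, n = [], 0
    for byte in value:                     # base-128, high bit marks continuation
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(n)
            n = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def extension_oids(cert_der):
    """List the extension OIDs of an X.509 certificate given as DER bytes."""
    _, cert, _ = read_tlv(cert_der)
    _, tbs = children(cert)[0]
    for tag, value in children(tbs):
        if tag == 0xA3:                    # [3] EXPLICIT Extensions
            _, ext_list = children(value)[0]
            return [decode_oid(children(ext)[0][1]) for _, ext in children(ext_list)]
    return []

def has_fips_oid(cert_der):
    # Exact match on the decoded OID: a substring search over the certificate
    # would also accept longer OIDs that merely begin with the same digits.
    return FIPS_OID in extension_oids(cert_der)

# --- Constructed sample input: a skeleton certificate, not a real attestation cert ---
def tlv(tag, body):
    assert len(body) < 0x80                # short-form lengths suffice for the sample
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = b""
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += bytes(chunk)
    return out

def sample_cert(ext_oids):
    exts = b"".join(tlv(0x30, tlv(0x06, encode_oid(o)) + tlv(0x04, b"")) for o in ext_oids)
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, exts))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```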