PIV: FIPS 140-2 with YubiKey 5 FIPS Series

The YubiKey 5 FIPS Series provides a PIV-compatible smart card application. PIV, or FIPS 201, is a US government standard that enables RSA or ECC sign/encrypt operations using a private key stored on a smart card through common interfaces like PKCS#11. On Windows, the smart card functionality can be extended with the YubiKey Smart Card Minidriver. The YubiKey Smart Card Minidriver is not available for Android, Linux, macOS or iOS.

Keys in the YubiKey 5 FIPS Series support extended APDUs, extended Answer To Reset (ATR), and Answer To Select (ATS). Using the PIV APDUs on iOS requires the Yubico iOS SDK.

For YubiKey 5 FIPS Series, some exceptions apply:

  • Do not use non-NIST-approved curves
  • Do not use the following keys:
      • RSA 1,024-bit
      • 3,072-bit keys.

This applies to Attestation as well.

  • PIN policy = none cannot be used. Select either once or always.

Default Values

  • PIN: 123456
  • PUK: 12345678
  • Management Key (3DES): 010203040506070801020304050607080102030405060708

Supported Algorithms

The YubiKey 5 FIPS Series supports the following algorithms on the PIV smart card application.

  • RSA 1024
  • RSA 2048
  • ECC P-256
  • ECC P-384

Policies

PIN Policy

To specify how often the PIN needs to be entered for access to the credential in a given slot, set a PIN policy for that slot. This policy must be set upon key generation or import; it cannot be changed later.

Touch Policy

In addition to requiring the PIN, the YubiKey can require a physical touch on the metal contact. Similar to the PIN policy, the touch policy must be set upon key generation or import.

Slot Information

The keys and certificates for the smart card application are stored in slots, which are described below. The PIN policies described below are the defaults, before they are overridden with a custom PIN policy. These slots are separate from the programmable slots in the OTP application.

Slot 9a: PIV Authentication

This certificate and its associated private key are used to authenticate the card and the cardholder. This slot is used for system login, etc. To perform any private key operations, the end user PIN is required. Once the correct PIN has been provided, multiple private key operations may be performed without additional cardholder consent.

Slot 9c: Digital Signature

This certificate and its associated private key are used for digital signatures for the purpose of document, email, file, and executable signing. To perform any private key operations, the end user PIN is required. The PIN must be submitted immediately before each sign operation to ensure cardholder participation for every digital signature generated.

Slot 9d: Key Management

This certificate and its associated private key are used for encryption to assure confidentiality. This slot is used for encrypting emails or files. The end user PIN is required to perform any private key operations. Once the correct PIN has been provided, multiple private key operations may be performed without additional cardholder consent.

Slot 9e: Card Authentication

This certificate and its associated private key are used to support additional physical access applications, such as providing physical access to buildings via PIV-enabled door locks. The end user PIN is NOT required to perform private key operations for this slot.

Slots 82-95: Retired Key Management

These slots are meant for previously used key management keys to be able to decrypt earlier encrypted documents or emails.

Slot f9: Attestation

This slot is used only for attestation of other keys generated on device with instruction f9. This slot is not cleared on reset, but can be overwritten.

Attestation

Attestation enables you to verify that a key on the smart card application was generated on the YubiKey rather than being imported. An X.509 certificate for the key to be attested is created if the key has been generated on the YubiKey. Included in the certificate are the following extensions that provide information about the YubiKey.

Firmware

1.3.6.1.4.1.41482.3.3: Firmware version, encoded as three bytes. For example, 050100 indicates firmware version 5.1.0.

Serial Number

  • 1.3.6.1.4.1.41482.3.7: Serial number of the YubiKey, encoded as an integer.
  • 1.3.6.1.4.1.41482.3.8: Two bytes, the first encoding the PIN policy and the second encoding the touch policy.

PIN Policy

  • 01 - never require PIN
  • 02 - require PIN once per session
  • 03 - always require PIN.

Touch Policy

  • 01 - never require touch
  • 02 - always require touch
  • 03 - cache touch for 15 seconds.

Form Factor

1.3.6.1.4.1.41482.3.9: YubiKey’s form factor, encoded as a one-byte octet-string.

  • USB-A Keychain: 0x01
  • USB-A Nano: 0x02
  • USB-C Keychain: 0x03
  • USB-C Nano: 0x04
  • USB-C and Lightning®: 0x05
  • Undefined: 0x00
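The extension encodings listed above can be decoded and checked against the FIPS Series PIN policy restriction as follows. This is an added example, not Yubico code; it assumes the extension values have already been extracted from the attestation certificate by an X.509 parser, that the firmware, policy and form factor values are the raw bytes described above, and that the serial number is a DER INTEGER. All function names and the sample values are constructed for illustration.

```python
# Added example: decode YubiKey PIV attestation extension values.
# Input (assumption): {OID: extension value bytes} taken from the
# attestation certificate by an X.509 parser of your choice.
OID = "1.3.6.1.4.1.41482.3."
PIN_POLICY = {1: "never", 2: "once", 3: "always"}
TOUCH_POLICY = {1: "never", 2: "always", 3: "cached"}
FORM_FACTOR = {0: "Undefined", 1: "USB-A Keychain", 2: "USB-A Nano",
               3: "USB-C Keychain", 4: "USB-C Nano", 5: "USB-C and Lightning"}


def der_integer(data: bytes) -> int:
    """Decode a short-form DER INTEGER (assumed encoding of the serial)."""
    if len(data) < 3 or data[0] != 0x02 or data[1] != len(data) - 2:
        raise ValueError("serial is not a well-formed DER INTEGER")
    return int.from_bytes(data[2:], "big", signed=True)


def decode_attestation(ext: dict) -> dict:
    """Turn the raw extension bytes into readable fields, rejecting bad lengths."""
    fw, policy, ff = ext[OID + "3"], ext[OID + "8"], ext[OID + "9"]
    if len(fw) != 3 or len(policy) != 2 or len(ff) != 1:
        raise ValueError("unexpected extension length")
    if policy[0] not in PIN_POLICY or policy[1] not in TOUCH_POLICY:
        raise ValueError("unknown policy byte")
    return {
        "firmware": ".".join(str(b) for b in fw),   # 050100 -> 5.1.0
        "serial": der_integer(ext[OID + "7"]),
        "pin_policy": PIN_POLICY[policy[0]],        # first byte
        "touch_policy": TOUCH_POLICY[policy[1]],    # second byte
        "form_factor": FORM_FACTOR.get(ff[0], "unknown"),
    }


def fips_findings(info: dict) -> list:
    """Flag the setting this page excludes for the FIPS Series."""
    findings = []
    if info["pin_policy"] == "never":
        findings.append("PIN policy 'never' cannot be used; select once or always")
    return findings


# Constructed sample values, not taken from a real device.
SAMPLE = {
    OID + "3": bytes.fromhex("050100"),
    OID + "7": bytes.fromhex("020400bc614e"),  # DER INTEGER 12345678
    OID + "8": bytes.fromhex("0202"),          # PIN once, touch always
    OID + "9": bytes.fromhex("03"),            # USB-C Keychain
}

if __name__ == "__main__":
    info = decode_attestation(SAMPLE)
    print(info, fips_findings(info))
```

The decoded values are only meaningful after the attestation certificate chain has been validated up to the PIV attestation root CA.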

New in YubiKey 5 FIPS Series

ATR and ATS

The ATR has been changed from “Yubikey 4” to “YubiKey” and adds support for ATS.

PIV Attestation Root CA

Keys in the YubiKey 5 FIPS Series have a PIV attestation root certificate authority different from the one previous YubiKeys had. You can download the certificate of the new root certificate authority on the PIV attestation page.

PIV/Smart Card Deployment

The YubiKey 5 FIPS Series PIV application implements a PIV-compatible standard as defined in the NIST SP 800-73-4 publication. Access to functions on the YubiKey 5 FIPS Series PIV application is restricted by the management key, the PIN and the PUK.

The management key is used for:

  • Importing or generating asymmetric key pairs
  • Importing X.509 certificates and associated information
  • Setting the retry counters for PIN (also requires PIN) and PUK

The PIN is used to:

  • Perform cryptographic operations using private keys
  • Change the PIN

The PUK is used to:

  • Unblock and set a new PIN for a blocked PIN
  • Change the PUK

The YubiKey 5 FIPS Series PIV application has the default values:

  • Management Key (010203040506070801020304050607080102030405060708)
  • PIN (123456)
  • PUK (12345678)

FIPS 140-2 Level 2: Placing the PIV Application in FIPS-approved Mode

To place the YubiKey 5 FIPS Series PIV application in the FIPS-approved mode of operation, change the default management key, PIN and PUK.

YubiKey 5 FIPS Series devices should be deployed using a credential management tool like Microsoft ADCS with YubiKey minidriver or a third party tool. The credential management tool will replace the default values by automatically setting a random value for the management key and PUK, allowing the end user to define the PIN.

If the YubiKey 5 FIPS Series PIV application is not being managed with a credential management tool, the management key, PIN and PUK must be changed by the crypto officer. To do so, the YubiKey Manager (ykman) can be used.

The ykman commands are given below.

Changing the Management Key

ykman piv access change-management-key -m010203040506070801020304050607080102030405060708 -a<algorithm> -n<management key>

where <management key> is the new management key and <algorithm> is the key type [Triple-DES, AES-128, AES-192 or AES-256].

Changing the PIN

ykman piv access change-pin -P123456 -n<PIN>

where <PIN> is the new PIN.

Changing the PUK

ykman piv access change-puk -p12345678 -n<PUK>

where <PUK> is the new PUK.