.. cspn-specifics.rst .. _cspn-specifics-label: =============================== YubiKey 5 CSPN Series Specifics =============================== .. _cspn5-mode-config-label: CSPN Mode Configuration ======================== The YubiKey 5 Series supports a variety of applications, modes, and operations. Technical descriptions of all of these are available from the `Yubico website `_. Additionally, as described in the YubiKey 5 CSPN security target [RD9], the YubiKey can also be used in a CSPN approved mode of operation. The specific configurations required to achieve a CSPN approved mode are described in the sections below, divided by application. * :ref:`cspn5-OTP-label` * :ref:`cspn5-yub-otp-label` * :ref:`cspn5-chall-resp-label` * :ref:`cspn5-stat-pass-label` * :ref:`cspn5-oath-hotp-label` * :ref:`cspn-5-oath-label` * :ref:`cspn-5-fido-u2f-label` * :ref:`fido-2-label` * :ref:`cspn-5-piv-label` For each section there is a summary of the YubiKey application, how to operate it in a CSPN approved mode, and how the the application can be technically configured. Listing the Applications on the YubiKey 5 ------------------------------------------ To obtain a list of all applications on the YubiKey 5, use ykman's command line `YubiKey Manager `_. To do so, in a command prompt, execute the command ``ykman info``. The output contains general information about the YubiKey 5, such as the current firmware version, but also all of the available applications, both enabled and disabled. The Security Domain application is hidden for the user and therefore not listed by ykman. An example of this command is shown in the screenshot below. .. figure:: graphics/1.png **Figure 1** - Example of listing the applications on a YubiKey 5 Password Strength ------------------- It is highly recommended to adhere to `ANSSI’s guidelines `_ on password strength whenever applicable, particularly with any of the YubiKey 5 applications. Configuration Environment --------------------------- Configuration of the YubiKey, can be performed in two different areas: * If the keys of an application are generated by the secured microcontroller, the YubiKey 5 is considered placed in a public area. * If the keys of an application are loaded into the secured microcontroller, the YubiKey 5 is considered placed in a secure area with restricted access. ---- .. _cspn5-OTP-label: One-Time Password - OTP ========================= The YubiKey 5 Series OTP application supports four protocols: * :ref:`cspn5-yub-otp-label` * :ref:`cspn5-chall-resp-label` * :ref:`cspn5-stat-pass-label` * :ref:`cspn5-oath-hotp-label` The configuration required to achieve CSPN-approved mode is described in the following sections. .. _cspn5-yub-otp-label: Yubico OTP ----------- Feature Summary ~~~~~~~~~~~~~~~~~ The Yubico OTP scheme is a proprietary algorithm based on symmetric AES encryption. To generate a Yubico OTP, set the following parameters: * Public ID (1-16 bytes modhex) * Private ID (6 bytes hexadecimal) * Secret Key (16 bytes) The Public ID generally represents the serial number of the YubiKey, but may be set to a different value. The Private ID is an optional secret field that may be included as an input parameter to the OTP generation algorithm. By default, when this parameter is not configured, its value is set to zero. The Secret Key is an AES-128 key must be shared, between the YubiKey 5 and the verification server by the user, during configuration of the protocol’s credentials. The touch sensor is always used when generating a Yubico OTP, and is considered part of the standard operating procedure. For more information about Yubico OTP, see `Yubico’s website, OPTs Explained `_. CSPN Approved Mode ~~~~~~~~~~~~~~~~~~~~ To operate the YubiKey 5 application Yubico OTP in a CSPN approved mode, the user must first be identified by a first factor authentication scheme. For example, username/password. The details for such an authentication scheme are beyond the scope of this document. Once a Yubico OTP application is configured, set an access code to protect the key material and configuration. More details for such a configuration are described in the following section. Technical Configuration ~~~~~~~~~~~~~~~~~~~~~~~~ In order to protect the Yubico OTP credentials, use the `YubiKey Manager `_ (ykman). To protecting the credentials, use the command: .. code-block:: bash ykman otp --access-code yubiotp --public-id --generate-private-id --generate-key Where ``--access-code`` parameter is set to a six byte long hex value. See the figure below for an example command line interaction for creating protected Yubico OTP credentials with ykman. .. figure:: graphics/2.png **Figure 2** - Example of configuring protected Yubico OTP credentials A code is now required for any operation that requires access to the Yubico OTP credentials. To **delete credentials**, use the command: ``ykman otp --access-code delete [1|2]`` To **change the settings**, use the command: ``ykman otp --access-code settings [OPTIONS] [1|2]`` For instance, it is not possible to now delete the Yubico OTP credentials without providing the correct access code. The screenshot below is another example of how to use the ykman command line for deleting protected Yubico OTP credentials. The first attempt fails because ``--access-code`` is not provided, but the second attempt succeeds when the flag ``--access-code`` is set. .. figure:: graphics/ex-del-prot-yotp-creds.png **Figure 3** - Example of deleting protected Yubico OTP credentials .. _cspn5-chall-resp-label: Challenge-Response -------------------- Feature Summary ~~~~~~~~~~~~~~~~~ The Challenge-Response protocol is based on the HMAC-SHA-1 algorithm. The relying party sends a challenge to the YubiKey 5, and the device responds with a hash of that challenge. The secret key used in the HMAC-SHA-1 is pre-loaded by the user onto the YubiKey 5 during configuration. It is also possible to configure whether touching the sensor of the YubiKey 5 is required for each Challenge-Response request. The Challenge-Response protocol is used as a second factor in the authentication process. For more information on the challenge-response YubiKey application, see `Yubico’s website, Challenge and Response `_. CSPN Approved Mode ~~~~~~~~~~~~~~~~~~~ To operate the YubiKey 5 in a CSPN approved mode: Identify the user by a first factor authentication scheme. For example, username/password. The details for such an authentication scheme are beyond the scope of this document. Set usage of the YubiKey 5 touch sensor to required when configuring the Challenge-Response application. When the Challenge-Response application is enabled on the YubiKey 5, set an access code to protect both the secret key and configuration. More details for such a configuration is described in the following section. Technical Configuration ~~~~~~~~~~~~~~~~~~~~~~~~ In order to protect the Challenge-Response credentials and enforce the touch sensor, use the command line `YubiKey Manager `_ (ykman). Use the command: ``ykman otp --access-code chalresp --touch --generate `` where - ``--access-code`` for protecting the credentials. Set the ``--access-code`` parameter to a six byte long hex value. ``--touch`` for requesting proof of user presence. See the figure below for an example command line interaction for creating protected Challenge-Response credentials requiring touch with ykman. .. figure:: graphics/ex-conf-prot-ch-resp-creds.png **Figure 4** - Example of configuring protected Challenge-Response credentials with touch sensor A code is now required for any operations that require access to the Challenge-Response credentials To **delete credentials**, use the command ``ykman otp --access-code delete [1|2]`` To **Change the settings**, use the command ``ykman otp --access-code settings [OPTIONS] [1|2]`` For instance, now it is not possible to delete the Challenge-Response credentials without providing the access code. The screenshot below is an example of how to use the ykman command for deleting protected Challenge-Response credentials. The first attempt fails because ``--access-code`` is not provided, but the second attempt succeeds when the flag ``--access-code`` is set. .. figure:: graphics/ex-del-prot-ch-resp-creds.png **Figure 5** - Example of deleting protected Challenge-Response credentials .. _cspn5-stat-pass-label: Static Password ----------------- Feature Summary ~~~~~~~~~~~~~~~~~ The static password application allows for storing a complete or partial static password. The password is replayed in the clear once the user touches the YubiKey 5 sensor. The static password is used as a second factor in the authentication process. For more information on YubiKey application for static passwords, see `Yubico’s website, Understanding Core Static Password Features `_. CSPN Approved Mode ~~~~~~~~~~~~~~~~~~~ To operate the YubiKey 5 in a CSPN approved mode, store only one portion of the password within the YubiKey 5 and keep the remaining portion of the password in a different, but also secure location. Reconstruct the complete password by combining the portion from the YubiKey with the other portion stored elsewhere. Then authenticate in conjunction with the username. The overall details for such a password splitting scheme are beyond the scope of this document. Only the portion of the password to be stored within the YubiKey 5 is described. The touch sensor is always used when displaying a portion of a static password, and is considered part of the standard operating procedure. When the static password application is configured, set an access code to protect both the static password and configuration. More details for such a configuration are described in the following section. Technical Configuration ~~~~~~~~~~~~~~~~~~~~~~~~~ To protect the static password, use the command line `YubiKey Manager `_ (ykman). Use the command .. code-block:: bash ykman otp --access-code static --generate --length where - ``--access-code`` for protecting the static password. Set the ``--access-code`` parameter to a six byte long hex value. See the figure below for an example command line interaction for creating a protected static password with ykman. .. figure:: graphics/ex-conf-prot-static-pword.png **Figure 6** - Example of configuring a protected static password A code is now required for any operations that require access to the static password. To **delete static password**, use the command: ``ykman otp --access-code delete [1|2]`` To **change the settings**, use the command: ``ykman otp --access-code settings [OPTIONS] [1|2]`` For instance, it is not possible to now change the static password settings without providing the access code. The screenshot below is an example of how to use the ykman command line for changing the settings of a protected static password. The first attempt fails because no ``--access-code`` is provided, but the second attempt succeeds when the flag ``--access-code`` is set. .. figure:: graphics/ex-changing-prot-stat-pword.png **Figure 7** - Example of changing a protected static password .. _cspn5-oath-hotp-label: OATH-HOTP ---------- Feature Summary ~~~~~~~~~~~~~~~~~ The OATH-HOTP protocol is implemented according to RFC 4226, “HOTP: An HMAC-Based One-Time Password Algorithm”, [RD5]. The algorithm underpinning this application on the YubiKey 5 is HMAC-SHA-1. Choose the length of the OTP (either 6 or 8 digits) and the initial counter value. The OATH-HOTP protocol is used as a second factor in the authentication process. The touch sensor is always used when generating the OATH-HOTP, and is considered part of the standard operating procedure. For more information on the YubiKey application OATH-HOTP see `Yubico’s website, OATH `_. CSPN Approved Mode ~~~~~~~~~~~~~~~~~~~ To operate the YubiKey 5 in a CSPN approved mode, identify the user by a first factor authentication scheme. For example, username/password. The details for such an authentication scheme are beyond the scope of this document. When the OATH-HOTP application is enabled on the YubiKey 5, set an access code to protect the initial counter value and configuration. More details for such a configuration are described in the following section. Technical Configuration ~~~~~~~~~~~~~~~~~~~~~~~~ In order to protect the OATH-HOTP credentials, use the command line `YubiKey Manager `_ (ykman). For protecting the OATH-HOTP credentials, use the command: ``ykman otp --access-code hotp `` where ``--access-code`` is set to a six byte long hex value. An example command line interaction for creating a protected OATH-HOTP with ykman is depicted in the following screenshot. .. figure:: graphics/ex-conf-oath-hotp-creds.png **Figure 8** - Example of configuring protected OATH-HOTP credentials A code is now required for any operations that require access to the OATH-HOTP credentials. To **Delete credentials**, use the command ``ykman otp --access-code delete [1|2]`` To **Change the settings**, use the command ``ykman otp --access-code settings [OPTIONS] [1|2]`` For instance, you can no longer delete the OATH-HOTP credentials without providing the access code. The screenshot below is an example of how to use the ykman command line for deleting protected OATH-HOTP credentials. The first attempt fails because no ``--access-code`` is provided, but the second attempt succeeds when the flag --``access-code`` is set. .. Figure:: graphics/ex-del-prot-oath-hotp-creds.png **Figure 9** - Example of deleting protected OATH-HOTP credentials ---- .. _cspn-5-oath-label: OATH ====== Feature Summary ---------------- The OATH application allows for managing two types of OTP over the CCID interface: * HMAC-Based One Time Password (HOTP) * Time-Based One Time Password (TOTP) A maximum of 32 credentials [#f1]_ can be stored within the YubiKey’s OATH application. Use the software tool `Yubico Authenticator `_ to configure and use this application. A password may be set to protect the OATH credentials. If a password is configured, the password is required to unlock the application, which can then be used to generate any number of OTPs for the remainder of the session (until application is deselected). When enrolling credentials, you can configure whether touching the sensor of the YubiKey 5 is required for each OTP generation. CSPN Approved Mode ------------------- The OATH-HOTP/TOTP protocol is used as a second factor in the authentication process. To operate the YubiKey 5 in a CSPN approved mode, identify the user by a first factor authentication scheme. For example, username/password. The details for such a first factor authentication scheme are beyond the scope of this document. When the OATH-HOTP/TOTP application is enabled on the YubiKey 5, you can set a password to protect the OATH credentials. More details for such a configuration are described in the following section. Technical Configuration ------------------------ To protect the OATH-HOTP/TOTP credentials with a password, install and use the `Yubico Authenticator `_ for the configuration. To set the password, launch the `Yubico Authenticator `_ application, select File from the menu, then select the option Set Password. In the dialog box that appears, enter a new password and confirm it. This configuration protects all OATH-HOTP/TOTP credentials with the same nominated password. .. figure:: graphics/10.png **Figure 10** - Example of protecting the OATH-HOTP/TOTP credentials with a password When `Yubico Authenticator `_ is used for generating an OATH one-time password, the password must be entered each time to unlock the credentials. .. figure:: graphics/11.png **Figure 11** - Example of unlocking the OATH-HOTP/TOTP credentials .. rubric:: Footnotes .. [#f1] A credential is a configuration of the OTP linked to a unique key. ---- .. _cspn-5-fido-u2f-label: FIDO U2F ========= Feature Summary ---------------- The YubiKey 5 Series supports FIDO Universal 2nd Factor (U2F), which is defined in [RD7]. On a high level, the FIDO U2F protocol comprises both the registration and the authentication process but is only used as a second factor in the authentication process. For more information on the YubiKey application FIDO U2F see `Yubico’s website, U2F `_. CSPN Approved Mode ------------------- To operate the YubiKey 5 in a CSPN approved mode, identify the user by a first factor authentication scheme (for example, username/password) according to the FIDO U2F standard [RD7]. The details for such a first factor authentication scheme are beyond the scope of this document. As part of the registration process, the user touches the YubiKey 5 sensor when the browser or application prompts for it. The user also touches the YubiKey 5 when the browser or application requests for it during the authentication process. Technical Configuration ------------------------- No additional configuration is needed to achieve a CSPN approved mode, assuming the YubiKey 5 has been correctly enrolled against a U2F compatible relying party. ---- .. _fido-2-label: FIDO2 ====== Feature Summary ---------------- The FIDO2 protocol is an amalgamation of two standards: W3C WebAuthn (for the communication between the client and the relying party) and CTAP2 (for accessing the authenticator from the client). On a high level, the FIDO2 protocol comprises both the registration and the authentication process. FIDO2 is an update of FIDO U2F and is defined in [RD3]. It takes into account PIN management, in addition to the new standardized protocols, WebAuthn [RD8] and CTAP2. CSPN Approved Mode ------------------- The FIDO2 protocol can be used in two different CSPN modes of operation: * FIDO2 with a PIN code set on the YubiKey 5 (see :ref:`fido2-w-pin`), or * FIDO2 without a PIN code set on the YubiKey 5 (see :ref:`fido2-wo-pin`) .. _fido2-w-pin: FIDO2 With PIN Code -------------------- If WebAuthn User Verification is set to ``Required`` by the WebAuthn relying party, when registering the YubiKey 5 as a FIDO2 device, it prompts the your client to protect the FIDO2 credentials with a PIN code during the enrollment. Alternatively, you can also use the `YubiKey Manager download `_ to set a PIN code to protect the FIDO2 credentials. In both cases, the YubiKey 5 requires the PIN code for FIDO2 authentication. As part of the registration process, touch the YubiKey 5 sensor when the browser or application prompts for it. Also touch the YubiKey 5 when the browser or application requests for it during the authentication process. .. _fido2-wo-pin: FIDO2 Without PIN Code ----------------------- If WebAuthn User Verification is not enforced as recommended above, the YubiKey 5 must then be used as a second factor authentication device. To operate the YubiKey 5 in a CSPN approved mode under such a scenario, identify the user by a first factor authentication scheme. For example, username/password.The details for such a first factor authentication scheme are beyond the scope of this document. The YubiKey 5, by default, requires the sensor to be touched for this configuration. As part of the registration process, you must touch the YubiKey 5 sensor when the browser or application prompts for it. You must also touch the YubiKey 5 when the browser or application requests for it during the authentication process. Technical Configuration ------------------------ FIDO2 With PIN Code ~~~~~~~~~~~~~~~~~~~~ There are two ways to set the PIN code for the FIDO2 application on a YubiKey 5: * You can set the PIN code by using the `YubiKey Manager `_. * The relying party (server application) can request the user’s client to set the PIN code during the WebAuthn registration. By default, the touch sensor is also required for FIDO2, in addition to setting the PIN on the YubiKey. Set FIDO2 PIN Code with ykman ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Use the `YubiKey Manager download `_ to set a PIN code for the FIDO2 credentials on the YubiKey 5. When a PIN code is set, all FIDO2 credentials are protected by the same PIN code. To set the PIN code with `YubiKey Manager download `_: 1. Select the Applications from the menu. 2. Select the FIDO2 option. 3. In the GUI that appears, select the button **Set PIN**. .. figure:: graphics/12.png **Figure 12** - Configuring the FIDO2 PIN with YubiKey Manager 4. In the next popup prompt that appears, set the new PIN and confirm this PIN for the FIDO2 application. .. figure:: graphics/13.png **Figure 13** - Configuring the FIDO2 PIN with YubiKey Manager Set FIDO2 PIN Code From the Relying Party ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; The WebAuthn relying party (authentication server) can instruct a client to set the PIN code on an authenticator during the enrollment of the FIDO2 credentials. A client, according to the WebAuthn/FIDO2 specifications, is any user device that supports WebAuthn/FIDO2. In practice, this is a hardware device (smartphone, tablet, laptop, etc), an operating system (Microsoft Windows, Apple MacOS, Apple iOS, Android, Linux, etc) or a web browser (Google Chrome, Apple Safari, Microsoft Edge, Mozilla Firefox, etc). If the WebAuthn MakeCredentials parameter UserVerification is set to ``Required``, this prompts the client to set the PIN code on the YubiKey 5. The GUI for setting the FIDO2 PIN code may differ between clients. The image below is an example of using Google Chrome with Windows 10 for setting the FIDO2 PIN on a YubiKey 5. .. figure:: graphics/14.png **Figure 14** - Configuring the PIN code for FIDO2 with Windows 10 FIDO2 Without PIN Code ~~~~~~~~~~~~~~~~~~~~~~~ If the relying party has set the WebAuthn MakeCredentials parameter UserVerification to ``Discouraged``, this does not trigger the client to set any FIDO2 PIN code on the YubiKey 5. If a FIDO2 PIN is not set through `YubiKey Manager `_ and the client is not triggered to set a FIDO2 PIN, this means the FIDO credentials are not protected by a PIN. However, by default, touch is still required for using the FIDO2 credentials during WebAuthn authentication. When the PIN code is disabled for FIDO2 on the YubiKey 5, the CSPN approved mode is achieved by using a first factor authentication protocol in conjunction with the YubiKey 5 configured for FIDO2 and touch. ---- .. _cspn-5-piv-label: PIV ==== Feature Summary ---------------- The PIV application [RD4] can be used to authenticate, sign and decrypt. You can, for example, use the YubiKey 5 PIV application for Windows smart card logon. The PIV application allows for generating or importing asymmetric key-pairs (both RSA or ECC) and storing multiple X.509 certificates. In total, 24 certificate slots are available: * Slot 9a: PIV Authentication * Slot 9c: Digital Signature * Slot 9d: Key Management * Slot 9e: Card Authentication * Slots 82-95 (hexadecimal): Retired Key Management * Slot f9: Attestation User verification under PIV is achieved with a PIN and a management key (Triple-DES or AES key). This is used for various oversight functions. Set the PIN to a value between 6 and 8 bytes. Set the maximum number of retries between 1 to 255. The retries default value is 3. To specify how often the PIN needs to be entered to access the credentials in a given slot, set a PIN policy for that slot. Set this policy when generating the key or when importing a key. The policy cannot be changed later. You can configure the YubiKey 5 to require physical contact on the touch sensor, in addition to requiring the PIN. Similar to the PIN policy, set the touch policy when generating or importing a key. CSPN Approved Mode ------------------- To operate the YubiKey’s PIV application in approved CSPN mode, set the PIN code, PUK code, and management key for the PIV application. It is imperative that you change the default values of these codes before using the PIV application. More details for such a configuration are described in the following section. Technical Configuration ------------------------ YubiKey Manager for PIN Configuration of PIV ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Use the `YubiKey Manager `_ for setting the PIN, PUK, and management key on the YubiKey. In this scenario, a YubiKey 5 with default settings is assumed. .. figure:: graphics/15.png **Figure 15** - Configuring the PIN, PUK, and management key for PIV Changing the PIN Code ~~~~~~~~~~~~~~~~~~~~~~ The PIN is used during normal operation to authorize an action such as creating a digital signature with any of the stored keys. Entering an incorrect PIN too many times and exceeding the retry counter, blocks the PIN and makes the PIV features unusable. The PIN must be at least 6 characters and can contain any symbol, although for cross-platform portability it is recommended to only use decimal digits. There is a limit of 8 bytes for a PIN. This allows for up to 8 ASCII characters. By default the PIN code is set to ``123456``. To change the PIN code, select the **Change PIN** button in the Configure PINs dialog box. The popup that appears in the `YubiKey Manager `_, is shown in the following figure. .. figure:: graphics/16.png **Figure 16** - Changing the PIN code for PIV Change the current or default PIN to a new PIN with a length of 6-8 digits. To do this, enter the current PIN, enter a new PIN, confirm it, and then select the **Change PIN** button. The default PIN code, ``123456``, is pre-configured for slots 9a, 9c and 9d. For slot 9e, set to enforce the PIN policy using the command line YubiKey Manager when generating or importing the key-pair on the YubiKey 5. Use the command: ``ykman piv generate-key --pin-policy always 9e -`` Changing the PUK Code ~~~~~~~~~~~~~~~~~~~~~~ The PUK can be used to reset the PIN if it is ever forgotten, lost, or becomes blocked after the maximum number of incorrect PIN entry attempts. By default the PUK is set to ``12345678``. To change the PUK, select the **Change PUK** button in the Configure PINs dialog box. The popup that appears in the `YubiKey Manager `_, is shown in the following figure. .. figure:: graphics/17.png **Figure 17** - Changing the PUK code for PIV Change the default or current PUK to a new PUK with a length of 6-8 digits. To do this, enter the current PUK, the new PUK, confirm it, and then select the **Change PUK** button. Changing the Management Key ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ All PIV management operations of the YubiKey require a 24 byte 3DES or AES key, known as the management key. By default the management key is set to ``010203040506070801020304050607080102030405060708``. Explicitly set a 24 byte key or use the YubiKey PIV Manager to generate one. To change the management key press the **Change Management Key** button in the Configure PINs dialog box. The popup that appears in the `YubiKey Manager `_, is shown in the following figure. .. figure:: graphics/18.png **Figure 18** - Changing the management key for PIV Change the current or default management key to a new management key with a length of 48 hexadecimal digits. To do this, in the Change Management Key dialog, enter the current management key, the new management key, and select the **Finish** button. ---- Click for `Yubico Support `_.