.. yk5-fips-140-2-2.rst

.. _yk5-fips-140-2-2-label:

=============================================
FIPS 140-2 Level 2 Changes and Configuration
=============================================

The YubiKey 5 FIPS Series is certified in two modes of operation:

* A configuration that meets the requirements for FIPS Level 1.
* A more restricted configuration that meets the requirements for FIPS Level 2.

The FIPS Level 2 configuration makes the keys in the YubiKey 5 FIPS Series capable of being a component in a framework that meets the highest levels of authentication assurance. Not every deployment requires this level of security, however. Where a FIPS-certified device is required but a lower level of assurance is acceptable, the FIPS Level 1 configuration can be used; it provides a user experience like that of the standard YubiKey 5 Series.

FIPS 140-2 Initialization Comparison: Level 1 vs Level 2
===========================================================

The FIPS Level 2 requirements include all those for Level 1, so the FIPS Level 2 column in the table below lists only the differences.

.. table:: **YubiKey Functions in FIPS Level 1 and FIPS Level 2**
   :class: longtable

   +--------------------+----------------------------------+------------------------------------------+
   | YubiKey Function   | FIPS Level 1                     | FIPS Level 2                             |
   +====================+==================================+==========================================+
   | FIDO2              | No additional requirements       | | Set a PIN.                             |
   |                    |                                  | | Set Credential Protection to           |
   |                    |                                  |   level 2 for all discoverable           |
   |                    |                                  |   credentials.                           |
   |                    |                                  | | Credential Registration is not         |
   |                    |                                  |   allowed over NFC.                      |
   +--------------------+----------------------------------+------------------------------------------+
   | OATH               | | If writing a credential        | | Set the Management key.                |
   |                    |   over NFC, use a secure         | | When setting the Management key        |
   |                    |   channel.                       |   over USB or NFC, use a secure          |
   |                    |                                  |   channel.                               |
   |                    |                                  | | When writing a credential over USB     |
   |                    |                                  |   or NFC, use a secure channel.          |
   +--------------------+----------------------------------+------------------------------------------+
   | OTP                | | If writing a configuration     | | Set Access code for both OTP slots.    |
   | Touch-Triggered    |   to a slot over NFC, use a      | | If updating a configuration of         |
   |                    |   secure channel.                |   either OTP slot or the NDEF            |
   |                    |                                  |   behavior, use a secure channel.        |
   +--------------------+----------------------------------+------------------------------------------+
   | PIV                | | If importing a key or          | | Change Management key, PIN and PUK     |
   |                    |   setting the management key,    |   from default values.                   |
   |                    |   use a secure channel.          | | For any operation with the PIV         |
   |                    |                                  |   function over NFC, use a secure        |
   |                    |                                  |   channel.                               |
   +--------------------+----------------------------------+------------------------------------------+
   | Secure Channel     | Change the transport keys        | No additional requirements               |
   |                    | from their default values.       |                                          |
   +--------------------+----------------------------------+------------------------------------------+
   | U2F                | No additional requirements       | | Must not be used.                      |
   |                    |                                  | | Recommendation: Disable and use        |
   |                    |                                  |   the FIDO2 function instead.            |
   +--------------------+----------------------------------+------------------------------------------+

FIPS 140-2 Level 2 Configuration
====================================

Security Level 2 includes all of the requirements for FIPS Level 1 and further enforces tamper-evident physical security mechanisms and a separation of functions based on role-based authentication. Security Level 2 allows an authenticator to be used on a general purpose computing system whose operating system has been evaluated at `EAL2 `_ with role-based access control mechanisms and comprehensive auditing. The minimum requirement for role-based authentication is that the cryptographic module authenticates the authorization of an operator to assume a specific role and perform the corresponding set of services.
A Crypto Officer (also called Security Officer) role is required for services such as importing or generating new credentials or programming new OTP secrets on a YubiKey. The User role covers the actual use of programmed credentials for authentication. The Crypto Officer role is that of "a cryptographic officer [who] is authorized to perform cryptographic initialization and management functions on a CKMS [Cryptographic Key Management System] and its cryptographic modules." (Quote taken from `SP 800-130 (DOI) `_.)

To act in an Overall Security Level 2 environment, a YubiKey must be configured in a FIPS-approved mode of operation or receive an exemption from the security auditor.

.. Note::
   Loading key data over NFC requires a secure channel. For more information on Secure Channel (SCP03) in connection with YubiKeys, see :ref:`yk5-secure-channel-tech-desc-label`. For more information on the NIST requirements behind this, see `NIST Special Publication 800-63C `_ and `NIST Special Publication 800-63B `_.

For a YubiKey 5 FIPS Series device to operate as a security key in FIPS-approved mode, as a FIPS 140-2 Level 2 authenticator in a FIPS environment, all of its applications must be in a FIPS-approved mode of operation. By default, not all of the applications on the YubiKey 5 FIPS Series are in FIPS-approved mode. Before deploying YubiKey 5 FIPS Series devices to end users in a secured environment, the person holding the Crypto Officer role must define and supervise an initialization and delivery process that ensures that each application on every device is in a FIPS-approved mode of operation.

Every function of the YubiKey must require permissions defined by a role. In practice, this is accomplished by setting the access codes, management keys, passwords, PINs, etc. for every function on the YubiKey, so that the factory defaults no longer grant the Crypto Officer's services to whoever holds the device. To ensure that each application is in a FIPS-approved mode of operation, use the **ykman** CLI.
Install the most recent version of ``ykman`` from the `ykman releases `_ page; the YubiKey Manager GUI bundles an older version of the ykman CLI.

.. include:: includes/ykman.rst

:OTP, OATH and WebAuthn: To be in a FIPS-approved mode, the OTP, OATH and FIDO2 (WebAuthn) applications must each have their respective credentials (access codes, management key or password, PIN) set.
:PIV: The PIV application ships with its credentials set to default values and is therefore already in a FIPS-approved mode of operation. For a Level 2 configuration, however, the Management key, PIN and PUK must be changed from their default values (see the table above).
:U2F: U2F must not be used when the YubiKey 5 FIPS Series is deployed as a FIPS 140-2 Level 2 authenticator; disable it and use FIDO2 instead.

.. Note::
   It is highly recommended that all credentials across all applications be changed from their default values before a YubiKey 5 FIPS Series device is deployed to the end user, even where FIPS 140-2 Level 2 does not explicitly require it.
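The initialization process described above, as an added example that is not part of this page or of Yubico's own tooling: a shell script that drives the ``ykman`` CLI (ykman 5.x subcommand syntax; ykman 3 used different subcommand names such as ``ykman fido set-pin``) to put each application into the Level 2 configuration from the table. The placeholder credential values, the function names, the ``DRY_RUN`` switch, and the assumption that both OTP slots already hold a configuration are the example's own; confirm the ``ykman otp settings`` flags against ``ykman otp settings --help`` for the installed version.

```shell
#!/usr/bin/env bash
# Added example (not from the Yubico documentation): initialize a YubiKey 5
# FIPS Series device for FIPS 140-2 Level 2 with the ykman CLI (ykman 5.x).
# Assumptions, not from the page: placeholder credential values, the helper
# names below, and DRY_RUN=1, which prints each command instead of running it.
set -eu

# Run a command, or print it when DRY_RUN=1 so the procedure can be reviewed
# (or tested) without a device attached.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# PIV: Level 2 requires the Management key, PIN and PUK to be changed from
# the factory defaults (PIN 123456, PUK 12345678, 3DES key 0102..0708 x3).
piv_init() {
  new_pin="$1"; new_puk="$2"
  run ykman piv access change-pin --pin 123456 --new-pin "$new_pin"
  run ykman piv access change-puk --puk 12345678 --new-puk "$new_puk"
  # --generate makes a random key; --protect stores it on the device, unlocked
  # by the PIN, so the operator never has to handle the raw key material.
  run ykman piv access change-management-key \
    --management-key 010203040506070801020304050607080102030405060708 \
    --generate --protect --pin "$new_pin"
}

# FIDO2: Level 2 requires a PIN. Credential Protection level 2 is chosen by
# the relying party at registration (credProtect extension), and "no
# registration over NFC" is an operating rule; neither is set with ykman.
fido2_init() {
  run ykman fido access change-pin --new-pin "$1"
}

# OATH: ykman calls the OATH credential a password; the key that locks the
# application is derived from it.
oath_init() {
  run ykman oath access change --new-password "$1"
}

# OTP: Level 2 requires an access code on both slots. `ykman otp settings`
# changes a slot's settings without touching its secret. Assumption: both
# slots already hold a configuration (slot 1 ships programmed; slot 2 is
# programmed by the Crypto Officer beforehand).
otp_init() {
  for slot in 1 2; do
    run ykman otp settings --new-access-code "$1" --force "$slot"
  done
}

# U2F: must not be used at Level 2; disable it on both interfaces.
u2f_disable() {
  run ykman config usb --disable U2F --force
  run ykman config nfc --disable U2F --force
}

# Whole Level 2 initialization in one call. Arguments: new PIV PIN, PIV PUK,
# FIDO2 PIN, OATH password, OTP access code (6 bytes, hex).
fips_level2_init() {
  piv_init "$1" "$2"
  fido2_init "$3"
  oath_init "$4"
  otp_init "$5"
  u2f_disable
  # Final check: ykman info lists every application and its state.
  run ykman info
}

# Run for real only when the five credentials are supplied on the command line.
if [ "$#" -eq 5 ]; then
  fips_level2_init "$@"
fi
```

Run the script with ``DRY_RUN=1`` first to review the exact commands, then with the five new credentials as arguments against each device. For production use, adapt it so that ``--new-pin``, ``--new-puk`` and ``--new-password`` are omitted and ykman prompts for the values interactively; secrets passed as arguments end up in shell history and process listings.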