.. yk5-fips-140-compare.rst

.. _yk5-fips-140-compare-label:

=================================================
FIPS Version Changes and Requirements Comparison
=================================================

The table highlights the changes between FIPS 140-3 Level 3, 140-2 Level 2, and 140-2 Level 1. Each newer version and level of FIPS 140 includes the requirements of the previous version and level, so each column lists only the requirements that differ from those in the column to its right. For example, FIPS 140-3 Level 2 includes the requirements of FIPS 140-2 Level 2 and FIPS 140-2 Level 1, and FIPS 140-2 Level 2 includes the requirements of FIPS 140-2 Level 1.

.. table:: **YubiKey Functions in FIPS**
   :class: longtable

   +------------+----------------------------------+-------------------------------------+-----------------------------+
   | YubiKey    |                                  |                                     |                             |
   | Function   | FIPS 140-3 Level 2               | FIPS 140-2 Level 2                  | FIPS 140-2 Level 1          |
   +============+==================================+=====================================+=============================+
   | FIDO2      | - FIDO2 PIN required with        | - Set a PIN.                        | No additional requirements  |
   |            |   minimum 8 characters           | - Set Credential Protection to      |                             |
   |            | - alwaysUV permanently enabled   |   level 2 for all discoverable      |                             |
   |            | - U2F disabled on FIPS-capable   |   credentials.                      |                             |
   |            |   devices. Use FIDO2 functions   | - Credential Registration is not    |                             |
   |            |   instead.                       |   allowed over NFC.                 |                             |
   |            | - PIN Protocol v2 required over  |                                     |                             |
   |            |   NFC.                           |                                     |                             |
   |            | - Requires application be in     |                                     |                             |
   |            |   FIPS Approved Mode to create   |                                     |                             |
   |            |   credentials                    |                                     |                             |
   +------------+----------------------------------+-------------------------------------+-----------------------------+
   | OATH       | - Access code required with      | - Set the Management key.           | If writing a credential     |
   |            |   minimum 14 bytes.              | - When setting the Management key   | over NFC, use a secure      |
   |            | - Configuration over NFC         |   over USB or NFC, use a secure     | channel.                    |
   |            |   requires that ``SET CODE`` and |   channel.                          |                             |
   |            |   ``PUT`` commands go through a  | - When writing a credential over    |                             |
   |            |   secure channel (SCP03 or SCP11)|   USB or NFC, use a secure channel. |                             |
   |            | - Requires application be in     |                                     |                             |
   |            |   FIPS Approved Mode to create   |                                     |                             |
   |            |   credentials                    |                                     |                             |
   +------------+----------------------------------+-------------------------------------+-----------------------------+
   | OpenPGP    | - User PIN, Admin PIN, and       | No additional requirements          | No additional requirements  |
   |            |   Reset Code (if set) must be    |                                     |                             |
   |            |   minimum of 8 characters        |                                     |                             |
   |            | - RSA decryption, X25519 and     |                                     |                             |
   |            |   SECP256k1 are blocked.         |                                     |                             |
   |            | - All operations over NFC        |                                     |                             |
   |            |   must go through a secure       |                                     |                             |
   |            |   channel (SCP03 or SCP11)       |                                     |                             |
   |            | - Requires application be in     |                                     |                             |
   |            |   FIPS Approved Mode to create   |                                     |                             |
   |            |   credentials                    |                                     |                             |
   +------------+----------------------------------+-------------------------------------+-----------------------------+
   | OTP        | Not validated for FIPS 140-3     | - Set Access code for both OTP      | If writing a configuration  |
   | Touch-     |                                  |   slots.                            | to a slot over NFC, use a   |
   | Triggered  |                                  | - If updating a configuration of    | secure channel.             |
   |            |                                  |   either OTP slot or the NDEF       |                             |
   |            |                                  |   behavior, use a secure channel.   |                             |
   +------------+----------------------------------+-------------------------------------+-----------------------------+
   | PIV        | - Requires changing default      | - Change Management key, PIN, PUK   | If importing a key or       |
   |            |   PIN and PUK to 8 character     |   from default values.              | setting the management key, |
   |            |   minimum.                       | - For any operation with the PIV    | use a secure channel.       |
   |            | - Requires changing Management   |   function over NFC, use a secure   |                             |
   |            |   Key to AES key.                |   channel.                          |                             |
   |            | - RSA1024, TDES (3DES), and      |                                     |                             |
   |            |   X25519 are blocked.            |                                     |                             |
   |            | - Cannot set the Management      |                                     |                             |
   |            |   Key to TDES.                   |                                     |                             |
   |            | - All operations over NFC        |                                     |                             |
   |            |   must go through a secure       |                                     |                             |
   |            |   channel (SCP03 or SCP11)       |                                     |                             |
   |            | - Requires application be in     |                                     |                             |
   |            |   FIPS Approved Mode to create   |                                     |                             |
   |            |   credentials                    |                                     |                             |
   +------------+----------------------------------+-------------------------------------+-----------------------------+
   | Secure     | - SCP03 and SCP11                | - SCP03 only                        | - SCP03 only                |
   | Domain     | - Requires changing default      | - Requires changing default         | - Requires changing default |
   | Channel    |   key set                        |   key set                           |   key set                   |
   |            | - USB restriction: Until the     |                                     |                             |
   |            |   application is in FIPS Approved|                                     |                             |
   |            |   Mode, the default key set can  |                                     |                             |
   |            |   only be used to establish a    |                                     |                             |
   |            |   secure channel with the        |                                     |                             |
   |            |   Security Domain itself, only   |                                     |                             |
   |            |   for the purpose of loading a   |                                     |                             |
   |            |   new key set, and this          |                                     |                             |
   |            |   operation must be performed    |                                     |                             |
   |            |   exclusively over USB.          |                                     |                             |
   +------------+----------------------------------+-------------------------------------+-----------------------------+
   | U2F        | U2F disabled on FIPS-capable     | - Must not be used.                 | No additional requirements  |
   |            | devices                          | - Recommendation: Disable and use   |                             |
   |            |                                  |   the FIDO2 function instead.       |                             |
   +------------+----------------------------------+-------------------------------------+-----------------------------+
   | YubiHSM    | - Requires changing default      | No additional requirements          | No additional requirements  |
   | Auth       |   admin code                     |                                     |                             |
   |            | - All operations over NFC        |                                     |                             |
   |            |   must go through a secure       |                                     |                             |
   |            |   channel (SCP03 or SCP11)       |                                     |                             |
   |            | - Requires application be in     |                                     |                             |
   |            |   FIPS Approved Mode to create   |                                     |                             |
   |            |   credentials                    |                                     |                             |
   +------------+----------------------------------+-------------------------------------+-----------------------------+
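The FIPS 140-3 Level 2 column above is a checklist that is normally worked through by hand. The Python below is an added example, not Yubico code: it encodes that column as a list of rules and runs them over a constructed settings dict whose layout and field names are assumptions standing in for values an operator would read from the device.

```python
# Added example (not Yubico code): the FIPS 140-3 Level 2 column as a rule list.
# Settings layout and field names are assumptions; length checks count characters
# for PINs and bytes for the OATH access code, as the table states.
SECURE_CHANNELS = {"SCP03", "SCP11"}

def nfc_rule(app):
    """Operations over NFC for this application must use SCP03 or SCP11."""
    return (f"{app}: operations over NFC must go through SCP03 or SCP11",
            lambda s: not s[app]["nfc_used"] or s[app]["nfc_channel"] in SECURE_CHANNELS)

def blocked_rule(app, blocked):
    """None of the listed algorithms may be in use for this application."""
    return (f"{app}: blocked algorithm in use ({', '.join(sorted(blocked))})",
            lambda s: not (set(s[app]["algorithms"]) & blocked))

# (finding text, predicate); a predicate returning False raises the finding.
RULES = [
    ("FIDO2: PIN must be at least 8 characters", lambda s: len(s["FIDO2"]["pin"]) >= 8),
    ("FIDO2: alwaysUV must be enabled", lambda s: s["FIDO2"]["always_uv"]),
    ("U2F: must be disabled on FIPS-capable devices", lambda s: not s["U2F"]["enabled"]),
    ("OATH: access code must be at least 14 bytes", lambda s: len(s["OATH"]["access_code"]) >= 14),
    nfc_rule("OATH"),
    ("OpenPGP: User PIN, Admin PIN and Reset Code (if set) need 8+ characters",
     lambda s: all(len(p) >= 8 for p in s["OpenPGP"]["pins"] if p)),  # unset code is skipped
    blocked_rule("OpenPGP", {"RSA decryption", "X25519", "SECP256k1"}),
    nfc_rule("OpenPGP"),
    ("OTP: touch-triggered OTP is not validated for FIPS 140-3", lambda s: not s["OTP"]["enabled"]),
    ("PIV: PIN and PUK must be at least 8 characters",
     lambda s: len(s["PIV"]["pin"]) >= 8 and len(s["PIV"]["puk"]) >= 8),
    ("PIV: management key must be AES, not TDES", lambda s: s["PIV"]["mgmt_key_type"] == "AES"),
    blocked_rule("PIV", {"RSA1024", "TDES", "X25519"}),
    nfc_rule("PIV"),
    ("Secure Channel: default key set must be replaced", lambda s: not s["SCP"]["default_keys"]),
    ("YubiHSM Auth: default admin code must be changed", lambda s: not s["YubiHSMAuth"]["default_admin"]),
]

def check_fips140_3_l2(settings):
    """Return the findings; an empty list means every rule in the table passed."""
    return [msg for msg, ok in RULES if not ok(settings)]

# Constructed sample device that still carries several weak or default settings.
SAMPLE = {
    "FIDO2": {"pin": "123456", "always_uv": True}, "U2F": {"enabled": True},
    "OATH": {"access_code": b"\x01" * 14, "nfc_used": True, "nfc_channel": "SCP03"},
    "OpenPGP": {"pins": ["12345678", "12345678", ""], "algorithms": ["RSA decryption"],
                "nfc_used": False, "nfc_channel": None},
    "PIV": {"pin": "12345678", "puk": "12345678", "mgmt_key_type": "TDES",
            "algorithms": ["RSA2048"], "nfc_used": True, "nfc_channel": "plain"},
    "OTP": {"enabled": False}, "SCP": {"default_keys": False}, "YubiHSMAuth": {"default_admin": True},
}
```

Running ``check_fips140_3_l2(SAMPLE)`` on the constructed device reports six findings (short FIDO2 PIN, U2F enabled, RSA decryption in OpenPGP, TDES management key and unprotected NFC for PIV, default YubiHSM Auth admin code); fixing those returns an empty list.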