YubiKey 5 FIPS Series Specifics

YubiKey 5 FIPS Series under FIPS 140-3

The YubiKey 5 FIPS Series based on the 5.7.x firmware is undergoing a number of changes for FIPS 140-3 submission. The most notable of these changes is that the FIPS-specific requirements are now enforced by the YubiKey.

PIV Changes for FIPS 140-3

In order for the PIV application to be in FIPS Approved Mode the following requirements must be met:

  • The default PIN needs to be changed to an 8 character value
  • The default PUK needs to be changed and remain an 8 character value
  • The default Management Key needs to be changed and be set to an AES key.

Additionally,

  • Creating credentials prior to the application being in FIPS Approved Mode is not acceptable and the device will refuse to create credentials until the device is in FIPS Approved Mode
  • The use of RSA1024, TDEA and X25519 is not allowed
  • Operations over NFC must go through a secure channel (SCP03 or SCP11).

FIDO2 Changes for FIPS 140-3

In order for the FIDO2 application to be in FIPS Approved Mode

  • The FIDO2 PIN must be set and must be at least 8 characters.

Additionally,

  • Creating credentials prior to the application being in FIPS Approved Mode is not acceptable and the device will refuse to create credentials until it is in FIPS Approved Mode
  • PIN Protocol v2 must be used over NFC unless a secure channel is set up (SCP03 or SCP11)
  • alwaysUV is permanently enabled
  • U2F is disabled on FIPS-capable devices.

OpenPGP Changes for FIPS 140-3

In order for the OpenPGP application to be in FIPS Approved Mode the following requirements must be met:

  • The default user PIN must be changed and it must be at least 8 characters
  • The default admin PIN must be changed and it must be at least 8 characters
  • If the Reset Code is set, it must be at least 8 characters.

Additionally,

  • The use of RSA decryption, X25519 and SECP256k1 is blocked
  • Changing the user PIN, admin PIN or Reset Code to a value shorter than 8 characters is blocked
  • Operations over NFC must go through a secure channel (SCP03 or SCP11)
  • Creating credentials prior to the application being in FIPS Approved Mode is not acceptable and the device will refuse to create credentials until it is in FIPS Approved Mode.

OATH Changes for FIPS 140-3

In order for the OATH application to be in FIPS Approved Mode the following requirements must be met:

  • The access code must be set (minimum length of 14 bytes).

Additionally,

  • Creating credentials prior to the application being in FIPS Approved Mode is not acceptable and the device will refuse to create credentials until it is in FIPS Approved Mode
  • When performed over NFC, SET CODE and PUT must go through a secure channel (SCP03 or SCP11).

YubiHSM Auth Changes for FIPS 140-3

In order for the YubiHSM Auth application to be in FIPS Approved Mode the following requirements must be met:

  • The default admin code must be changed.

Additionally,

  • Creating credentials prior to the application being in FIPS Approved Mode is not acceptable and the device will refuse to create credentials until the device is in FIPS Approved Mode
  • Operations performed over NFC must go through a secure channel (SCP03 or SCP11).

Security Domain (SCP03 and SCP11) Changes for FIPS 140-3

In order for the Security Domain application to be in FIPS Approved Mode the following requirements must be met:

  • The default key set must be changed.

Additionally,

  • Until the application is in Approved mode, the default key set can only be used to establish a secure channel with the Security Domain itself and only for the purpose of loading a new key set. This operation must be performed over USB.

Deploying the YubiKey 5 FIPS Series

The YubiKey 5 FIPS Series keys are certified under FIPS 140-2 Level 1 and FIPS 140-2 Level 2. Keys in this series have two certificates, each corresponding to a different level of certification, but both certificates apply to the same keys. The YubiKey chipset is certified at FIPS 140-2 Physical Security Level 3. This provides both tamper-evidence and tamper-resistance. In turn, this means the YubiKey 5 FIPS Series keys can be used in an Overall Security Level 1 or 2 environment without issue. Depending on which certification the YubiKey 5 FIPS Series is being deployed under, there are different requirements for securing the various functions. To review the differences between the considerations and requirements for a FIPS 140-2 Level 1 authenticator and those for a FIPS 140-2 Level 2 authenticator, see FIPS Level 1 vs FIPS Level 2.

NIST SP 800-63-B provides guidance on the level required for your deployment.

In cases where only Level 1 is required, the end-user experience with a YubiKey 5 FIPS Series is similar to that of a user with a key from the YubiKey 5 Series. The user experience with YubiKey 5 FIPS Series deployed under FIPS 140-2 Level 2 is more complicated.

NIST classified the YubiKey 5 Series FIPS as “composite authenticators”. As such, no device in this series can be taken out of the FIPS-approved mode after initialization without zeroing the function. This means that once the YubiKey is correctly configured, it remains in the correct configuration. This renders the --check-fips command unnecessary. If the crypto officer ensures that the YubiKey 5 Series FIPS devices are correctly configured at initialization, they remain in FIPS-approved mode.

Configuring the YubiKey 5 FIPS Series under FIPS 140-2 Level 1

Without any configuration, the YubiKey 5 FIPS Series meets the requirements for the FIPS 140-2 Level 1 certification as an authenticator with FIPS-approved algorithms. Security Level 1 allows an authenticator to be used on a general purpose computing system using an unevaluated operating system. This can include computers or OSs that are configured in a FIPS-certified mode of operation, but which might not have extensive access controls or auditing features. Any function on the YubiKey may be used. The only non-approved algorithms are:

  • RSA 1024-bit keys
  • EdDSA keys
  • X25519 keys

Configuring the YubiKey 5 FIPS Series under FIPS 140-2 Level 2

Security Level 2 includes all of the requirements for FIPS Level 1, but further enforces enhanced physical security mechanisms and a separation of functions with regard to role-based authentication. Security Level 2 allows an authenticator to be used on a general purpose computing system with an operating system that has been evaluated at EAL2 with role-based access control mechanisms and comprehensive auditing.

The role-based authentication minimum requirement is that a cryptographic module authenticates the authorization of an operator to assume a specific role and perform a corresponding set of services. A Security Officer role is required for services such as importing or generating new credentials or programming new OTP secrets on a YubiKey. The User role covers the actual usage of programmed credentials for authentication. The Crypto Officer role is that of “a cryptographic officer [who] is authorized to perform cryptographic initialization and management functions on a CKMS [Cryptographic Key Management System] and its cryptographic modules.” (Quote taken from SP 800-130 (DOI).)

To act in an Overall Security Level 2 environment, a YubiKey must be configured in a FIPS-approved mode of operation or receive an exemption from the security auditor.

Note

Loading key data over NFC requires a secure channel. For more information on Secure Channel (SCP03) in connection with YubiKeys, see the YubiKey 5 Series Technical Manual, Secure Channel Technical Description. For more information on SCP03 requirements from NIST, see NIST Special Publication 800-63C and NIST Special Publication 800-63B.

For a YubiKey 5 FIPS Series to be operating as a security key in FIPS-approved mode, in a FIPS 140-2 Level 2 authenticator in a FIPS environment, all of the applications must be in a FIPS-approved operation mode.

By default, not all of the applications on the YubiKey 5 FIPS Series are in FIPS operation mode. Before deploying the YubiKey 5 FIPS Series in a secured environment to end-users, the person with the crypto officer role must define and supervise an initialization and delivery process that ensures that each application on the YubiKey 5 FIPS Series is in a FIPS-approved operation mode.

Every function of the YubiKey must require permissions defined by a role. In practice, this is accomplished by setting the access codes, management keys, passwords, PINs, etc. for every function on the YubiKey.

To ensure that each application is in a FIPS-approved mode of operation, use the YubiKey Manager (ykman) Command Line Interface (CLI).

  • PIV: The PIV application has its credentials set to default values, and is therefore already in a FIPS-approved mode.
  • OTP, OATH and WebAuthn: To be in a FIPS-approved mode, the OTP, OATH and WebAuthn applications must have their respective credentials set.

Note

Using U2F is not allowed when the YubiKey 5 FIPS Series is deployed as a 140-2 Level 2 authenticator.

Note

It is highly recommended that all the credentials across all the applications be changed from the default values before the YubiKey 5 FIPS Series device is deployed to the end user, even if FIPS 140-2 Level 2 does not explicitly require it.

Credentials and Permitted Values

The table below lists the credentials required, allowed values, and credential owner for the supported applications.

Application             | Credential              | Permitted Values                | Credential Owner
------------------------|-------------------------|---------------------------------|-------------------
One Time Password (OTP) | Access Code: OTP Slot 1 | 6 byte access code              | Crypto Officer
One Time Password (OTP) | Access Code: OTP Slot 2 | 6 byte access code              | Crypto Officer
OATH                    | Authentication Key      | 14-64 byte HMAC SHA1/SHA256 key | Crypto Officer
PIV Smart Card          | Management Key          | 3-key TDES key                  | Crypto Officer
PIV Smart Card          | PUK                     | 6-8 byte PIN                    | Crypto Officer
PIV Smart Card          | PIN                     | 6-8 byte PIN                    | Authenticated User
OpenPGP                 | User Password (PW1)     | 6-127 byte PIN                  | Authenticated User
OpenPGP                 | Admin Password (PW3)    | 8-127 byte PIN                  | Crypto Officer
WebAuthn                | PIN                     | 6 to 32 byte PIN                | Authenticated User

The instructions for the individual applications are provided in the following topics:


OTP: FIPS 140-2 with YubiKey 5 FIPS Series

The OTP application provides two programmable slots, each of which can hold one of the types of credentials listed below. A Yubico OTP credential is programmed to slot 1 during manufacturing.

  1. Trigger the YubiKey to produce the credential in the first slot by briefly touching the metal contact of the YubiKey.
  2. If a credential has been programmed to the second slot, trigger the YubiKey to produce it by touching the contact for 3 seconds.

Output is sent as a series of keystrokes from a virtual keyboard.

Yubico OTP

Yubico OTP is a strong authentication mechanism that is supported by all YubiKey 5 FIPS Series. Yubico OTP can be used as the second factor in a two-factor authentication (2FA) scheme or on its own, providing single-factor authentication.

The OTP generated by the YubiKey has two parts: the first 12 characters are the public identity that a validation server uses to link to a user, the remaining 32 characters are the unique passcode that is changed every time an OTP is generated.

The character representation of the Yubico OTP is designed to handle a variety of keyboard layouts. It is crucial that the same code is produced whether a YubiKey is inserted into a German computer with a QWERTZ layout, a French one with an AZERTY layout, or a US one with a QWERTY layout. The Modified Hexadecimal (Modhex) coding was invented by Yubico to use only characters that sit on the same scan codes across the maximum number of keyboard layouts. USB keyboards send their keystrokes as “scan codes” rather than actual characters; the device the YubiKey is connected to translates the scan codes into keystrokes.
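The following is an added example, not Yubico's code, showing how a relying party can decode Modhex and split a typed Yubico OTP into the 12-character public identity and the 32-character passcode described above. The Modhex alphabet is Yubico's; the sample OTP is constructed for illustration and is not a real credential. Note that the alphabet contains none of the letters (such as y, z, a, q, m, w) whose positions differ between QWERTY, QWERTZ and AZERTY layouts, which is why decoding doubles as a layout-safety check.

```python
# Modhex decoding and format validation for a typed Yubico OTP.
# Added example (not Yubico's code). The alphabet is Yubico's Modhex
# alphabet; SAMPLE_OTP below is constructed and is not a real credential.

MODHEX_ALPHABET = "cbdefghijklnrtuv"  # values 0x0 .. 0xf, in this order
_MODHEX_VALUE = {ch: i for i, ch in enumerate(MODHEX_ALPHABET)}

PUBLIC_ID_CHARS = 12  # 6-byte public identity (links the OTP to a user)
PASSCODE_CHARS = 32   # 16-byte passcode, different on every press


def modhex_encode(data: bytes) -> str:
    """Encode bytes as Modhex: two Modhex characters per byte."""
    return "".join(MODHEX_ALPHABET[b >> 4] + MODHEX_ALPHABET[b & 0x0F] for b in data)


def modhex_decode(text: str) -> bytes:
    """Decode a Modhex string; rejects odd lengths and non-Modhex characters."""
    if len(text) % 2:
        raise ValueError("Modhex string must have an even number of characters")
    try:
        nibbles = [_MODHEX_VALUE[ch] for ch in text.lower()]
    except KeyError as exc:
        # A character outside the alphabet means the string was not typed by a
        # YubiKey as-is (wrong layout, truncated, or not an OTP at all).
        raise ValueError(f"not a Modhex character: {exc.args[0]!r}") from exc
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))


def split_yubico_otp(otp: str) -> dict:
    """Split a typed Yubico OTP into public identity and passcode.

    This only validates the format. Verifying the passcode itself requires
    the credential's AES key, which is held by the validation server.
    """
    otp = otp.strip().lower()
    expected = PUBLIC_ID_CHARS + PASSCODE_CHARS
    if len(otp) != expected:
        raise ValueError(f"expected {expected} characters, got {len(otp)}")
    public_id = otp[:PUBLIC_ID_CHARS]
    passcode = otp[PUBLIC_ID_CHARS:]
    return {
        "public_id": public_id,
        "public_id_hex": modhex_decode(public_id).hex(),
        "passcode": passcode,
        "passcode_bytes": modhex_decode(passcode),
    }


# Constructed sample OTP (12-char public id + 32-char passcode); not real.
SAMPLE_OTP = "ccccccbcgdkh" + "hknhfjbrjnlnldnhcujvddbikngjrtgh"

if __name__ == "__main__":
    parts = split_yubico_otp(SAMPLE_OTP)
    print("public id:", parts["public_id"], "->", parts["public_id_hex"])
    print("passcode :", parts["passcode"], "->", parts["passcode_bytes"].hex())
```

The public identity is what a validation server uses to look up the user's credential; only the 16 decoded passcode bytes are then checked against that credential.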

OTP Deployment

The YubiKey 5 FIPS Series OTP application supports two independent OTP configurations, known as OTP slots. The OTP slots can be configured to output an OTP created with the Yubico OTP or OATH-HOTP algorithm, an HMAC-SHA1 hashed response to a provided challenge, or a static password. A short touch (1 to 3 seconds) on the gold contact triggers the output of OTP slot 1. A long touch (more than 3 seconds) triggers the output of OTP slot 2.

A 6-byte access code can be set on slot 1 and slot 2 independently. Once set, the OTP slot’s access code is required when modifying, overwriting, or deleting the configuration on the respective OTP slot. By default, the YubiKey is shipped without any access code.

FIPS 140-2 Level 2: Placing the OTP Application in FIPS-approved Mode

Each OTP slot must be locked down with an access code for the YubiKey 5 FIPS Series OTP application to be in a FIPS-approved mode of operation. By default, no access code is set for either slot.

  • An access code must be applied to each OTP slot, either:
    • When writing a new configuration or
    • By updating an existing configuration in an OTP slot.
  • An access code cannot be applied to an empty OTP slot.
  • To secure an unused OTP slot, use a blank OTP configuration with an access code.
  • YubiKey 5 FIPS Series devices must either be deployed with
    • The OTP slots already set with an access code, or
    • An OTP application or service that configures the access code on both slots on enrollment.
  • The OTP slot access codes must be archived so that only the crypto officer can access them. Access codes are required when resetting the OTP application.

Using the YubiKey Manager to Set Access Codes

The crypto officer can set an access code to the OTP slots using the YubiKey Manager Command Line Interface (CLI).

To apply an access code to a configuration using the YubiKey Manager CLI, include the flag --new-access-code=<access code> in the OTP configuration string. Use the command:

ykman otp settings --new-access-code=<access code> [OTP Slot]

where -

<access code> is the access code to be set.

For the characteristics of the access code, see Credentials and Permitted Values.

[OTP Slot] is either 1 or 2 corresponding to the OTP configuration being applied to OTP slot 1 or OTP slot 2.

For full details on setting an OTP configuration using the YubiKey Manager CLI, see the section of that name in the YubiKey Manager CLI & GUI Guide.

To fill a blank OTP slot with a default configuration, use the command:

ykman otp chalresp --generate [OTP Slot]

where [OTP Slot] is either 1 or 2 corresponding to the OTP configuration being applied to OTP slot 1 or OTP slot 2.


OATH: FIPS 140-2 with YubiKey 5 FIPS Series

The YubiKey 5 FIPS OATH application can store up to 32 OATH credentials, either OATH-TOTP (time-based) or OATH-HOTP (counter-based), as defined in the OATH specification. These credentials are separate from those stored in the OTP application. They can only be accessed through the CCID channel.

When an OATH-HOTP credential is programmed into an OTP slot, the OTP is generated using the standard RFC 4226 HOTP algorithm and the YubiKey automatically types the OTP. Optionally, the OTP can be prefixed by a public identity conforming to the openauthentication.org Token Identifier Specification.

Managing the OATH credentials and reading the OTPs generated by the YubiKey requires the Yubico Authenticator. The Yubico Authenticator is supported on Windows, Linux, macOS, Android and iOS.

FIPS 140-2 Level 2: Placing the OATH Application in FIPS-approved Mode

For the OATH application to be in a FIPS-approved mode, an Authentication Key that protects access to the YubiKey 5 FIPS Series OATH application is required. For the permitted values for the following operation, see Credentials and Permitted Values.

The crypto officer can set the Authentication Key using the YubiKey Manager Command Line Interface (CLI).

To set an Authentication Key using the YubiKey Manager CLI, use the command:

ykman oath access change -n <Authentication Key>

where <Authentication Key> is the Authentication Key to be set.


FIDO: FIPS 140-2 with YubiKey 5 FIPS Series

FIDO U2F

FIDO U2F is an open standard that provides strong, phishing-resistant two-factor authentication for web services using public key cryptography. U2F does not require any special drivers or configuration to use, just a compatible web browser. The U2F application on the YubiKey can be associated with an unlimited number of U2F sites.

FIDO2

Like FIDO U2F, the FIDO2 standard offers the same high level of security, as it is based on public key cryptography. In addition to providing phishing-resistant two-factor authentication, the FIDO2 application on the YubiKey enables storing resident credentials. Resident credentials can hold the username and other data, which enables truly passwordless authentication. Keys in the YubiKey 5 FIPS Series can hold up to 25 resident keys.

See Locking FIDO2 Credentials.

Placing the WebAuthn Application in FIPS-approved Mode

For the YubiKey WebAuthn application to be in a FIPS approved mode of operation, set a WebAuthn PIN. By default, no WebAuthn PIN is set.

To set or change the WebAuthn PIN, use the YubiKey Manager Command Line Interface (CLI). To set a WebAuthn PIN on the YubiKey Manager CLI, use the command:

ykman fido access change-pin -n<PIN>

where <PIN> is the WebAuthn PIN to be set. See Credentials and Permitted Values for PIN requirements.

U2F

The YubiKey 5 FIPS Series U2F application cannot be used in FIPS 140-2 Level 2 mode. Instead of the U2F functionality, use the FIDO WebAuthn application. FIPS-certified services should not call the U2F functionality; nonetheless, disable the U2F function on the YubiKey to ensure it is not used.

To disable U2F over USB and NFC, use the commands:

ykman config usb -dU2F
ykman config nfc -dU2F

To ensure users cannot enable U2F, secure access to it with a management lock code. To set this code, use the command:

ykman config set-lock-code -n<lock code>

where <lock code> is a 16 byte (32 character) hex value.

Note

The lock code prevents anyone without it from changing the functions that are accessible over NFC or USB. The lock code cannot be recovered if lost. Losing the lock code makes the YubiKey permanently inaccessible.


PIV: FIPS 140-2 with YubiKey 5 FIPS Series

The YubiKey 5 FIPS Series provides a PIV-compatible smart card application. PIV, or FIPS 201, is a US government standard that enables RSA or ECC sign and encrypt operations using a private key stored on a smart card through common interfaces like PKCS#11. On Windows, the smart card functionality can be extended with the YubiKey Smart Card Minidriver. The YubiKey Smart Card Minidriver is not available for Android, Linux, macOS or iOS.

Keys in the YubiKey 5 FIPS Series support extended APDUs, extended Answer To Reset (ATR), and Answer To Select (ATS). Using the PIV APDUs on iOS requires the Yubico iOS SDK.

For YubiKey 5 FIPS Series, some exceptions apply:

  • Do not use non-NIST-approved curves
  • Do not use the following keys:
    • RSA 1,024-bit
    • 3,072-bit keys.
    This applies to Attestation as well.
  • PIN policy = none cannot be used. Select either once or always.

Default Values

  • PIN: 123456
  • PUK: 12345678
  • Management Key (3DES): 010203040506070801020304050607080102030405060708

Supported Algorithms

The YubiKey 5 FIPS Series supports the following algorithms on the PIV smart card application.

  • RSA 1024
  • RSA 2048
  • ECC P-256
  • ECC P-384

Policies

PIN Policy

To specify how often the PIN needs to be entered for access to the credential in a given slot, set a PIN policy for that slot. This policy must be set upon key generation or import; it cannot be changed later.

Touch Policy

In addition to requiring the PIN, the YubiKey can require a physical touch on the metal contact. Similar to the PIN policy, the touch policy must be set upon key generation or import.

Slot Information

The keys and certificates for the smart card application are stored in slots. The PIN policies described below are the defaults, which apply unless they are overridden with a custom PIN policy. These slots are separate from the programmable slots in the OTP application.

Slot 9a: PIV Authentication

This certificate and its associated private key are used to authenticate the card and the cardholder. This slot is used for system login and similar purposes. To perform any private key operations, the end user PIN is required. Once the correct PIN has been provided, multiple private key operations may be performed without additional cardholder consent.

Slot 9c: Digital Signature

This certificate and its associated private key are used for digital signatures on documents, email, files, and executables. The end user PIN is required to perform any private key operations. The PIN must be submitted immediately before each sign operation to ensure cardholder participation for every digital signature generated.

Slot 9d: Key Management

This certificate and its associated private key are used for encryption to assure confidentiality. This slot is used for encrypting emails or files. The end user PIN is required to perform any private key operations. Once the correct PIN has been provided, multiple private key operations may be performed without additional cardholder consent.

Slot 9e: Card Authentication

This certificate and its associated private key are used to support additional physical access applications, such as providing physical access to buildings through PIV-enabled door locks. The end user PIN is NOT required to perform private key operations for this slot.

Slots 82-95: Retired Key Management

These slots are meant for previously used key management keys for decrypting earlier encrypted documents or emails.

Slot f9: Attestation

This slot is used only for attestation of other keys generated on device with instruction F9. This slot is not cleared on reset, but can be overwritten.

Attestation

Attestation enables you to verify that a key on the smart card application was generated on the YubiKey rather than being imported. If the key was generated on the YubiKey, an X.509 certificate was created for the key. Included in the certificate are the following extensions that provide information about the YubiKey.

Firmware

1.3.6.1.4.1.41482.3.3: Firmware version, encoded as three bytes. For example, 050100 indicates firmware version 5.1.0.

Serial Number

  • 1.3.6.1.4.1.41482.3.7: Serial number of the YubiKey, encoded as an integer.
  • 1.3.6.1.4.1.41482.3.8: Two bytes, the first encoding the PIN policy and the second encoding the touch policy.

    PIN Policy
      • 01 - never require PIN
      • 02 - require PIN once per session
      • 03 - always require PIN.

    Touch Policy
      • 01 - never require touch
      • 02 - always require touch
      • 03 - cache touch for 15 seconds.

Form Factor

1.3.6.1.4.1.41482.3.9: YubiKey’s form factor, encoded as a one-byte octet-string.

  • USB-A Keychain: 0x01
  • USB-A Nano: 0x02
  • USB-C Keychain: 0x03
  • USB-C Nano: 0x04
  • USB-C and Lightning®: 0x05
  • Undefined: 0x00
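The following is an added example, not Yubico's code, that decodes the four attestation extensions listed above into readable values and checks that the attested PIN policy is one this page allows for FIPS use (once or always, never none). It assumes each extension value is the DER-encoded primitive found in YubiKey attestation certificates: an OCTET STRING (tag 0x04) for firmware, policies and form factor and an INTEGER (tag 0x02) for the serial number. The sample extension values are constructed; in practice they would be read out of the attestation certificate with an X.509 library.

```python
# Decoder for the YubiKey-specific extensions in a PIV attestation certificate.
# Added example, not Yubico's code. Assumes DER OCTET STRING values for the
# firmware, policy and form factor extensions and a DER INTEGER for the serial
# number. SAMPLE_EXTENSIONS is constructed for illustration.

OID_FIRMWARE = "1.3.6.1.4.1.41482.3.3"
OID_SERIAL = "1.3.6.1.4.1.41482.3.7"
OID_POLICY = "1.3.6.1.4.1.41482.3.8"
OID_FORM_FACTOR = "1.3.6.1.4.1.41482.3.9"

# Byte values from the extension descriptions above.
PIN_POLICY = {0x01: "never", 0x02: "once", 0x03: "always"}
TOUCH_POLICY = {0x01: "never", 0x02: "always", 0x03: "cached"}
FORM_FACTOR = {
    0x00: "Undefined",
    0x01: "USB-A Keychain",
    0x02: "USB-A Nano",
    0x03: "USB-C Keychain",
    0x04: "USB-C Nano",
    0x05: "USB-C and Lightning",
}


def _der_primitive(value: bytes, expected_tag: int) -> bytes:
    """Unwrap a short-form DER TLV and return its content bytes."""
    if len(value) < 2 or value[0] != expected_tag:
        raise ValueError(f"expected DER tag 0x{expected_tag:02x}")
    length = value[1]
    if length & 0x80 or len(value) != 2 + length:
        raise ValueError("malformed or unexpectedly long DER value")
    return value[2:]


def decode_extension(oid: str, value: bytes):
    """Decode one YubiKey attestation extension value by OID."""
    if oid == OID_FIRMWARE:
        fw = _der_primitive(value, 0x04)
        if len(fw) != 3:
            raise ValueError("firmware extension must be 3 bytes")
        return f"{fw[0]}.{fw[1]}.{fw[2]}"          # e.g. 05 01 00 -> "5.1.0"
    if oid == OID_SERIAL:
        return int.from_bytes(_der_primitive(value, 0x02), "big", signed=True)
    if oid == OID_POLICY:
        pol = _der_primitive(value, 0x04)
        if len(pol) != 2:
            raise ValueError("policy extension must be 2 bytes")
        return {
            "pin_policy": PIN_POLICY.get(pol[0], f"unknown(0x{pol[0]:02x})"),
            "touch_policy": TOUCH_POLICY.get(pol[1], f"unknown(0x{pol[1]:02x})"),
        }
    if oid == OID_FORM_FACTOR:
        ff = _der_primitive(value, 0x04)
        if len(ff) != 1:
            raise ValueError("form factor extension must be 1 byte")
        return FORM_FACTOR.get(ff[0], f"unknown(0x{ff[0]:02x})")
    raise ValueError(f"not a YubiKey attestation extension: {oid}")


def describe(extensions: dict) -> dict:
    """Decode a mapping of OID -> raw DER extension value."""
    return {oid: decode_extension(oid, raw) for oid, raw in extensions.items()}


def pin_policy_allowed_for_fips(policy: dict) -> bool:
    """The PIV section above excludes PIN policy 'none': require once or always."""
    return policy["pin_policy"] in ("once", "always")


# Constructed sample values (not from a real certificate).
SAMPLE_EXTENSIONS = {
    OID_FIRMWARE: bytes.fromhex("0403050100"),    # firmware 5.1.0 (the page's example)
    OID_SERIAL: bytes.fromhex("0204009d132a"),    # serial 10294058
    OID_POLICY: bytes.fromhex("04020302"),        # PIN always, touch always
    OID_FORM_FACTOR: bytes.fromhex("040103"),     # USB-C Keychain
}

if __name__ == "__main__":
    info = describe(SAMPLE_EXTENSIONS)
    for oid, decoded in info.items():
        print(oid, "->", decoded)
    print("PIN policy acceptable:", pin_policy_allowed_for_fips(info[OID_POLICY]))
```

Checking the attested policy at enrolment catches keys that were generated with a policy the deployment forbids before their certificates are issued, rather than discovering it in an audit.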

New in YubiKey 5 FIPS Series

ATR and ATS

The ATR has been changed from “Yubikey 4” to “YubiKey” and adds support for ATS.

PIV Attestation Root CA

There are no changes in PIV attestation between the YubiKey 5 Series and the YubiKey 5 FIPS Series. You can find the root certification authority on the PIV attestation page.

PIV/Smart Card Deployment

The YubiKey 5 FIPS Series PIV application implements a PIV-compatible standard as defined in the NIST SP 800-73-4 publication. Access to functions on the YubiKey 5 FIPS Series PIV application is restricted by the management key, the PIN, and the PUK.

The management key is used for:

  • Importing or generating asymmetric key pairs
  • Importing X.509 certificates and associated information
  • Setting the retry counters for PIN (also requires PIN) and PUK

The PIN is used to:

  • Perform cryptographic operations using private keys
  • Change the PIN

The PUK is used to:

  • Unblock and set a new PIN for a blocked PIN
  • Change the PUK

The YubiKey 5 FIPS Series PIV application has the default values:

  • Management Key (010203040506070801020304050607080102030405060708)
  • PIN (123456)
  • PUK (12345678)

FIPS 140-2 Level 2: Placing the PIV Application in FIPS-approved Mode

To place the YubiKey 5 FIPS Series PIV application in the FIPS-approved mode of operation, change the default management key, PIN, and PUK.

YubiKey 5 FIPS Series devices should be deployed using a credential management tool like Microsoft ADCS with YubiKey minidriver or a third party tool. The credential management tool replaces the default values by automatically setting a random value for the management key and PUK and allows the end user to define the PIN.

If the YubiKey 5 FIPS Series PIV application is not being managed with a credential management tool, the management key, PIN, and PUK must be changed by the crypto officer. To do so, use the YubiKey Manager (ykman).

To change the management key, use the command:

ykman piv access change-management-key \
   -m010203040506070801020304050607080102030405060708 \
   -a<algorithm> -n<management key>

where -

<management key> is the new management key

<algorithm> is the key type [Triple-DES, AES-128, AES-192 or AES-256].

To change the PIN, use the command:

ykman piv access change-pin -P123456 -n<PIN>

where <PIN> is the new PIN.

To change the PUK, use the command:

ykman piv access change-puk -p12345678 -n<PUK>

where <PUK> is the new PUK.


FIPS Level 1 vs FIPS Level 2

The YubiKey 5 FIPS Series is certified in two modes of operations:

  • Configuration which meets the requirements for FIPS Level 1
  • More restricted configuration that meets the requirements for FIPS Level 2.

The FIPS Level 2 configuration renders keys in the YubiKey 5 FIPS Series capable of being a component in a framework meeting the highest levels of authentication assurance. However, not every deployment requires this level of security. In cases where a FIPS-certified device is required, but a lower level of assurance is acceptable, the FIPS Level 1 configuration can be used. This provides a user experience like the standard YubiKey 5 Series user experience.

FIPS Initialization Comparison: Level 1 vs Level 2

The FIPS Level 2 requirements include all those for Level 1. Therefore the FIPS Level 2 column in the table below lists only the differences.

YubiKey Function    | FIPS Level 1                                                              | FIPS Level 2
--------------------|---------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------
Touch-Triggered OTP | If writing a configuration to a slot over NFC, use a secure channel.      | Set Access code for both OTP slots. If updating a configuration of either OTP slot or the NDEF behavior, use a secure channel.
OATH                | If writing a credential over NFC, use a secure channel.                   | Set the Management key. When setting the Management key over USB or NFC, use a secure channel. When writing a credential over USB or NFC, use a secure channel.
PIV                 | If importing a key or setting the management key, use a secure channel.   | Change Management key, PIN and PUK from default values. For any operation with the PIV function over NFC, use a secure channel.
U2F                 | No additional requirements                                                | Must not be used. Recommendation: Disable and use the FIDO2 function instead.
FIDO2               | No additional requirements                                                | Set a PIN. Set Credential Protection to level 2 for all discoverable credentials. Credential Registration is not allowed over NFC.
Secure Channel      | Change the default transport keys.                                        | No additional requirements

For more information on secure channel requirements from NIST, see NIST SP 800-63-C and NIST SP 800-63B.

