The YubiKey 4 and 5 series along with the YubiKey NEO support the PersonalIdentity Verification (PIV) interface specified in NIST SP 800-73 document"Cryptographic Algorithms and Key Sizes for PIV". This enables you to performRSA or ECC sign/decrypt operations using a private key stored on the smartcard,through common interfaces like PKCS#11.
For information about what you can do with a PIV-enabled YubiKey, please seethe various sections in the menu on the left.
Technical details about the YubiKey PIV implementation
The default PIN code is 123456. The default PUK code is 12345678.
The default management key (9B) on YubiKeys with firmware up to version 5.7 is a 3DES key with value010203040506070801020304050607080102030405060708.
For YubiKeys with firmware version 5.7 and later, the default management key uses AES-192 instead of 3DES,The management key uses the same default value (3DES and AES-192 keys are the same length).
Note | We urge you to change these values before using the PIV functionality forany non-testing purpose. For details on what these keys do, seeAdmin access. |
The following key slots exist:
9A, 9C, 9D, 9E: RSA 1024, RSA 2048, ECC secp256r1, or secp384r1 keys (algorithms 06, 07, 11, 14 respectively). YubiKeys with firmware 5.7 and up also support RSA 3072, RSA 4096, Ed25519, and X25519 keys (algorithms 05, 16, E0, E1, respectively).
9B: Triple-DES key (algorithm 03) for PIV management. YubiKeys with firmware 5.4 and up also support AES-128 (algorithm 08), AES-192 (algorithm 0A) and AES-256 (algorithm 0C) keys for PIV management.
The maximum size of stored objects is 2025/3052 bytes for current versions ofYubiKey NEO and YubiKey 4 & 5, respectively.
Currently all functionality are available over both contact and contactlessinterfaces (contrary to what the specifications mandate).