The YubiKey supports the Personal Identity Verification (PIV) cardinterface specified in NIST SP 800-73 document "CryptographicAlgorithms and Key Sizes for PIV". PIV enables you to perform RSA orECC sign/decrypt operations using a private key stored on thesmartcard, through common interfaces like PKCS#11. This projectcontain the library, tools and PKCS#11 module to interact with thehardware functionality.
PIV Standards https://csrc.nist.gov/groups/SNS/piv/standards.html
General information
The default PIN code is 123456. The default PUK code is 12345678.
The default 3DES management key (9B) is010203040506070801020304050607080102030405060708.
The following key slots exists:
9A, 9C, 9D, 9E: RSA 1024, RSA 2048, ECC secp256r1 or ECC secp384r1 keys (algorithms 6, 7, 11 respectively).
9B: Triple-DES key (algorithm 3) for PIV management.
The maximum size of stored objects is 2025/3049 bytes for current versions ofYubiKey NEO and YubiKey 4, respectively.
Currently all functionality are available over both contact andcontactless interfaces (contrary to what the specifications mandate).
Preparing a YubiKey for real use
You would typically change the management key to make sure nobody butyou can modify the state of the PIV application on the YubiKey. Make sure tokeep a copy of the key around for later use.All of these invocations will leave traces of keys and pins in the command linehistory, this can be avoided by leaving the argument out all-together and thesoftware will ask for key/pin to be input. For the management key option (-k)this is achieved by leaving out the value but will specifying -k.
key=$(export LC_CTYPE=C; dd if=/dev/urandom 2>/dev/null | tr -d '[:lower:]' | tr -cd '[:xdigit:]' | fold -w48 | head -1)echo ${key}yubico-piv-tool -aset-mgm-key -n${key}
The PIN and PUK should be changed as well.
pin=$(export LC_CTYPE=C; dd if=/dev/urandom 2>/dev/null | tr -cd '[:digit:]' | fold -w6 | head -1)echo ${pin}
puk=$(export LC_CTYPE=C; dd if=/dev/urandom 2>/dev/null | tr -cd '[:digit:]' | fold -w8 | head -1)echo ${puk}
yubico-piv-tool -achange-pin -P123456 -N${pin}yubico-piv-tool -achange-puk -P12345678 -N${puk}
Other useful commands
To generate a new private key:
yubico-piv-tool -k${key} -agenerate -s9c
To reset PIN/PUK retry counter AND codes (default pin 123456 puk12345678):
yubico-piv-tool -k${key} -averify -P${pin} -apin-retries --pin-retries=3 --puk-retries=3
To reset the application (PIN/PUK need to be blocked hence trying a coupleof times — you need to modify this if you have changed the defaultnumber of PIN/PUK retries).
yubico-piv-tool -averify-pin -P471112yubico-piv-tool -averify-pin -P471112yubico-piv-tool -averify-pin -P471112yubico-piv-tool -averify-pin -P471112yubico-piv-tool -achange-puk -P471112 -N6756789yubico-piv-tool -achange-puk -P471112 -N6756789yubico-piv-tool -achange-puk -P471112 -N6756789yubico-piv-tool -achange-puk -P471112 -N6756789yubico-piv-tool -areset
Software
Card management has been tested with the tools from the OpenSCproject, specifically piv-tool, and Yubico’s PIV software (seebelow). Basic features should work with any PIV compliantmiddleware.
Card Holder Unique Identifier
For the application to be usable in windows the object CHUID (Card HolderUnique Identifier) has to be set and unique. The card contents arealso aggressively cached so the CHUID has to be changed if the cardcontents change.