YubiKey
YubiKey refers to the token. It is sometimes referred to as a Security Key or Authenticator. The token supports several communication protocols. For example, you can communicate via USB from your desktop computer, or via NFC from your mobile device.
USB Interfaces
- USB Interface OTP: Sometimes referred to as the keyboard interface, because the YubiKey acts as a USB keyboard.
- USB Interface CCID: The Chip Card Interface Device (CCID) USB interface causes the YubiKey to act as a smart card reader. You interact directly with the apps on the token.
- USB Interface FIDO: The HID-based FIDO USB interface causes the YubiKey to act as a FIDO Authenticator, for use with FIDO protocols and WebAuthn.
Apps
- Management App
- YubiOTP (Proprietary one-time password system)
- OATH (TOTP (Time-based OTP) and HOTP (HMAC-based OTP))
- PIV (Smart Card)
- OpenPGP
- FIDO
Development Libraries
YubiKit is an Android library provided by Yubico to enable YubiKey support in Android apps. Both USB and NFC-enabled YubiKeys are supported.
For raw Application Protocol Data Unit (APDU) access, add the YubiKit Core module to your Android Studio project:
dependencies {
    implementation 'com.yubico.yubikit:core:(insert version here)'
}
For higher-level PIV access, add the following modules to your Android Studio project:
dependencies {
    implementation 'com.yubico.yubikit:android:(insert version here)'
    implementation 'com.yubico.yubikit:piv:(insert version here)'
}
Key Generation Via Key Handles
If you are not using passkeys (which require storage on the token), a YubiKey can use an unlimited number of unique FIDO credentials.
In detail:
During credential registration, a new key pair is randomly generated by the YubiKey, unique to the new credential. The private key, along with some metadata about the credential, is encrypted using authenticated encryption with a master key. This master key is unique per YubiKey, generated by the device itself upon first startup, and never leaves the YubiKey in any form. For FIDO2 capable YubiKeys, this master key is re-generated if FIDO2 RESET is invoked, thereby invalidating any previously created credentials.
The encryption used for each credential is AES-256 in CCM mode, which allows us to cryptographically tie things like the AppID to the private key, ensuring that the credential can only ever be used with the correct RP. The encrypted (and authenticated) data then forms the 64-byte key handle, which is sent to the server as part of the registration flow, to be stored by the RP for later.
For authentication, the RP returns the key handle to the YubiKey. Here it is decrypted to re-form the private key which is needed to sign the challenge to complete the authentication. Due to the authenticated encryption used, we know that the private data has not been altered in any way, and can verify that the credential is being used with the correct AppID.
By using this approach, the YubiKey does not need to store any per-credential data, and can thus register and use any number of credentials. This is true for both U2F and for WebAuthn "non-resident keys". For WebAuthn resident keys, internal storage must still be used. [1]
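The wrap and unwrap cycle described above, as an added example that is not Yubico's code: it uses the AES-256-CCM cipher built into Node.js, with the SHA-256 of the AppID as associated data. The 64-byte layout (12-byte nonce, 36 bytes of ciphertext, 16-byte tag), the 4-byte metadata field, the function names and the example.com / example.net AppIDs are assumptions for illustration; the device's actual key handle format is not given here.

```javascript
// Added example: key-handle wrapping with AES-256-CCM (Node.js built-in crypto).
// The 64-byte layout (12-byte nonce | 36-byte ciphertext | 16-byte tag) and the
// 4-byte metadata field are assumptions for illustration, not Yubico's format.
const crypto = require('node:crypto');

const NONCE_LEN = 12, TAG_LEN = 16, PRIV_LEN = 32, META_LEN = 4;

// U2F application parameter: SHA-256 of the AppID, used as associated data.
const appParam = (appId) => crypto.createHash('sha256').update(appId).digest();

// Registration: wrap a fresh per-credential private key under the master key.
function wrapCredential(masterKey, appId, privateKey, meta) {
  const nonce = crypto.randomBytes(NONCE_LEN);
  const plaintext = Buffer.concat([privateKey, meta]);
  const cipher = crypto.createCipheriv('aes-256-ccm', masterKey, nonce,
    { authTagLength: TAG_LEN });
  cipher.setAAD(appParam(appId), { plaintextLength: plaintext.length });
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, ct, cipher.getAuthTag()]); // key handle for the RP
}

// Authentication: returns { privateKey, meta } or null if the handle was
// altered, made by another device, or presented for a different AppID.
function unwrapCredential(masterKey, appId, keyHandle) {
  if (keyHandle.length !== NONCE_LEN + PRIV_LEN + META_LEN + TAG_LEN) return null;
  const nonce = keyHandle.subarray(0, NONCE_LEN);
  const ct = keyHandle.subarray(NONCE_LEN, keyHandle.length - TAG_LEN);
  const tag = keyHandle.subarray(keyHandle.length - TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-ccm', masterKey, nonce,
    { authTagLength: TAG_LEN });
  try {
    decipher.setAuthTag(tag);
    decipher.setAAD(appParam(appId), { plaintextLength: ct.length });
    const pt = decipher.update(ct);
    decipher.final(); // throws when the CCM tag does not verify
    return { privateKey: pt.subarray(0, PRIV_LEN), meta: pt.subarray(PRIV_LEN) };
  } catch {
    return null;
  }
}

// Constructed demo values: random stand-ins for the device master key and the
// credential private key; example.com / example.net are placeholder AppIDs.
const masterKey = crypto.randomBytes(32);
const privateKey = crypto.randomBytes(PRIV_LEN);
const handle = wrapCredential(masterKey, 'https://example.com', privateKey, Buffer.alloc(META_LEN));
console.log(handle.length, unwrapCredential(masterKey, 'https://example.net', handle));
```

Unwrapping returns null for a modified handle, a different AppID, or a different master key, which is also what happens to previously issued handles once FIDO2 RESET regenerates the master key.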
[1] https://developers.yubico.com/U2F/Protocol_details/Key_generation.html