YubiKey Smart Card Minidriver release notes


This article contains release notes for all historical versions of the YubiKey Smart Card Minidriver (current version available for download here), as well as information regarding configuration and known issues. These release notes are also available compiled with the newest CAB download of the YubiKey Smart Card Minidriver (README.txt).

Note: Microsoft's driver certification process includes tests for compatibility with OSes no longer supported. However, Yubico Support does not extend beyond assuring compatibility.

Current release

Version 4.6.3.252

  • Support YubiKey 5.7+
  • Update PIV library to v2.5.2
  • Support RSA3072 and RSA4096 slots
  • Support Ed25519 containers for visibility
  • Refactor pin verification
  • Implement auth dialog with display scaling for modern Windows versions
  • Isolation aware dialog controls and visual styles for previous Windows versions
  • Add ARM64 target
  • Fix SP80056A Concat KDF
  • Clear reallocated memory in libykpiv
  • Improve buffer length checks in libykpiv and smart card file system
  • Incorporate libykpiv logs in ykmd logs
  • Configurable pin cache policy settings for BaseCSP
  • Configurable map synchronization settings

Configuration

The YubiKey Smart Card Minidriver can be configured for alternate behavior via registry keys. These settings are read from HLKM\Software\Yubico\ykmd:

  • DebugOn (DWORD, default 0): Enables/disables debug logging per process. Log files are written to %SystemDrive%\Logs. To enable debug logging, set this value to non-zero.
  • DebugVerbosity (DWORD, default 0): Sets the verbosity of the logs written when DebugOn is non-zero. Valid values are 0 (card mod only) to 3 (very verbose, with low-level logging enabled).
  • ManageCSPCache (DWORD, default 1): Controls if the minidriver will trim the BaseCSP cached values (container map, certificates) if the minidriver detects changes in the certificates and keys stored on the YubiKey. To disable this functionality, set this value to 0.
  • NewKeyTouchPolicy (DWORD, default 1): This setting enables the (optional) touch policy for PIV. By default (1), touch input is not mandatory for PIV operations. Adjusting the data value to 2 enforces touch input at all times (similar to FIDO2), while setting it to 3 activates the feature but may cache touch input for a limited duration with less frequent requirements.
    Note: While improving security, configuring touch for PIV may have an adverse effect on usability. Note also that this configuration does not impact already configured YubiKeys (the setting must be present at the time of enrollment).
  • ProtectManagement (DWORD, default 1): This setting governs the creation and storage of the PIV card management key within a secure object to enable write access for PIV functionality.
    By default (1), the YubiKey Minidriver will generate a new card management key and store it in a PIN read-protected object (in the YubiKey PIV application) when the factory default value is present during PIN entry (e.g. during enrollment).
    Note: Third party solutions (e.g. CMS products) managing YubiKeys may optionally disable this setting (0) and assume ownership of this feature and dependant processes (e.g. enrollment).
  • RefreshDeviceKeys (DWORD, default 1): This setting controls the behavior of container map synchronization that happens based on the timeout defined by RefreshWindow.
    By default (1), the YubiKey Minidriver will check that the container map stored in the mscmap PIV object matches the container map in the SCardCache. Additionally, the minidriver will enumerate all keys and certificates in the PIV application and then update the map accordingly.
    Note: Disabling (0) this setting can have a major positive performance impact, especially over RDP, however certificates enrolled outside of the YubiKey Minidriver may not be present in the container map as reported to the BaseCSP.
  • RefreshWindow (DWORD, default 300): This setting sets the time interval (in seconds) for how often the YubiKey Minidriver synchronizes the container map reported to the BaseCSP.
    By default the YubiKey Minidriver will perform synchronization when the time difference between the last call from the BaseCSP and current time exceeds 300 seconds.
    During synchronization the minidriver will:
    • Trim the BaseCSP cache (depending on setting of ManageCSPCache).
    • Enumerate the certificates and keys in the PIV application (depending on setting of RefreshDeviceKeys)
    • Ensure the currently cached container map contains the same information as the on-card container map and the list of newly enumerated certificates.
      Note: Setting a higher value than default may have a positive impact on performance without the heavier-handed settings of RefreshDeviceKeys and ManageCSPCache.
  • SupportAlwaysPin (DWORD, default 1): This setting enables/disables support for the 'Always Prompt' PIN_ID in the YubiKey Minidriver.
    The 'Always Prompt' PIN_ID has its PIN_CACHE_POLICY_TYPE set to 'PinCacheAlwaysPrompt' and will be assigned as the PIN for key containers that map to PIV slots that have the PIN_ALWAYS pin policy in the YubiKey PIV application (e.g., slot 9c) in devices that support slot metadata (YubiKey 5.2.7+).
  • AutoFingerprint (DWORD, default 1): For capable devices, prompts for fingerprint without confirmation on the first authentication attempt. To disable this functionality, set this value to 0.
  • UserPinCachePolicy (DWORD, default 0): This setting overrides the PIN_CACHE_POLICY_TYPE for the User PIN_ID in the YubiKey Minidriver.
    The default value is 0 (PinCacheNormal) and this setting may take any of the valid PIN_CACHE_POLICY_TYPE numeric values. See Card PIN Operations for more information.
  • ExternalPinCachePolicy (DWORD, default 2): This setting overrides the PIN_CACHE_POLICY_TYPE for the external PIN_ID in the YubiKey Minidriver. This setting takes the same values as UserPinCachePolicy.
  • PinCacheTimeout (DWORD, default 60): If either UserPinCachePolicy or ExternalPinCachePolicy is set to 'timed' (1), this setting sets the number of seconds for which the BaseCSP should cache the PIN. This is only a recommendation to the BaseCSP and is not implemented by the Minidriver.

Known issues

  • If you have a piv x25519/cv25519 key with certificate on a YK 5.7+, ykmd will expose the container, but because of lack of BaseCSP support, these Ed25519 keys will not be available for cryptographic operations
  • The YubiKey NEO may freeze unexpectedly when trying to save large certificates. The YubiKey NEO supports a max cert size of 2024 bytes.
  • With YubiKey 4 certificate import, the MS certutil program may show an inconsistent number of certificates when the card has reached its maximum storage using the following command:
    certutil -key -csp "Microsoft Base Smart Card Crypto Provider"
  • The Microsoft Base Smart Card Crypto Provider will not see any ECC certificates or keys. This is due to a limitation with the legacy CSP. To view ECC certificate and key information, you must use the Smart Card Key Storage Provider, i.e.: -csp "Microsoft Smart Card Key Storage Provider".
  • The Microsoft Smart Card Key Storage Provider does not support import of ECC keys and certificates through the certutil program. This is a limitation of the certutil program.
  • Previous Windows versions may not be able to verify code integrity of ykmd.dll due to the SHA256 signature applied by our code signing certificate. If you see a "Bad Image" warning when running certutil or see error 3002 in the Microsoft-Windows-CodeIntegrity-Operational log, apply the Microsoft security update KB3033929.
  • If YKMD 3.3.1.5 was installed before YKMD 3.7, YKMD 3.3 is still visible in the Control Panel from either "Apps & features" or "Programs and Features" after upgrading to YKMD 3.7. Using the uninstall feature will remove the application item.
  • If a root certificate update results in a mscp/msroots file > 8kb, the file will be written to the PIV application on the YubiKey correctly, however, some versions of Windows will attempt to write the file to the SCard cache, resulting in a cache item too big error.

Historical releases

Version 4.1.1.210

  • Update PIV library to v2.1.0 (includes updates for YSA-2020-03)

Version 4.1.0.172

  • Update PIV library to v1.7.2
  • Support custom CHUID parsing
  • Adds YubiKey NFC device ATRs for full enrollment support in Windows

Version 4.0.4.164

  • Update PIV library to v1.6.4
  • Support PIN_ALWAYS key usage policy via BaseCSP and Smart Card KSP
  • Rewrite container synchronization to support certificate changes via external tools
  • Smart card file system consistency fixes with changes made through other api functions
  • Implements security fixes recommended by external review

Version 4.0.0.162

  • Update PIV library to v1.6.2
  • Remove implicit transactions on all commands sent to card, defer to CSP
  • Support new YubiKey devices
  • Adds CardAttestContainer extension to Smartcard Minidriver specification
  • Resolves issues with root certificate update for large number of valid CA certs

Version 3.7.3.160

  • Update PIV library to v1.6.0
  • Update release build to use VS 2017
  • Fix certificate parse error if external tool adds blank cert objects
  • Fix RSA key type interpolation from certificate in map synchronization
  • Remove DefaultInstall logic from INF - MS has deprecated supplying both Manufacturer and DefaultInstall sections in HLK for Win10 1803. Note because of this change, right-click install will no longer work on Windows 7 -- use the Device Manager to install or Windows Update.
  • Remove MSI due to Microsoft deprecation of DiFX for Win8.1+

Version 3.7.0.152

  • Add CVE-2017-15361 (ROCA) mitigation on key generation 
  • Add FriendlyName to installer
  • Direct install of UMPass service to mitigate HCK test issues on Win8.1
  • Block PUK on MGM key upgrade if and only if it is default
  • Always call SecureZeroMemory regardless of caller supplied allocator
  • Implement PIN deauthentication without forcing a card reset
  • Fix key container synchronization when keys are added through external apps
  • Fix early transaction exit in some cases in PIV library
  • Fix PIN unblock behavior
  • Initial release for MSI

Version 3.3.1.5

  • First HDC certified release
  • Many fixes to accommodate the HCK/HLK tests

Version 3.0

  • Full implementation of Minidriver v6 and v7.07 specification
  • Full ECC support (P256/P384)
  • Block PUK if PIV MGM key is default

Version 2.0

  • Full support for Windows Smart Card Credential Provider use cases
  • Multiple PIV slot support

Version 2.0

  • Basic Minidriver Specification v7.07 implemented - BaseCSP use cases only
  • Single PIV slot support only
  • RSA (1024/2048) support only