YubiKey 5Ci



Note: This article lists the technical specifications of the YubiKey 5Ci. If you're looking for setup instructions for your YubiKey 5Ci, see https://www.yubico.com/start.

 

The YubiKey 5Ci has six distinct applications, which are all independent of each other and can be used simultaneously. Note: Some software, such as GPG, can lock the CCID USB interface, preventing other software from accessing applications that use that interface.

 

Storage

| YubiKey Application | Firmware 5.7+ | Firmware 5.0 - 5.6 |
|---|---|---|
| FIDO2 | Up to 100 discoverable credentials (unlimited non-discoverable) | Up to 25 discoverable credentials (unlimited non-discoverable) |
| FIDO U2F | Unlimited credentials | Unlimited credentials |
| PIV (Smart card) | Up to 24 certificates* | Up to 24 certificates* |
| OATH | Up to 64 credentials | Up to 32 credentials |
| OTP | Up to 2 credentials | Up to 2 credentials |
| OpenPGP | Up to 3 subkeys (signature, encryption, authentication)** | Up to 3 subkeys (signature, encryption, authentication)** |

 

*YubiKeys comply with the PIV standard for smart cards. See https://developers.yubico.com/PIV/Introduction/Certificate_slots.html for additional details on this standard and the associated slots. When used with Windows and the YubiKey Smart Card Minidriver, it is possible to load up to 12 certificates and use them for authentication. With standard PIV support (no minidriver, and/or operating systems other than Windows), only one authentication certificate is supported, and it must be stored in slot 9a. Most applications that support PIV (no minidriver) will only read from up to the first 4 slots. The remaining slots are intended to hold retired keys for the purpose of preserving the ability to decrypt encrypted e-mail, etc., and for attestation purposes.

 

**All subkeys must be linked to a single OpenPGP identity, which is established when generating the primary key.

 

Interface

The YubiKey 5Ci uses a USB 2.0 interface. All of the applications are available through this interface.

 

Applications

FIDO2

The FIDO2 application allows for secure single and multi-factor authentication, and can store up to 25 discoverable credentials (100 with firmware 5.7+). These credentials, which are protected by a PIN, enable passwordless login, where the YubiKey, unlocked by a PIN and authorized by touch, can log you in to your accounts without entering a username or password. For FIDO certification information, see YubiKey Hardware FIDO2 AAGUIDs.

 

USB Interface: FIDO

 

More about FIDO2

 

FIDO U2F

The U2F application can hold an unlimited number of U2F credentials.

USB Interface: FIDO

 

PIV (Smart Card)

This application provides a PIV compatible smart card. On Windows, the smart card functionality can be enhanced with the YubiKey Smart Card Minidriver.

 

Default Values:

 

  • PIN: 123456
  • PUK: 12345678
  • Management Key: 010203040506070801020304050607080102030405060708

Supported Algorithms:

 

  • ECC P256
  • ECC P384
  • RSA 1024
  • RSA 2048

Additional Supported Algorithms (firmware 5.7+):

 

  • RSA 3072
  • RSA 4096
  • Ed25519
  • X25519

Management Key Algorithms:

  • TDES
  • AES 128/192/256 (firmware 5.4+)

Slot Information:

 

  • Slot 9a: Authentication
  • Slot 9b: Management Key
  • Slot 9c: Digital Signature
  • Slot 9d: Key Management
  • Slot 9e: Card Authentication
  • Slot f9: Attestation
  • Slots 82-95: Retired Key Management

USB Interface: CCID

 

More info about PIV
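
One way to enforce the PIV values above before a key is enrolled, as an added example (not Yubico's code): a preflight check that rejects the factory default PIN, PUK and management key and any slot or algorithm the stated firmware does not list. The function names, the algorithm name strings and the choice to treat slots 9b and f9 as reserved are assumptions of this example.

```python
# Added example (not Yubico code): preflight check of a PIV provisioning
# request against the defaults, algorithms and slots listed on this page.
DEFAULT_PIN = "123456"
DEFAULT_PUK = "12345678"
DEFAULT_MGMT_KEY = "010203040506070801020304050607080102030405060708"

# (minimum firmware, names) per the PIV section; name spellings are this example's own.
PIV_KEY_ALGS = [((5, 0), {"ECCP256", "ECCP384", "RSA1024", "RSA2048"}),
                ((5, 7), {"RSA3072", "RSA4096", "ED25519", "X25519"})]
MGMT_KEY_ALGS = [((5, 0), {"TDES"}), ((5, 4), {"AES128", "AES192", "AES256"})]
MGMT_KEY_BYTES = {"TDES": 24, "AES128": 16, "AES192": 24, "AES256": 32}
# Assumption: only 9a, 9c, 9d, 9e and retired slots 82-95 take user keys here;
# 9b (management key) and f9 (attestation) are treated as reserved.
KEY_SLOTS = {0x9A, 0x9C, 0x9D, 0x9E} | set(range(0x82, 0x96))


def allowed(table, fw):
    """Union of every entry whose minimum firmware is <= fw."""
    return set().union(*(names for min_fw, names in table if fw >= min_fw))


def preflight(fw_version, slot, key_alg, mgmt_alg, pin, puk, mgmt_key_hex):
    """Return a list of 'code: reason' strings; empty means the request passes."""
    fw = tuple(int(part) for part in fw_version.split(".")[:2])
    problems = []
    if slot not in KEY_SLOTS:
        problems.append(f"slot: {slot:02x} is not a PIV key slot")
    if key_alg not in allowed(PIV_KEY_ALGS, fw):
        problems.append(f"key-alg: {key_alg} not supported on firmware {fw_version}")
    if mgmt_alg not in allowed(MGMT_KEY_ALGS, fw):
        problems.append(f"mgmt-alg: {mgmt_alg} not supported on firmware {fw_version}")
    # Normalise the hex so spacing or case cannot hide the factory key.
    mgmt_key = "".join(mgmt_key_hex.split()).lower()
    try:
        key_len = len(bytes.fromhex(mgmt_key))
    except ValueError:
        key_len = -1
    need = MGMT_KEY_BYTES.get(mgmt_alg)
    if need is not None and key_len != need:
        problems.append(f"mgmt-key-length: {mgmt_alg} needs {need} bytes")
    if pin == DEFAULT_PIN:
        problems.append("default-pin: factory PIN must be changed")
    if puk == DEFAULT_PUK:
        problems.append("default-puk: factory PUK must be changed")
    if mgmt_key == DEFAULT_MGMT_KEY:
        problems.append("default-mgmt-key: factory management key must be changed")
    return problems
```
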

 

OATH

The YubiKey 5 Series supports both OATH-TOTP (time based) and OATH-HOTP (counter based). Accessing this application requires Yubico Authenticator.

 

USB Interface: CCID

 

OTP

The OTP application contains two programmable slots, each of which can hold one of the following credentials:

 

  • Yubico OTP
  • HMAC-SHA1 Challenge-Response
  • Static Password
  • OATH-HOTP

USB Interface: OTP

 

OpenPGP

This application implements version 3.4 of the OpenPGP Smart Card specification starting in firmware version 5.2, which can be used with GnuPG. For firmware versions 5.0-5.1, version 2.0 of the OpenPGP Smart Card specification is implemented.

 

Supported Algorithms:

 

  • RSA 1024
  • RSA 2048
  • RSA 3072
  • RSA 4096

Additional Supported Algorithms (firmware 5.2+):

 

  • secp256r1 
  • secp256k1 
  • secp384r1 
  • secp521r1 
  • brainpoolP256r1 
  • brainpoolP384r1 
  • brainpoolP512r1 
  • curve25519
    • x25519 (decipher only)
    • ed25519 (sign / auth only)

USB Interface: CCID

 

Physical Specifications

Form Factor

Connectors: USB-C, Lightning
Dimensions: 12mm x 40.3mm x 5mm
Weight: 2.8g

 

Temperatures

Operational range: 0 °C to 40 °C (32 °F to 104 °F)
Storage range: -20 °C to 85 °C (-4 °F to 185 °F)