YubiKey FIPS (4 Series) CMVP historical validation list


Summary

As cryptographic modules and guidance has revisions, the YubiKey FIPS (4 Series) will be moved to the CMVP Historical List on July 1, 2022 based on the Implementation Guidance for FIPS 140-2 and the Cryptographic Module Validation Program

This does not mean that the overall FIPS-140 certificates for the module have been revoked, rather it indicates that the certificates support functionality that does not align with the latest guidance and/or transitions, and may not accurately reflect how the module can be used in FIPS mode. Section D.8 of the Implementation Guidance calls out that only approved and allowed key agreement techniques can be used in an approved mode of operation after June 30, 2022. 

The YubiKey FIPS (4 Series) current implementation of ECDH does not meet SP 800-56A Rev3 compliance requirements and will therefore be moved to the Historical List. Specifically the PIV application when using the ECC algorithm for decryption is affected. Companies may make a risk determination on whether to continue using the modules on the Historical List based on their own assessment of where and how the module is used.

 

Affected

YubiKey FIPS (4 Series) - all firmware versions under the Affected scenarios section below for information about what the specific use case will be impacted.

  • YubiKey FIPS
  • YubiKey Nano FIPS
  • YubiKey C FIPS
  • YubiKey C Nano FIPS

Not affected devices

  • YubiKey 5 FIPS Series validated and YubiKey 5 Series (non-FIPS) devices are not affected.
  • YubiKey 4 Series (non-FIPS) are not affected.
  • Security Key Series are not affected.

 

Affected scenarios

The YubiKey FIPS (4 Series) current implementation of ECDH does not meet SP 800-56A Rev3 compliance requirements and will be moved to the Historical List. Specifically the PIV application when using the ECC algorithm for decryption is affected. The ECC algorithm is not the default for decryption. 

Other use cases with PIV and ECC are not affected. PIV with RSA for decryption is not affected. FIDO2, FIDO U2F, OATH, Yubico OTP, and OpenPGP are not affected.

 

How to tell if you are affected

FIPS_4_series_decision.png

 

A possible use case where an ECC cert may be used for decryption is email encryption/decryption. Yubico estimates very few customers are using ECC for decryption based on application support available, however, customers could choose this option as a use case.

If the flow chart above determines you may be impacted by this change, but are unsure if the certificates on your YubiKey are ECC, the options below provide steps to check.

 

Option 1 - confirm algorithm in use using ykman cli (preferred)

  1. With YubiKey Manager installed (free, open-source application provided by Yubico), using Command Prompt 
  2. Change directory to the YubiKey Manager program files directory (e.g. cd “C:\Program Files\Yubico\YubiKey Manager”)
  3. Run command ykman piv info

A list of all certificates on the YubiKey will be displayed, including the algorithm (i.e. RSA vs. ECC) used for each certificate.

 

FIPS_4_series_algorithms.png

 

Option 2 - confirm algorithm in use using PowerShell

  1. Within PowerShell, run the command certutil -scinfo
  2. For each certificate present on the YubiKey, Windows Security will ask for the Smart Card PIN.
  3. Once all certificates are read, the Windows Security dialog will display the Certificate List. By clicking the option More choices: all of the certificates can be individually selected.
  4. For each certificate selected, click the option “Click here to view certificate properties”
      • On the Certificate Details page, select the Details tab
      • On the Details tab, the Public key entry will list the algorithm used by the certificate.
  5. Repeat step 4 for each certificate listed.

For both Option 1 and 2 above, if there are no ECC certificates, you are not affected. If certificates using ECC keys are present, review the Customer Actions section below.

 

Customer actions

If you followed the steps above and have identified that you are affected by this issue, there are several options that are available to you identified below. Customers who continue to use PIV with ECC for decryption are encouraged to work with their compliance officer to assess risk, with consideration of SP 800-56A Rev3, and determine if there are any additional impacts.

 

Option 1

Upgrade to the YubiKey FIPS 5 Series, which also includes additional capabilities and form factors. Please contact your Yubico account team or partner to discuss the options available to you. If you do not have a known contact, visit our Contact Sales page for more information.

 

Option 2

For users that require PIV for decryption services, who have previously generated private ECC keys on the YubiKey FIPS (4 Series, firmware version 4.4.5), we recommend regenerating private keys using RSA algorithms. Yubico’s setup instructions for both enroll on behalf and user self enrollment options utilize RSA 2048 by default (per the documentation).

 

Option 3

Do not use PIV for decryption services when using the ECC algorithm.

 

Background

According to NIST reference documents, cryptographic modules may implement various key establishment schemes to establish and maintain secure communication links between modules. Key establishment includes the processes by which secret keying material is securely established between two or more entities. Keying material is data that is necessary to establish and maintain a cryptographic keying relationship. These schemes are classified into key agreement schemes and key transport schemes. Key agreement is a method of key establishment where the resulting keying material is a function of information contributed by two or more participants, so that no party can predetermine the value of the secret keying material independently from the contribution of any other party. Key agreement is performed using key agreement schemes.

On July 1st 2022, validated modules affected by IG D.8 that have not been updated to either reflect the SP 800-56A Rev3 compliance or to remove all the claims of compliance to earlier versions of SP 800-56A in the FIPS approved mode, will be moved to the Historical List. Being listed on the Historical List implies that “the referenced cryptographic module should not be included by Federal Agencies in new procurements. Agencies may make a risk determination on whether to continue using this module based on their own assessment of where and how it is used.”

FIPS 140-2 IG D.8 specifies two scenarios (X1 and X2) that can be claimed as approved key agreement methods past July 1, 2022, apart from the RSA based key agreement scheme. Scenario X1 includes compliance to SP 800-56A Rev3 either by implementing just the shared secret computation or the complete key agreement scheme. Scenario X2 corresponds to the use of the ECC scheme based on non-NIST-recommended Elliptic Curves.

From the Cryptographic Module Validation Program site:

If a validation certificate is marked as historical, Federal Agencies should not include these in new procurement. This does not mean that the overall FIPS-140 certificates for these modules have been revoked, rather it indicates that the certificates and the documentation posted with them are either more than 5 years old, or were moved to the historical list because of an algorithm transition. In these cases, the certificates have not been updated to reflect latest guidance and/or transitions, and may not accurately reflect how the module can be used in FIPS mode. 

Agencies may make a risk determination on whether to continue using the modules on the historical list based on their own assessment of where and how the module is used.

References:

Issue

The YubiKey FIPS (4 Series) will be moved to the NIST Historical List on July 1, 2022 based on the Implementation Guidance for FIPS 140-2 and the Cryptographic Module Validation Program. Specifically, section D.8 of the Implementation Guidance calls out that only approved and allowed key agreement techniques that can be used in an approved mode of operation after June 30, 2022. 

The current implementation of ECDH on the YubiKey FIPS (4 Series) uses a technique that can no longer be used in an approved mode after June 30, 2022. Specifically the PIV application when using the ECC algorithm for decryption is affected.

 

How do I know whether I have YubiKey FIPS (4 Series) or not?

The YubiKey FIPS (4 Series) are marked “FIPS” and will have firmware version 4.4.2, 4.4.4 or 4.4.5. (note there is a Security advisory YSA-2019-02 on 4.4.2 and 4.4.4). If the YubiKey is not marked “FIPS” but you suspect it is a FIPS device you can also use YubiKey Manager to confirm the YubiKey model and firmware version.

 

identifying_fips_4_series.png

 

An example of the YubiKey Manager view follows.

 

ykman_fips.png

 

If the device has a “v5”, most commonly located next to the QR code with exception of C Nano devices, it is a YubiKey 5 FIPS Series which IS NOT affected.

 

fips_v5.png