YubiKey FIPS Series Technical Manual

1 YubiKey FIPS Series Overview

The YubiKey FIPS Series are hardware authentication devices manufactured by Yubico which support one-time passwords, public-key encryption and authentication, and the Universal 2nd Factor (U2F) protocols developed by the FIDO Alliance, with Yubico as a primary contributor and thought leader.

The cryptographic functionality of the YubiKey FIPS Series devices is powered by the FIPS 140-2 certified YubiKey 4 cryptographic module, a single-chip cryptographic processor with a non-extractable key store that handles all of the cryptographic operations. The YubiKey 4 cryptographic module is FIPS 140-2 certified (Overall Level 2, Physical Security Level 3).

YubiKey FIPS Series devices are laser-etched with a “FIPS” marking above the device serial number on the device.

YubiKey FIPS devices

The YubiKey 4 cryptographic module is a secure element that supports multiple protocols and is designed to be embedded in USB security tokens. The module can generate, store, and perform cryptographic operations for sensitive data and can be utilized via an external touch-button for Test of User Presence in addition to a PIN for smart card authentication. The module implements five major functions: Yubico One Time Password (OTP), FIDO Universal 2nd Factor (U2F), PIV-compatible smart card, OpenPGP smart card and OATH OTP authentication.

YubiKey 4 Cryptographic Module, FIPS 140-2 Certificate #: 3204

https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Certificate/3204

YubiKey FIPS Series devices covered by this Certificate

| Product Name | Description |
|---|---|
| YubiKey FIPS | Keychain form factor with USB-A connector |
| YubiKey Nano FIPS | Nano form factor with USB-A connector |
| YubiKey C FIPS | Keychain form factor with USB-C connector |
| YubiKey C Nano FIPS | Nano form factor with USB-C connector |

1.1 YubiKey FIPS Sub-Modules

The YubiKey FIPS Series device features are implemented in five sub-modules:

Sub-Module
Key Features
One Time Password (OTP)
  • 2 Slots for OTP configurations
  •  Supported protocols
    • Yubico OTP 
    • OATH-HOTP
    • Challenge/Response HMAC-SHA1
    • Static password
OATH
  • Up to 32 OATH credentials
  • Supported protocols
    • OATH-TOTP 
    • OATH-HOTP
  • Supported Algorithms
    • HMAC-SHA1
    • HMAC-SHA256
PIV-compatible
  • 24 slots for private keys
  • Supported key algorithms
    • RSA 2048 
    • ECC P256
    • ECC P384
OpenPGP Card
  • PGP Smart Card V2.0
  • Supported Algorithms
    • RSA 2048
    • RSA 3072
    • RSA 4096 (imported only)
FIDO U2F
  • FIDO U2F

2 Deploying YubiKey FIPS Series in FIPS Approved Mode

When using a YubiKey FIPS Series device as an authenticator in a FIPS environment, all of the sub-modules must be in a FIPS approved mode of operation for the YubiKey FIPS Series device as a whole to be considered as operating in a FIPS approved mode. By default, not all of the sub-modules on the YubiKey FIPS Series device are in a FIPS mode of operation. The Crypto Officer deploying the YubiKey FIPS Series device in a secured environment must define and supervise an initialization and delivery process which ensures that each sub-module on the YubiKey FIPS Series device is in a FIPS approved mode of operation before the device is deployed to the user.

The sub-modules on the YubiKey FIPS Series device must be configured in a FIPS approved mode; this can be done using the YubiKey Manager Command Line Interface (CLI) available in the downloads for Windows and macOS at https://www.yubico.com/products/services-software/download/yubikey-manager/.

The PIV and OpenPGP sub-modules have their respective credentials set to default values, and as such are already in a FIPS approved mode. The OTP, OATH and U2F sub-modules must all have their respective credentials set to be in a FIPS mode. The YubiKey Manager can verify the YubiKey FIPS Series device is in a FIPS approved mode of operation with the command:

    ykman info

However, it is highly recommended that all of the credentials across all of the sub-modules are changed from the default values before the YubiKey FIPS Series device is deployed to the end user. 

Credentials and Allowed Values

| Sub-module | Credential | Allowed Values | Credential owner |
|---|---|---|---|
| One Time Password (OTP) | Access Code: OTP Slot 1 | 6 byte access codes | Crypto Officer |
| One Time Password (OTP) | Access Code: OTP Slot 2 | 6 byte access codes | Crypto Officer |
| OATH | Authentication Key | 14-64 byte HMAC SHA1/SHA256 key | Crypto Officer |
| PIV Smart Card | Management Key | 3-key TDES key | Crypto Officer |
| PIV Smart Card | PUK | 6-8 byte PIN | Crypto Officer |
| PIV Smart Card | PIN | 6-8 byte PIN | Authenticated User |
| OpenPGP Smart Card | Admin Password (PW3) | 8 to 127 byte PIN | Crypto Officer |
| OpenPGP Smart Card | Reset Code (RC, Optional) | 8 to 127 byte PIN | Crypto Officer |
| OpenPGP Smart Card | User Password (PW1) | 6 to 127 byte PIN | Authenticated User |
| U2F | PIN | 6 to 32 byte PIN | Crypto Officer |

2.1 One Time Password (OTP)

2.1.1 Overview

The YubiKey FIPS OTP sub-module supports 2 independent OTP configurations, known as OTP slots. Each OTP slot can be configured to output an OTP created with the Yubico OTP or OATH-HOTP algorithm, an HMAC-SHA1 hashed response to a provided challenge, or a static password. Output from OTP slot 1 is triggered by a short touch (1~3 seconds) on the gold capacitance sensor, and output from OTP slot 2 by a long touch (+3 seconds).

  • When set, an Access Code for each OTP slot is required when modifying, overwriting or deleting the configuration on the respective OTP slot.

2.1.2 Placing the OTP Sub-Module in FIPS Approved Mode

Each OTP slot must be locked down with an Access Code for the YubiKey FIPS OTP sub-module to be in a FIPS approved mode of operation. By default, no Access Codes are set for either slot.

An Access Code must be applied to each OTP slot, either when writing a new configuration or by updating the configuration in an OTP slot where one is already present. An Access Code cannot be set on an empty OTP slot. To secure an unused OTP slot, a blank OTP configuration with an Access Code must be used.

YubiKey FIPS Series devices must either be deployed with the OTP slots already set with an Access Code, or with an OTP application or service which configures the Access Code on both slots on enrollment. The OTP slot Access Codes must be archived in a manner which only allows the Crypto Officer access to them, as the Access Codes are used when resetting the OTP sub-module.

The Crypto Officer can set an Access Code on the OTP slots using the YubiKey Manager Command Line Interface (CLI) available at: https://www.yubico.com/products/services-software/download/yubikey-manager/

To apply an Access Code to a new configuration using the YubiKey Manager CLI, include the flag --access-code=<access code> in the OTP configuration string. The command must be of the format:

ykman otp --access-code=<access code> [OTP configuration]

Where <access code> is the Access Code to be set, and [OTP configuration] is the configuration being loaded. The Access Code must be a hexadecimal string exactly 12 characters in length (6 bytes). For full details on setting an OTP configuration using the YubiKey Manager CLI, see the YubiKey Manager documentation.

To fill a blank OTP configuration with an access code, use the command:

ykman otp --access-code=<access code> \
    chalresp <slot> 000000000000000000000000000000

Where <access code> is the Access Code to be set, and <slot> is either “1” or “2” (without quotes) depending on whether the OTP configuration is being applied to OTP slot 1 or OTP slot 2.

To apply an Access Code to an existing configuration using the YubiKey Manager CLI, use the command:

ykman otp --access-code=<access code> settings <slot> 

Where <access code> is the Access Code to be set, and <slot> is the OTP slot with the existing configuration to be secured.

2.1.3 Verifying the OTP Sub-Module is in FIPS Approved Mode

To verify the YubiKey FIPS OTP sub-module has access codes set for both OTP slots and is in a FIPS approved mode, use the command:

ykman otp info

2.1.4 Recommended OTP Settings

The YubiKey FIPS OTP sub-module will satisfy the security recommendation if the sub-module is operating in the FIPS approved mode.

2.1.5 Resetting the OTP Sub-Module

To reset the YubiKey FIPS OTP sub-module, OTP Slot 1 and OTP Slot 2 must each have their loaded configuration and encryption keys deleted independently. This process cannot be reversed, and the OTP configurations and secrets cannot be recovered or restored. Resetting the OTP slots also removes the access code, which is part of the configuration of each OTP slot. To delete the configuration in an OTP slot, use the command:

ykman otp --access-code=<access code> delete <slot>

Where <slot> is the slot being deleted and <access code> is the access code for that slot. The Access Code must be provided to delete a slot, so it should be recorded and accessible to the Crypto Officer. This command must be run for both slots to reset the YubiKey FIPS OTP sub-module.

2.2 OATH

2.2.1 Overview

The YubiKey FIPS OATH sub-module supports up to 32 OATH credentials, either OATH-HOTP or OATH-TOTP, as defined in the OATH Specification. When utilizing the YubiKey FIPS OATH sub-module, management and usage of the OATH sub-module and Authentication key should be handled by the Yubico Authenticator or other YubiKey FIPS OATH sub-module compatible applications.

  • The Authentication Key is required when adding, deleting and generating OATH credentials. 

2.2.2 Placing the OATH Sub-Module in FIPS Approved Mode

Access to the YubiKey FIPS OATH sub-module must be protected with an Authentication Key for the sub-module to be in a FIPS approved mode of operation. By default, no Authentication Key is set.

The Crypto Officer can set the Authentication Key using the YubiKey Manager Command Line Interface (CLI) available at https://www.yubico.com/products/services-software/download/yubikey-manager/.

To set an Authentication Key using the YubiKey Manager CLI, use the command:

ykman oath set-password -n=<Authentication Key>

Where <Authentication Key> is the Authentication Key to be set. The Authentication Key must be an alphanumeric string between 14 and 64 characters in length.

WARNING: Setting the Authentication Key to a value less than 14 characters in length will cause ykman to pad the entered value with 0s until it is 14 characters long. This will allow shorter Authentication Keys to be accepted, but is not recommended.

2.2.3 Verifying the OATH Sub-Module is in FIPS Approved Mode

Use the YubiKey Manager CLI to verify the YubiKey FIPS OATH sub-module is protected with an Authentication Key and in a FIPS Approved mode. This can be done with the command:

ykman oath info

2.2.4 Recommended OATH Settings

The YubiKey FIPS OATH sub-module will satisfy the security recommendation if the sub-module is operating in the FIPS approved mode.

2.2.5 Resetting the OATH Sub-Module

The YubiKey FIPS OATH sub-module can be reset using the YubiKey Manager CLI. To reset the YubiKey FIPS OATH sub-module, use the command:

ykman oath reset

Resetting the YubiKey FIPS OATH sub-module will remove all loaded OATH credentials, after which they cannot be recovered or restored, as well as the Authentication Key. 

2.3 PIV Smart Card

2.3.1 Overview

The YubiKey FIPS PIV sub-module implements a PIV compatible standard as defined in the NIST SP 800-73-4 publication. Access to functions on the YubiKey FIPS PIV sub-module is restricted by the Management Key, the PIN and the PUK.

  • The Management key is used for: 
    • Importing or generating asymmetric key pairs
    • Importing X.509 certificates and associated information
    • Setting the retry counters for PIN (also requires PIN) and PUK
  • The PIN is used to:
    • Perform cryptographic operations using private keys
    • Change the PIN
  • The PUK is used to:
    • Unblock and set a new PIN for a blocked PIN
    • Change the PUK

The YubiKey FIPS PIV sub-module has the default values: 

  • Management Key (010203040506070801020304050607080102030405060708)
  • PIN (123456)
  • PUK (12345678)

2.3.2 Placing the PIV Sub-Module in FIPS Approved Mode

By default, the YubiKey FIPS PIV sub-module is in the FIPS Approved mode of operation. To change the default Management Key, PIN and PUK, follow the recommended PIV settings to secure the sub-module.

2.3.3 Verifying the PIV Sub-Module is in FIPS Approved Mode

The YubiKey FIPS PIV sub-module is always in a FIPS Approved Mode as the Management Key, PIN and PUK are never undefined.

2.3.4 Recommended PIV Settings

YubiKey FIPS devices should be deployed using a credential management tool, such as Microsoft ADCS with the YubiKey mini-driver or a third-party tool. The credential management tool will replace the default values by automatically setting a random value for the Management Key and PUK, and allow the end user to define the PIN.

If the YubiKey FIPS PIV sub-module is not being managed with a credential management tool, the Management Key, PIN and PUK must be changed by the Crypto Officer. To do so, the YubiKey Manager Command Line Interface (CLI) available at https://www.yubico.com/products/services-software/download/yubikey-manager/ can be used.

To change the Management Key, use the command:

ykman piv change-management-key \
      -m010203040506070801020304050607080102030405060708 \
      -n<management key>

Where <management key> is the new management key.

To change the PIN, use the command: 

ykman piv change-pin -P123456 -n<PIN>

Where <PIN> is the new PIN.

To change the PUK, use the command: 

ykman piv change-puk -p12345678 -n<PUK>

Where <PUK> is the new PUK.

2.3.5 Resetting the PIV Sub-Module

The YubiKey FIPS PIV sub-module can only be reset if both the PIN and the PUK are blocked due to failed authentication attempts exceeding their retry counters. Once the PIN and PUK are blocked, the YubiKey FIPS PIV sub-module can be reset using the YubiKey Manager CLI with the command:

ykman piv reset

Once reset, all data within the YubiKey FIPS PIV sub-module (keys, certificates and information in other data objects) will be removed and cannot be recovered. The only exception is the attestation certificate, which will persist. Resetting the YubiKey FIPS PIV sub-module will restore the Management Key, PIN and PUK to the default values.

2.4 OpenPGP Smart Card

2.4.1 Overview

The YubiKey FIPS OpenPGP sub-module implements the OpenPGP card 2.0 specification. The functions on the OpenPGP sub-module are secured with User Password (PW1), Admin Password (PW3) and optionally the Reset Code (RC). 

  • The Admin Password (PW3) is used for:
    • Importing or generating asymmetric key pairs
    • Reading from or writing to admin data objects
    • Unblocking the User Password (PW1)
    • Setting the Reset Code (RC)
    • Setting the retry counters for PW1 and PW3
  • The User Password (PW1) is used for:
    • Performing cryptographic operations using private keys
    • Reading from or writing to user data objects
  • The Reset Code (RC) is used for:
    • Unblocking the User Password (PW1)

The YubiKey FIPS OpenPGP sub-module has default values:

  • User Password (PW1) (123456)
  • Admin Password (PW3) (12345678)
  • The Reset Code (RC) is optional and does not have a default value.

2.4.2 Placing the OpenPGP Sub-Module in FIPS Approved Mode

By default, the YubiKey FIPS OpenPGP sub-module is in the FIPS Approved mode of operation. To change the default User Password, Admin Password or set a Reset Code, follow the recommended OpenPGP settings to secure the sub-module.

2.4.3 Verifying the OpenPGP Sub-Module is in FIPS Approved Mode

The YubiKey FIPS OpenPGP sub-module is always in a FIPS Approved Mode as the Admin Password and User Password are never undefined.

2.4.4 Recommended OpenPGP Settings

YubiKey FIPS Series devices should be deployed using an OpenPGP application, such as GPG4Win on Windows, for OpenPGP card management.

The User Password (PW1) and Admin Password (PW3) must be changed from the default values. For more details on the process to change the User Password (PW1) and Admin Password (PW3) or to set a Reset Code (RC), refer to the GnuPG man pages.

2.4.5 Resetting the OpenPGP Sub-Module

The YubiKey FIPS OpenPGP sub-module can be reset at any time using the YubiKey Manager CLI with the command:

ykman openpgp reset

Once reset, all data within the YubiKey FIPS OpenPGP sub-module (keys and information in data objects) will be removed and cannot be recovered. Resetting the YubiKey FIPS OpenPGP sub-module will restore the Admin Password and User Password to the default values, and will remove the Reset Code if set previously.

2.5 U2F

2.5.1 Overview

The YubiKey FIPS U2F sub-module supports the FIDO U2F standard as defined by the FIDO Alliance U2F Specification. In addition to the functionality detailed by the FIDO U2F specification, the YubiKey FIPS U2F sub-module allows setting an Admin PIN.

  • When set, the Admin PIN is required to register the U2F sub-module to new FIDO U2F services or accounts. Authentication to those services afterwards does not require the Admin PIN to be supplied.

2.5.2 Placing the U2F Sub-Module in FIPS Approved Mode

For the YubiKey FIPS U2F sub-module to be in a FIPS approved mode of operation, an Admin PIN must be set. By default, no Admin PIN is set. Further, if the YubiKey FIPS U2F sub-module has been reset, it cannot be set into a FIPS approved mode of operation, even with the Admin PIN set.

To set or change the Admin PIN, the YubiKey Manager Command Line Interface (CLI) must be used. To set an Admin PIN using the YubiKey Manager CLI, use the command:

ykman fido set-pin --u2f -n<Admin PIN>

Where <Admin PIN> is the Admin PIN to be set. The Admin PIN must be an alphanumeric string between 6 and 32 characters long.
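
The format rules given for the OTP Access Code (2.1.2), the OATH Authentication Key (2.2.2, including the padding warning) and the U2F Admin PIN above, together with the lengths and factory defaults listed for PIV and OpenPGP, can be checked before a value is ever passed to ykman. The following is an added example, not part of the Yubico manual or of ykman; the function names and the credential "kind" labels are hypothetical, and values are assumed to be ASCII.

```sh
#!/bin/sh
# Added example: pre-flight checks for YubiKey FIPS credential values.
# Function and kind names are hypothetical; limits and defaults are the manual's.
LC_ALL=C; export LC_ALL          # byte-wise lengths and ASCII-only ranges

# Factory default PIV Management Key (section 2.3.1); must not be kept.
DEFAULT_MGMT_KEY=010203040506070801020304050607080102030405060708

# True if the value is non-empty and contains only the given characters.
is_hex()   { case $1 in ''|*[!0-9A-Fa-f]*) return 1 ;; esac; }
is_alnum() { case $1 in ''|*[!0-9A-Za-z]*) return 1 ;; esac; }

# len_between VALUE MIN MAX: true if MIN <= length(VALUE) <= MAX
len_between() { [ "${#1}" -ge "$2" ] && [ "${#1}" -le "$3" ]; }

# check_credential KIND VALUE: 0 = acceptable, 1 = rejected, 2 = unknown kind
check_credential() {
    kind=$1 value=$2
    case $kind in
        otp-access-code)  # exactly 12 hex characters (6 bytes)
            is_hex "$value" && len_between "$value" 12 12 ;;
        oath-key)         # 14-64 alphanumeric; refuse short keys rather than
                          # let them be zero-padded to 14 characters
            is_alnum "$value" && len_between "$value" 14 64 ;;
        u2f-admin-pin)    # 6-32 alphanumeric
            is_alnum "$value" && len_between "$value" 6 32 ;;
        piv-mgmt-key)     # 3-key TDES: 24 bytes = 48 hex characters
            is_hex "$value" && len_between "$value" 48 48 &&
                [ "$value" != "$DEFAULT_MGMT_KEY" ] ;;
        piv-pin)     len_between "$value" 6 8   && [ "$value" != 123456 ] ;;
        piv-puk)     len_between "$value" 6 8   && [ "$value" != 12345678 ] ;;
        openpgp-pw1) len_between "$value" 6 127 && [ "$value" != 123456 ] ;;
        openpgp-pw3) len_between "$value" 8 127 && [ "$value" != 12345678 ] ;;
        *) return 2 ;;
    esac
}

# check_all KIND VALUE [KIND VALUE ...]: names each rejected kind on stderr
# (never the value) and returns the number of rejections.
check_all() {
    bad=0
    while [ "$#" -ge 2 ]; do
        check_credential "$1" "$2" || { echo "rejected: $1" >&2; bad=$((bad + 1)); }
        shift 2
    done
    return "$bad"
}
```

Source the file in the provisioning script and call check_all with the generated values before running any ykman command; a non-zero return means at least one value is malformed or still a factory default.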

2.5.3 Verifying the U2F Sub-Module is in FIPS Approved Mode

Use the YubiKey Manager CLI to verify the YubiKey FIPS U2F sub-module is in a FIPS Approved mode. This can be done with the command:

ykman fido info

If the Admin PIN is set and the YubiKey FIPS U2F sub-module has not been reset previously, then the command will indicate the U2F sub-module is in the FIPS approved mode.

2.5.4 Recommended U2F Settings

The YubiKey FIPS U2F sub-module will satisfy the security recommendation if the sub-module is operating in the FIPS approved mode.

WARNING: The FIDO U2F Standard currently does not support the user entering a U2F Admin PIN at registration.

To supply the Admin PIN, use ykman and the command:

ykman fido unlock -P<Admin PIN>

Where <Admin PIN> is the Admin PIN set. This will unlock the YubiKey FIPS U2F sub-module for U2F registration on all U2F clients, including supported browsers, until the YubiKey FIPS Series device is power-cycled. Once unlocked, U2F registration proceeds as normal.

2.5.5 Resetting the U2F Sub-Module

The YubiKey FIPS U2F sub-module can be reset using the YubiKey Manager CLI. To reset the YubiKey FIPS U2F sub-module, use the command:

ykman fido reset

Resetting the YubiKey FIPS U2F sub-module will regenerate the U2F key wrapping key, thus disabling all the U2F credentials associated with the device. The device cannot be used to authenticate to previously registered U2F services or accounts. During the reset process, the U2F attestation certificate will be overwritten with a hard-coded, self-signed attestation certificate.

WARNING: Resetting the YubiKey FIPS U2F sub-module will prevent the sub-module from being set to the approved FIPS mode of operation afterwards. This in turn will prevent the YubiKey FIPS device from being set into the FIPS approved mode overall, and it can no longer be deployed as a FIPS authenticator. Further, some U2F sites or services may not support the replacement self-signed attestation key because they require an attestation certificate with a verified chain to a trusted root. For U2F sites or services where this is a requirement, the reset YubiKey FIPS U2F sub-module will not be able to register or authenticate to them.
