YubiKey

YubiKey 4 on the key ring and next to it the Nano design

The YubiKey is a security token from Yubico that is used with interfaces such as Near Field Communication (NFC) or USB and various protocols to identify and authenticate users on computer systems. Among other things, it allows secure passwordless authentication. Yubico uses open source software such as OpenPGP and open standards such as U2F for two-factor authentication for the Microsoft Windows , macOS and Linux operating systems . For security reasons, software on YubiKey can neither be read nor changed. In the event of an update, the device must be replaced by a new model. Secret private key data can be generated on the token or written to the token, but not subsequently read out.

Since the YubiKey hardware - in contrast to competing products such as the Nitrokey family from Nitrokey or the Solo family from SoloKeys - is not open source , independent tests for backdoors or security gaps are hardly possible.

construction

YubiKeys are housed in waterproof housings. They contain a USB port with USB-A connector or the newer USB-C connector as the primary interface . The button on the security token required for some operating modes to confirm an action is designed as a sensor button with no mechanically moving parts. YubiKey Neo and YubiKey 5 include a contactless NFC interface, and the power supply for the YubiKey is also provided via NFC. The range of functions is identical for both interfaces.

The YubiKey 4 and YubiKey NEO models use a microcontroller from NXP Semiconductors . In the successor model YubiKey 5, the number of components has been reduced. The used crypto processor from Infineon type SLE 78CLUFX5000PH allows Sicherheitszertifizierbarkeit to stage EAL6 . It is protected against read-out of saved memories and all interfaces such as USB connection and NFC interface.

Logs

YubiKeys can emulate three different types of virtual USB devices via the USB interface and thus offer a wide range of functions: OTP , FIDO and CCID . The three USB protocols can be combined with each other or, if not required, can also be deactivated.

The USB protocol OTP, derived from the term one-time pad, represents the original USB protocol for security token. It allows the YubiKey the configuration of two so-called slots , German about storage locations . Each slot can independently accommodate a function including the necessary data such as secret keys. With YubiKey 4 these are the following options for OTP:

• Yubico OTP, a proprietary one-time pad process from Yubico.
• Challenge-response authentication using HMAC-SHA1 .
• Static password. The YubiKey emulates a virtual USB keyboard and thus allows the password to be entered directly into the password field in the respective application without additional software.
• HOTP according to the Initiative For Open Authentication (OATH).

The respective OTP function can or must be linked to the sensor key, i. H. to release one expresses one's consent by pressing a button. Depending on how long you press the button, the function is triggered from slot 1 or slot 2.

With the USB protocol FIDO (for FIDO Alliance ), the YubiKey provides the Universal Second Factor ( U2F ). The Yubico FIDO model only offers the FIDO USB protocol. The U2F procedure requires the confirmation of the user on the token, as otherwise the token refuses the U2F response. This function is taken over by the sensor key, which must be pressed once for each U2F action. In the context of U2F, in contrast to other operational data, no user-specific data is stored on the token. YubiKey 5 also supports the W3C standard WebAuthn , which is part of the FIDO2 project and is based on U2F and UAF ( English Universal Authentication Framework ).

With the third USB protocol CCID , the YubiKey emulates a chip card reader on the USB port and offers unchangeable smart card applications programmed by the manufacturer that comply with the ISO 7816 chip card standard . The following CCID applications, among others, are available on the YubiKey 4 (these require appropriate software on the host system):

In October 2017 it became known that the CCID application OpenPGP, which is used, among other things, for the YubiKey 4 is based on the defective RSALib software library from Infineon , which makes the generation of RSA key pairs directly on the token susceptible to ROCA vulnerability . Yubico replaced affected devices with new YubiKeys free of charge.