
It's a simple question, but there's no answer on Yubico's website.

When I receive a Yubico (from the Yubico 4 series), I know I can sign code, for example. But how is the key inside it generated? Is it generated during the manufacturing process? Can I generate a key on my computer and upload it to it?

  • Can you specify which key you're referring to? The key used in U2F, or a PGP key?
    – Hartman
    Commented Sep 6, 2017 at 6:23
  • The keys in the 4 series are all capable of the same things, which includes PGP.
    Commented Sep 7, 2017 at 2:31

1 Answer


U2F

The keys used in U2F are generated by the device itself; you can't do it yourself. Yubico's developer webpage explains it very clearly. In short, take a look at the graph below.

[Image: U2F Private Key Generation Description]

The Device Secret is generated in the manufacturing phase. As far as I know, this secret can't be changed by a software tweak. The AppID is equal to the web service URL. At the time of generation, an integrated RNG generates a Nonce, which is fed into HMAC-SHA256 together with the AppID, keyed with the device secret; the output is the private key. Then the private key and the AppID are fed into the HMAC function again, and the output is concatenated with the nonce, which becomes the key handle. The public key is generated from the private key and sent together with the key handle to the web service.

X.509/PIV

This is the part about code signing and the key used to do it. Yes, you can generate a private key on your own machine and upload it to the YubiKey. Take a look at Yubico's PIV explanation, especially the articles under Introduction/Certificate slots, Tools/YubiKey PIV Manager (if you use Windows) and Guides.

OpenPGP

Yubico is a bit lacking in explaining this part, so I found a great GitHub repo contributed by drduh which contains a full explanation of how to use OpenPGP with a YubiKey.
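The U2F derivation described in the answer above, as an added example that is not part of the original answer and is not Yubico's firmware or any code from Yubico: a stand-library Python model of how a stateless device can "store" an unlimited number of per-site keys without storing anything, by re-deriving the private key from its device secret, the AppID and the nonce carried in the key handle. The byte order inside the key handle (nonce first, then the MAC) and the use of the 32-byte HMAC output as the ECDSA P-256 scalar are assumptions of this example; the point being demonstrated is the check in `recover`, which is what makes a key handle useless on another origin or another device. The device secret here is a random value generated for the demo only.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed for this example: in a real YubiKey the device secret is set at
# manufacture and never leaves the secure element. Here it is just random bytes.
DEVICE_SECRET = os.urandom(32)


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over the concatenation of parts, keyed with the device secret."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def register(device_secret: bytes, app_id: str, nonce: bytes | None = None) -> tuple[bytes, bytes]:
    """Registration: derive a per-(device, AppID) private key and its key handle.

        private_key = HMAC(secret, nonce || AppID)
        key_handle  = nonce || HMAC(secret, private_key || AppID)

    `nonce` is normally drawn from the on-device RNG; it can be passed in so
    the derivation can be checked deterministically.
    """
    if nonce is None:
        nonce = os.urandom(32)
    app = app_id.encode()
    # 32 bytes; in the real protocol this would be used as the ECDSA P-256
    # private scalar (assumption of this model) and the public key sent to the site.
    private_key = _mac(device_secret, nonce, app)
    tag = _mac(device_secret, private_key, app)
    return private_key, nonce + tag


def recover(device_secret: bytes, app_id: str, key_handle: bytes) -> bytes | None:
    """Authentication: the relying party sends back the key handle it stored
    and the device rebuilds the private key. Returns None when the handle was
    not issued by this device for this AppID, so a handle captured from one
    site cannot be used against another, nor on a different YubiKey.
    """
    if len(key_handle) != 64:
        return None
    nonce, tag = key_handle[:32], key_handle[32:]
    app = app_id.encode()
    private_key = _mac(device_secret, nonce, app)
    # Constant-time compare of the MAC; a mismatch means wrong AppID, wrong
    # device secret, or a tampered handle.
    if not hmac.compare_digest(_mac(device_secret, private_key, app), tag):
        return None
    return private_key


def demo() -> dict:
    """Exercise the happy path and the three failure modes."""
    app_id = "https://example.com"   # constructed AppID
    priv, handle = register(DEVICE_SECRET, app_id)
    other_device_secret = os.urandom(32)  # a second, unrelated YubiKey
    tampered = bytes([handle[0] ^ 0x01]) + handle[1:]
    return {
        "same_device_same_app": recover(DEVICE_SECRET, app_id, handle) == priv,
        "same_device_other_app": recover(DEVICE_SECRET, "https://attacker.example", handle),
        "other_device": recover(other_device_secret, app_id, handle),
        "tampered_handle": recover(DEVICE_SECRET, app_id, tampered),
        "handle_len": len(handle),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note what the model shows about the answer's last sentence: nothing secret is stored per site, so the "key" that leaves the device is only the public key plus a handle that is opaque without the device secret, and the MAC check is the only thing standing between a stolen key handle and a cross-origin or cross-device replay.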
