yubico

Possible to prevent PIV export (private keys) from yubikey?

Using the Yubico PIV Tools and YubiKey PIV Manager, I can load my client TLS certificate into the PIV slot and use it for authentication in Firefox. This is great. However...

Is there any way to prevent export of the private key of the PIV? As far as I can tell, the PIV management key only protects the device from modification, but does nothing to protect the contained contents from export.

If this is accurate, the YubiKey doesn't really seem to function as a PIV 2FA device, since 2-factor presumes "something you have", and any machine I plug the device into (or software running in the background) can just make a fully functional soft copy.

I cross-posted this question in the Yubico forums.

Here's how I demonstrated the problem:

  1. Exported cert via "YubiKey PIV Manager" (my-cert.crt)
  2. Deleted cert from YubiKey via "YubiKey PIV Manager"
  3. Imported cert via "YubiKey PIV Manager" (my-cert.crt)
  4. Restarted Firefox (with OpenSC loaded)
  5. I was still able to authenticate via PIV

Solution

  • TL;DR

    YubiKey does not allow export of the private key, just the public cert. Instead I was demonstrating (what I see as) a bug in YubiKey PIV Manager. It doesn't delete private keys properly.

    UPDATE: A comment below suggests this has been patched. I have not verified it, but I would bet it has been in the passing years.

    Kudos Yubico

    First off, although I am going to point out what I see as a bug in YubiKey, I have to say, I was extremely impressed with the end-user support provided by Yubico. And I quote:

    we try to help everyone who submits a support case. even the white haired grandma next door

    Properly Clearing the PIV Private Key

    Since "Delete certificate" didn't delete the private key from the YubiKey, re-loading the public key (which can be exported by YubiKey) resulted in a functional PIV interface.

    I was able to demonstrate two other methods that actually do clear the private key:

    Method 1: Load a Different Cert

    I wasn't able to authenticate when I:

    1. Loaded my cert and exported a copy from yubikey (my-cert.crt)
    2. Loaded a different pfx/p12 file
    3. Loaded my-cert.crt

    Method 1.1: Generate a Random Cert

    It recently dawned on me that this is the simplest method. Just a couple of button pushes in the "YubiKey PIV Manager".

    Method 2: "Reset" the PIV Module

    I wasn't able to authenticate when I:

    1. Loaded my cert and exported a copy from yubikey (my-cert.crt)
    2. "Reset" my yubikey PIV module
      • I reset with this command: yubico-piv-tool -areset

      • Strangely, I had to lock out my PIN and PUK first. The easiest way is to run the following commands and input bad inputs more than 3 times (In the case of PUK, you have to enter a valid new PIN and a bad PUK. Ugh.):

          # Use to lock out the PIN: enter a wrong PIN until the retry counter hits zero
          yubico-piv-tool -averify-pin
          # Use to lock out the PUK: enter a valid new PIN and a wrong PUK until the counter hits zero
          yubico-piv-tool -aunblock-pin

    Is this a Bug?

    Considering how painful the other two methods of resetting the private key are, "Delete certificate" is by far the easiest method of "wiping" your cert from the device. Nothing suggests the other two methods are necessary.

    Yubico suggested that "reset" was the recommended action before passing the device off to another user.

    Personally, I see this as a bug, but I don't know if Yubico is sold yet.

    Here's the bad scenario I envision:
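As an added example (not code from the question, the answer, or Yubico), the check the thread is really about: after "Delete certificate", ask the slot to sign with the exported cert; if the signature verifies, the private key is still on the device. It assumes yubico-piv-tool on PATH (override with PIV_TOOL), the exported certificate file, the slot PIN, and the management key for the overwrite step; the slot, PIN and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes yubico-piv-tool on PATH
# (override with PIV_TOOL), a certificate previously exported from the slot,
# the slot's PIN, and the management key for the overwrite step.
PIV_TOOL="${PIV_TOOL:-yubico-piv-tool}"

# Ask the device to sign with the key in SLOT and verify that signature against
# CERT (yubico-piv-tool's test-signature action). Exit 0 means the private key
# matching CERT is still on the device, whatever the certificate slot shows.
key_still_present() {
  slot="$1"; cert="$2"; pin="$3"
  "$PIV_TOOL" -a verify-pin -P "$pin" -a test-signature -s "$slot" -i "$cert" \
    >/dev/null 2>&1
}

# One-line verdict for SLOT, used after "Delete certificate" to confirm the
# key is really gone before handing the device to someone else.
report_key_state() {
  if key_still_present "$1" "$2" "$3"; then
    echo "PRIVATE KEY STILL PRESENT in slot $1 (matches $2)"
  else
    echo "slot $1: no key matches $2"
  fi
}

# Method 1.1 from the answer as a command: generating a throwaway key pair in
# the slot overwrites the old private key; the new public key goes to /dev/null.
wipe_slot_key() {
  slot="$1"; mgmt_key="$2"
  "$PIV_TOOL" -a generate -s "$slot" -A ECCP256 --key="$mgmt_key" -o /dev/null
}

# Usage: sh piv-key-check.sh 9a my-cert.crt 123456   (does nothing with no args)
if [ "$#" -ge 3 ]; then
  report_key_state "$1" "$2" "$3"
fi
```

Run it once before deleting the certificate (expect "still present") and again afterwards; if the verdict does not change, the key survived and wipe_slot_key or a reset is needed.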