3

Using the Yubico PIV Tools and YubiKey PIV Manager, I can load my client TLS certificate into the PIV slot and use it for authentication in Firefox. This is great. However...

Is there any way to prevent export of the private key of the PIV? As far as I can tell, the PIV management key only protects the device from modification, but does nothing to protect the contained contents from export.

If this is accurate, the YubiKey doesn't really seem to function as a PIV 2FA device, since 2-factor presumes "something you have", and any machine I plug the device into (or software running in the background) can just make fully functional soft copy.

I cross-posted this question in the Yubico forums.

Here's how I demonstrated the problem:

  1. Exported cert via "YubiKey PIV Manager" (my-cert.crt)
  2. Deleted cert from YubiKey via "YubiKey PIV Manager"
  3. Imported cert via "YubiKey PIV Manager" (my-cert.crt)
  4. Restarted Firefox (with OpenSC loaded)
  5. I was still able to authenticate via PIV
Ryan
  • 1,171
  • 1
  • 10
  • 23

1 Answers1

9

TL;DR

YubiKey does not allow export of the private key, just the public cert. Instead I was demontrating (what I see as) a bug in YubiKey PIV Manager. It doesn't delete private keys properly.

Kudos Yubico

First off, although I am going to point out what I see as a bug in YubiKey, I have to say, I was extremely impressed with the end-user support provided by Yubico. And I quote:

we try to help everyone who submits a support case. even the white haired grandma next door

Properly Clearing the PIV Private Key

Since "Delete certificate" didn't delete the private key from the YubiKey, re-loading the public key (which can be exported by YubiKey) resulted in a functional PIV interface.

I was able to demonstrate two other methods that actually do clear the private key:

Method 1: Load a Different Cert

I wasn't able to authenticate when I:

  1. Loaded my cert and exported a copy from yubikey (my-cert.crt)
  2. Loaded a different pfx/p12 file
  3. Loaded my-cert.crt

Method 1.1: Generate a Random Cert

It recently dawned on me that this is the simplest method. Just a couple of button pushes in the "YubiKey PIV Manager".

Method 2: "Reset" the PIV Module

I wasn't able to authenticate when I:

  1. Loaded my cert and exported a copy from yubikey (my-cert.crt)

  2. "Reset" my yubikey PIV module

    • I reset with this command: yubico-piv-tool -areset

    • Strangely, I had lock out my PIN and PUK first. The easiest way to run the following commands and input bad inputs more than 3 times (In the case of PUK, you have to enter a valid new PIN and a bad PUK. Ugh.):

      # Use to lock out PIN
yubico-piv-tool -averify-pin
# Use to lock out PUK
yubico-piv-tool -aunblock-pin

Is this a Bug?

Considering how painful the other two methods of resetting the private key are, "Delete certificate" is by far the easiest method of "wiping" your cert from the device. Nothing suggests the other two methods are necessary.

Yubico suggested that "reset" was the recommended action before passing the device off to another user.

Personally, I see this as a bug, but I don't know if Yubico is sold yet.

Here's the bad scenario I envision:

  • I load my public/private key pair
  • I delete my public key from the device (but silently leave the private key intact)
  • I reset the admin PIN
  • I hand the device over to someone else to use
  • The second person uploads my public cert and gets a working copy of my public/private pair
Ryan
  • 1,171
  • 1
  • 10
  • 23
  • 1
    Has this been fixed? – bers Feb 12 '20 at 07:19
  • 1
    @bers it seems yes. Just reproduced the exporting, deleting and reimporting of the certificate on a yubikey; without resetting the PIV. Was not able anymore to login on windows fortunately - as mentioned from @Ryan; the private key is missing in the exported key. – TefoD Dec 25 '21 at 05:38