
I’m developing following this reference guide; I’m trying a simple HMAC-SHA1 challenge/response with APDU commands.

I tested the APDU commands with a Yubikey 4: it works without problems

Using reader: "Yubico Yubikey 4 CCID 0"
Sending APDU: "00a4040008a000000527200101"
APDU response: "040301030300010f00009000"
Sending APDU: "000130000953616d706c65202332"
APDU response: "0922d3405faa3d194f82a45830737d5cc6c75d249000"

The same commands fail with my Yubikey 5 nano:

Using reader: "Yubico YubiKey OTP+CCID 0"
Sending APDU: "00a4040008a000000527200101"
APDU response: "0504030303009000"
Sending APDU: "000130000953616d706c65202332"
APDU response: "6985"

The 69 85 response means "Conditions of use not satisfied."

Both slots are configured for HMAC-SHA1 challenge. I suspect there is some bug in the Yubikey 5 firmware: is there something I’m missing?

  • Have you looked up the meaning of the commands and responses? I mean, just sending bytes specified in hexadecimals without understanding what they do or what is returned seems lazy at best. That's like saying that you don't understand what was said in Morse code, it only did beep beeperdy beep. – Maarten Bodewes Jun 09 '22 at 09:47
  • I'm not throwing random bytes: look at the link to the reference guide in my post, it describes the commands and responses. The final 69 85 response with the Yubikey 5 should be the HMAC-SHA1 response. – Jean-Francois Romang Jun 10 '22 at 14:21
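To make the two transcripts in the question checkable offline, here is an added Python example (not part of the original post or of Yubico's code) that decodes the command and response APDUs, reads the firmware version out of the SELECT response, maps the status word, and recomputes the HMAC-SHA1 over the challenge to verify the YubiKey 4 answer. The slot key is an assumption: the challenge "Sample #2" and the 20 returned bytes match the FIPS 198 HMAC-SHA1 test vector whose key is the bytes 0x30 through 0x43, so the example assumes slot 1 was programmed with that key. The `SLOT_COMMANDS` names are the Yubico OTP slot command codes (0x30 is the one on the page); everything else is constructed for the example.

```python
import hashlib
import hmac

# Constructed from the question's transcripts: the APDUs sent and the
# responses returned by each key, as printed (hex strings).
SELECT_OTP_APDU = "00a4040008a000000527200101"
CHALLENGE_APDU = "000130000953616d706c65202332"
YK4_SELECT_RESPONSE = "040301030300010f00009000"
YK4_CHALLENGE_RESPONSE = "0922d3405faa3d194f82a45830737d5cc6c75d249000"
YK5_SELECT_RESPONSE = "0504030303009000"
YK5_CHALLENGE_RESPONSE = "6985"

# Assumption: slot 1 holds the 20-byte FIPS 198 "Sample #2" key (0x30..0x43).
ASSUMED_SLOT_KEY = bytes(range(0x30, 0x44))

# ISO 7816-4 status words seen (or likely) in this exchange.
STATUS_WORDS = {
    0x9000: "Success",
    0x6985: "Conditions of use not satisfied",
    0x6A82: "File or application not found",
}

# Yubico OTP slot command codes carried in P1 of INS 0x01.
SLOT_COMMANDS = {0x30: "CHAL_HMAC1", 0x38: "CHAL_HMAC2"}


def parse_command_apdu(hex_apdu):
    """Split a short command APDU into CLA, INS, P1, P2 and its data field."""
    raw = bytes.fromhex(hex_apdu)
    if len(raw) < 4:
        raise ValueError("command APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = raw[:4]
    data = b""
    if len(raw) > 4:
        lc = raw[4]
        data = raw[5:5 + lc]
        if len(data) != lc:
            raise ValueError("Lc does not match the data field length")
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": data,
            "slot_command": SLOT_COMMANDS.get(p1) if ins == 0x01 else None}


def parse_response_apdu(hex_resp):
    """Split a response APDU into its data and the trailing SW1SW2 word."""
    raw = bytes.fromhex(hex_resp)
    if len(raw) < 2:
        raise ValueError("response APDU shorter than the 2-byte status word")
    sw = int.from_bytes(raw[-2:], "big")
    return {"data": raw[:-2], "sw": sw,
            "status": STATUS_WORDS.get(sw, "Unknown status word")}


def firmware_version(select_response_hex):
    """The OTP application's SELECT response starts with major.minor.patch."""
    data = parse_response_apdu(select_response_hex)["data"]
    return "%d.%d.%d" % (data[0], data[1], data[2])


def verify_challenge_response(command_hex, response_hex, key):
    """Check the key's answer against a locally computed HMAC-SHA1."""
    cmd = parse_command_apdu(command_hex)
    resp = parse_response_apdu(response_hex)
    if resp["sw"] != 0x9000:
        return False, resp["status"]
    if len(resp["data"]) != hashlib.sha1().digest_size:
        return False, "unexpected response length %d" % len(resp["data"])
    expected = hmac.new(key, cmd["data"], hashlib.sha1).digest()
    if hmac.compare_digest(expected, resp["data"]):
        return True, "HMAC-SHA1 response verified"
    return False, "HMAC-SHA1 mismatch"


if __name__ == "__main__":
    for name, sel, resp in (("YubiKey 4", YK4_SELECT_RESPONSE, YK4_CHALLENGE_RESPONSE),
                            ("YubiKey 5", YK5_SELECT_RESPONSE, YK5_CHALLENGE_RESPONSE)):
        ok, detail = verify_challenge_response(CHALLENGE_APDU, resp, ASSUMED_SLOT_KEY)
        print(name, "firmware", firmware_version(sel), "->", ok, detail)
```

Run as-is, the script reports the YubiKey 4 (firmware 4.3.1) response as a verified HMAC-SHA1 over "Sample #2" and the YubiKey 5 (firmware 5.4.3) response as the status "Conditions of use not satisfied", which is the same reading of 69 85 given in the question; the version parsing is what lets you tell from the SELECT response alone which firmware you are talking to.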

1 Answer


I received an answer from the Yubico customer support; this is a 5.4.3 firmware limitation.

In the YubiKey 5.4.3 firmware, when communicating over a physical connection, the OTP function can only accept APDUs which configure the OTP behaviors. If you would like to access the Challenge-Response over a physical connection, please use the HID interface - this is detailed in the Desktop SDK documentation: https://docs.yubico.com/yesdk/users-manual/application-otp/how-to-calculate-a-challenge-response-code.html. Please be aware that the current limitation is only for the physical connection. When communicating with the YubiKey over NFC, the Challenge-Response function works as expected, and the APDUs will behave in the same manner as observed in the 4.X firmware.