10.2 Keys for Yubico smart cards

This section provides information you need when setting up keys for Yubico cards.

Note: Information about the default keys for YubiKey 5 cards is available in the YubiKey 5 Series Technical Manual.

10.2.1 Cryptographic keys for Yubico cards

When you configure the cryptographic keys, use the following details:

                                                     | YubiKey 4    | YubiKey 5    | YubiKey FIPS
Credential Type in MyID                              | YubiKey 4    | YubiKey 5    | YubiKey FIPS
GlobalPlatform Secure Channel                        | n/a          | n/a          | n/a
Factory GlobalPlatform Key Type                      | n/a          | n/a          | n/a
Factory GlobalPlatform Key Diversification Algorithm | n/a          | n/a          | n/a
Factory PIV 9B Key Encryption Type                   | 3DES         | 3DES         | 3DES
PIV 9B Factory Key Diversity                         | Static       | Static       | Static
Recommended PIV 9B Customer Key Diversity            | Diverse2     | Diverse2     | Diverse2

YubiKey SC and YubiKey SC FIPS devices may be provided in two different configurations, one with static factory keys and the other with diverse factory keys. Use the column that matches the configuration you were supplied with.

                                                     | YubiKey SC                        | YubiKey SC FIPS
                                                     | Static Factory  | Diverse Factory | Static Factory  | Diverse Factory
Credential Type in MyID                              | YubiKey SC      | YubiKey SC      | YubiKey SC FIPS | YubiKey SC FIPS
GlobalPlatform Secure Channel                        | SCP03           | SCP03           | SCP03           | SCP03
Factory GlobalPlatform Key Type                      | AES128          | AES128          | AES128          | AES128
Factory GlobalPlatform Key Diversification Algorithm | Static          | DiverseYB108    | Static          | DiverseYB108
Factory PIV 9B Key Encryption Type                   | 3DES            | AES256          | 3DES            | AES256
PIV 9B Factory Key Diversity                         | Static          | DiverseYB108    | Static          | DiverseYB108
Recommended PIV 9B Customer Key Diversity            | DiverseYB108    | DiverseYB108    | DiverseYB108    | DiverseYB108

YubiKey SC and YubiKey SC FIPS also support the following keys:

10.2.2 Setting up the PIV PUK key

The PIV PUK diversifies the PUK / SOPIN. If the devices are provided to you with factory keys that are diversified, you can configure the keys in the Key Manager workflow.

If no factory keys are configured, MyID uses the default PUK 12345678.

To configure a factory PIV PUK key:

  1. From the Configuration category, select the Key Manager workflow.
  2. From the Select Key Type to Manage drop-down list, select PIV PUK.
  3. Click Next.
  4. Click Add New Key.
  5. Set the following values:

    • Credential Type: YubiKey SC or YubiKey SC FIPS
    • Key Type: Factory
    • Key Diversity: DiverseYB108
    • Encryption Type: AES256
  6. Enter the Encryption Key.

    If required, you can use a key ceremony; select Use Key Ceremony, click Enter Keys, and provide the key in multiple parts. Alternatively, click Import Keys and select a file containing the key ceremony data; see the Entering keys using a key ceremony section in the Administration Guide for details.

  7. Click Save.

If required, you can also configure customer keys in the Key Manager workflow. If no customer keys are configured, MyID applies the Security Officer PIN Type configuration (on the Device Security page of the Security Settings workflow) which can be Factory or Random.

To configure a customer PIV PUK key:

  1. From the Configuration category, select the Key Manager workflow.
  2. From the Select Key Type to Manage drop-down list, select PIV PUK.
  3. Click Next.
  4. Click Add New Key.
  5. Set the following values:

    • Credential Type: YubiKey SC or YubiKey SC FIPS
    • Key Type: Customer
    • Key Diversity: DiverseYB108
    • Encryption Type: AES256
  6. Select one of the following options:

    • Automatically Generate Encryption Key in Software and Store on Database – the key is automatically generated and stored in the database.

    • Encryption Key – type the key into the box. Optionally, you can include the KeyChecksum Value.
    • Automatically Generate Encryption Key on HSM and Store on HSM – this option generates a key on the HSM.

      Note: The HSM options appear only if your system is configured to use an HSM.

    • Existing HSM Key Label – if you have an existing key on your HSM that you want to use, type its label.
    • Use Key Ceremony – click Enter Keys and provide the key in multiple parts. Alternatively, click Import Keys and select a file containing the key ceremony data; see the Entering keys using a key ceremony section in the Administration Guide for details.
  7. Click Save.

10.2.3 Setting up the Configuration Lock Code

The Configuration Lock Code locks the configuration of the supported interfaces. If the devices are provided to you with factory keys that are diversified, you can configure the keys in the Key Manager workflow.

If no factory keys are configured, MyID will assume the interfaces are not secured out of the factory.

To configure a factory Configuration Lock Code key:

  1. From the Configuration category, select the Key Manager workflow.
  2. From the Select Key Type to Manage drop-down list, select Configuration Lock Code.
  3. Click Next.
  4. Click Add New Key.
  5. Set the following values:

    • Credential Type: YubiKey SC or YubiKey SC FIPS
    • Key Type: Factory
    • Key Diversity: DiverseYB108
    • Encryption Type: AES256
  6. Enter the Encryption Key.

    If required, you can use a key ceremony; select Use Key Ceremony, click Enter Keys, and provide the key in multiple parts. Alternatively, click Import Keys and select a file containing the key ceremony data; see the Entering keys using a key ceremony section in the Administration Guide for details.

  7. Click Save.

If required, you can also configure customer keys in the Key Manager workflow. If no customer keys are configured, MyID will not change the factory key (if configured) or will not secure the interface configuration (if no factory key is configured).

To configure a customer Configuration Lock Code key:

  1. From the Configuration category, select the Key Manager workflow.
  2. From the Select Key Type to Manage drop-down list, select Configuration Lock Code.
  3. Click Next.
  4. Click Add New Key.
  5. Set the following values:

    • Credential Type: YubiKey SC or YubiKey SC FIPS
    • Key Type: Customer
    • Key Diversity: DiverseYB108
    • Encryption Type: AES256
  6. Select one of the following options:

    • Automatically Generate Encryption Key in Software and Store on Database – the key is automatically generated and stored in the database.

    • Encryption Key – type the key into the box. Optionally, you can include the KeyChecksum Value.
    • Automatically Generate Encryption Key on HSM and Store on HSM – this option generates a key on the HSM.

      Note: The HSM options appear only if your system is configured to use an HSM.

    • Existing HSM Key Label – if you have an existing key on your HSM that you want to use, type its label.
    • Use Key Ceremony – click Enter Keys and provide the key in multiple parts. Alternatively, click Import Keys and select a file containing the key ceremony data; see the Entering keys using a key ceremony section in the Administration Guide for details.
  7. Click Save.
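Both the PIV PUK and the Configuration Lock Code procedures above ask for a hex Encryption Key of a given Encryption Type (3DES, AES128 or AES256, per the tables in 10.2.1) and optionally a key checksum value. The following Go program is an added example, not MyID's or Yubico's code: it checks that a key has the length the selected Encryption Type requires before it is saved, and computes a key check value using the common convention of encrypting one all-zero block and keeping the first three bytes. That MyID's Key Checksum Value field uses exactly this convention is an assumption; compare the result with the KCV supplied alongside the key (by the key ceremony or HSM) and treat a mismatch as a reason to stop rather than to save.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// expectedKeySizes lists the raw key sizes, in bytes, that are valid for each
// Encryption Type the Key Manager workflow offers for these credential types.
var expectedKeySizes = map[string][]int{
	"3DES":   {16, 24}, // two-key (K1 K2) or three-key (K1 K2 K3) triple DES
	"AES128": {16},
	"AES256": {32},
}

// ParseKey decodes a hex-encoded key (spaces allowed) and checks that its length
// matches the selected Encryption Type, so a mis-sized key is caught before it
// is saved into the Key Manager.
func ParseKey(encType, keyHex string) ([]byte, error) {
	sizes, ok := expectedKeySizes[strings.ToUpper(encType)]
	if !ok {
		return nil, fmt.Errorf("unknown encryption type %q", encType)
	}
	key, err := hex.DecodeString(strings.ReplaceAll(keyHex, " ", ""))
	if err != nil {
		return nil, fmt.Errorf("key is not valid hex: %w", err)
	}
	for _, n := range sizes {
		if len(key) == n {
			return key, nil
		}
	}
	return nil, fmt.Errorf("%s key must be %v bytes long, got %d", encType, sizes, len(key))
}

// blockCipherFor returns the block cipher implied by the Encryption Type.
func blockCipherFor(encType string, key []byte) (cipher.Block, error) {
	switch strings.ToUpper(encType) {
	case "3DES":
		if len(key) == 16 {
			// Two-key triple DES: K3 is K1, so extend to the 24 bytes Go expects.
			k := make([]byte, 0, 24)
			k = append(k, key...)
			k = append(k, key[:8]...)
			key = k
		}
		return des.NewTripleDESCipher(key)
	case "AES128", "AES256":
		return aes.NewCipher(key)
	default:
		return nil, fmt.Errorf("unknown encryption type %q", encType)
	}
}

// KeyCheckValue computes the conventional key check value (assumed here to be
// what the Key Checksum Value field holds): encrypt one all-zero block under
// the key and keep the first three bytes, rendered as six upper-case hex digits.
func KeyCheckValue(encType, keyHex string) (string, error) {
	key, err := ParseKey(encType, keyHex)
	if err != nil {
		return "", err
	}
	blk, err := blockCipherFor(encType, key)
	if err != nil {
		return "", err
	}
	zero := make([]byte, blk.BlockSize())
	out := make([]byte, blk.BlockSize())
	blk.Encrypt(out, zero)
	return strings.ToUpper(hex.EncodeToString(out[:3])), nil
}

func main() {
	// Constructed sample key (all zeros), chosen only to show the output format;
	// a real AES256 PIV PUK key is 32 random bytes from a key ceremony or HSM.
	sample := strings.Repeat("00", 32)
	kcv, err := KeyCheckValue("AES256", sample)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Printf("AES256 key check value: %s\n", kcv)

	// A 16-byte key offered as AES256 is rejected before anything is stored.
	if _, err := KeyCheckValue("AES256", strings.Repeat("00", 16)); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The length check mirrors the Encryption Type column of the 10.2.1 tables: a 3DES factory key on a static-factory YubiKey SC is 16 or 24 bytes, while the AES256 keys used with DiverseYB108 are 32 bytes. Running the check locally before a key ceremony is entered avoids saving a truncated or mis-typed key that would only surface later as a failed SCP03 or PUK operation on the device.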