Support 4096 bit RSA keys for Yubikey 4 #58

Closed
ribbons opened this Issue Jan 1, 2016 · 11 comments

@ribbons
commented Jan 1, 2016

It would be great to be able to generate and import 4096 bit RSA keys with this tool, now that the Yubikey 4 supports 4096 bit RSA keys.

@klali

Member

commented Jan 4, 2016

YubiKey 4 doesn't support RSA 4096 for PIV since it's not defined in the PIV specs.

@klali klali closed this Jan 4, 2016

@rcdailey

commented Nov 30, 2018

Does Yubikey 5 NFC support 4096 RSA keys?

@rthille

commented Nov 30, 2018

It looks to me like the current(?) spec from 2015 doesn't support anything but 2048-bit RSA keys: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-78-4.pdf

@rcdailey

commented Nov 30, 2018

I am new to Yubikey and was searching Google to see if I can use it to log into my Ubuntu server using my existing 4096 bit RSA keys, but it doesn't seem so :(

@mouse07410

commented Nov 30, 2018

Yubico offers the YubiHSM2 device, which would be overkill for what you seem to need (mostly because it costs 10 times more than a YubiKey), but if money is not a concern - it supports 4096-bit RSA, and many other nice things (e.g., ECDSA, EdDSA, PSS, OAEP).

I've been working with it, and am quite happy - but my office paid for it.

@rthille

commented Nov 30, 2018

You could always get a Tomu ( https://Tomu.im/ ) and put whatever necessary software on it.

@uschwarz

commented Dec 30, 2018

Well, looking at a sunset of 12/2022 for 2048-bit RSA keys (BSI TR-02102-1), I guess I don't even need to do feasibility tests with Yubikeys for our org then, and others in the higher ed sector in Germany will be in the same situation.

@arcticskew

commented Mar 15, 2019

Yubikey 4 and up support 4096 bit keys through PGP, just not PIV.

@mouse07410

commented Mar 15, 2019

And that is a problem, as with the sunset of RSA-2048, usefulness of PIV devices that can't go higher would decline sharply. Since OpenPGP applet cannot be used in PIV context, draw your own conclusions...

@arcticskew

commented Mar 15, 2019

True, though it sounds like the PIV standard itself is the issue, not the Yubikey implementation, so there would not be other PIV devices to use instead.

@mouse07410

commented Mar 15, 2019

I'm sure PIV would not be the first standard that vendors extend when the standard stops being sufficient for the market needs. The one question is when, how, and who would start it.
