OpenPGP Attestation

Introduction

This document describes the attestation feature added to the OpenPGP module in YubiKey 5.2. For generating attestation certificates, you can use YubiKey Manager CLI (ykman) version 3.1.0 or higher.

Purpose

The concept of attestation is to cryptographically certify that a certain asymmetric key has been generated on device, and not imported. This can be used to prove that no other copies of the asymmetric key exist.

Terminology

Attestation Key

Private signature key to sign the generated Attestation Statement (also called Attesting Key)

Attestation Certificate

X.509 certificate for the Attestation Key, used as template for Attestation Statement

Attested Key

OpenPGP signature, decryption, or authentication key to attest was generated on device

Attestation Statement

Generated X.509 certificate specifying the Attested Key details, signed by the Attestation Key

Implementation

Attestation generates a new X.509 certificate (the Attestation Statement) for the key that is to be attested (Attested Key). The certificate is based on a template X.509 certificate issued by a CA (Attestation Certificate), and signed by the matching Attestation Key. An attestation certificate can only be generated if the attested key has been generated on device. This certificate should only be used for the purpose of verifying that the key was generated in device, not for any other purposes.

Attestation is based on chain of trust:

Attestation__1.png

When an attestation statement is generated, it is placed in the OpenPGP cardholder certificate slot for the attested key. For example, if the signature key is attested, the attestation statement is placed in the SIG cardholder certificate slot (index 2 of DO 0x7F21). Any data currently stored in the cardholder certificate slot is overwritten.

The YubiKey is pre-loaded with an attestation certificate and matching attestation key issued by the Yubico CA. The template and key are replaceable, which permits an individual or organization to issue attestations verifiable with their own CA if they prefer. If replaced, the Yubico template can never be restored. The attestation key and certificate will not be cleared out by a reset of the device.

The attestation key can use any supported algorithm except curve25519. All keys, including curve25519, can be attested.

Attestation Statements are verified by validating the certificate chain in reverse:

Attestation__2.png

Some features of the generated Attestation Statement:

  • Serial will be a random 16 byte integer

  • Issuer will be the subject of the template Attestation Certificate

  • Dates will be copied from the template Attestation Certificate

  • Subject will be the string "YubiKey OPGP Attestation " with the attested slot appended ("SIG", "DEC", or "AUT")

  • If the attestation key is RSA the signature will be SHA256-PKCS#1v1.5

  • If the attestation key is EC the signature will be ECDSA-SHA256

Extensions in the generated certificate:

OID Type Description

1.3.6.1.4.1.41482.5.1

UTF-8 String

Cardholder name

1.3.6.1.4.1.41482.5.2

Integer

Attested key’s source
- 0x00: imported (not permitted)
- 0x01: generated on device

1.3.6.1.4.1.41482.5.3

Octet String (3)

YubiKey version number
ex: 050303 = 5.3.3

1.3.6.1.4.1.41482.5.4

Octet String (20)

Attested key’s fingerprint

1.3.6.1.4.1.41482.5.5

Octet String (4)

Attested key’s generation date

1.3.6.1.4.1.41482.5.6

Integer

Attested key’s signature counter (if applicable)

1.3.6.1.4.1.41482.5.7

Integer

YubiKey’s serial number

1.3.6.1.4.1.41482.5.8

Octet String (1)

User Interaction Flag (UIF)
- 0x00: touch disabled
- 0x01: touch enabled
- 0x02: touch permanent
- 0x03: touch cached
- 0x04: touch permanent, cached

1.3.6.1.4.1.41482.5.9

Octet String (1)

Form Factor
- 0x00: Unspecified
- 0x01: USB-A Keychain
- 0x02: USB-A Nano
- 0x03: USB-C Keychain
- 0x04: USB-C Nano
- 0x05: USB-C/Lightning Keychain

1.3.6.1.4.1.41482.5.10

Octet String (1)

FIPS Certified YubiKey

1.3.6.1.4.1.41482.5.11

Octet String (1)

CSPN Certified YubiKey

Note
Cardholder name, fingerprint, and generation date can be overwritten with the admin PIN (PW3). When verifying attestation statements, these fields should not be trusted. Always verify the public key, and regenerate the PGP fingerprint if needed.

Yubico CA

The pre-loaded attestation certificate is signed by a Yubico OPGP CA.

Note
If you have a YubiKey Preview device, the attestation certificate will instead be signed by our Yubico OPGP Preview CA.

Protocol Specification

OpenPGP Attestation is an extension to the OpenPGP application on ISO Smart Card Operating Systems specification. The new tags and instructions are reserved from version 3.4 of the spec. Their usage is defined here.

Attestation Key (Data Objects)

The Attestation Key (ATT key), an asymmetric keypair of any supported algorithm except curve25519, is added as a fourth key (in addition to the existing SIG, DEC, and AUT). Importing or generating an ATT key uses the same underlying commands as the other keys.

Import and generation commands specify which key to load via a Control Reference Template (CRT). Since the ATT key is a second signature key, it must be addressed by using the complex CRT format, which allows specifying a Key ID.

Attestation Key identifiers:

Identifier Value (hex)

Key ID

81

CRT

B6 03 84 01 81

New Data Objects tags for Attestation Key metadata:

Data Object Description

0xDA

Algorithm Attributes

0xDB

Key Fingerprint

0xDC

CA Fingerprint

0xDD

Key Generation Date

0xD9

User Interaction Flag (UIF)

Setting the attestation key requires the administration PIN (PW3).

Attestation Certificate (Data Object)

The Attestation Certificate is stored in a dedicated DO with tag 0xFC, accessible via standard PUT DATA and GET DATA instructions.

The maximum size of the certificate is 2048 bytes.

Generate Attestation (Instruction)

A new instruction is added to generate the Attestation Statement. Note that the class is 0x80, indicating that it is not an ISO interindustry standard instruction.

APDU Field Value(s)

CLA

0x80

INS

0xFB

P1

0x01 (SIG), 0x02 (DEC), 0x03 (AUT)

P2

0x00

Lc

0x00

Data

None

Le

0x00

There is no response data.

Upon successful completion (SW 0x9000), the Attestation Statement is written to the corresponding Cardholder Certificate slot. The Attestation Statement can be retrieved via the normal GET DATA instruction to DO tag 0x7F21.

Note that the order is non-standard in the cardholder certificate DO, so the mapping is as follows:

P1 Value DO 7F21 Index Key

1

2

SIG

2

1

DEC

3

0

AUT

Protocol Diagram

The diagram below illustrates a rough overview of what happens when the YubiKey Manager creates and fetches an Attestation Statement:

Attestation__3.png