YubiKeys with firmware version 5.3.0 and later support Secure Channel Protocol 03 (SCP03) for establishing secure communication channels. Starting with firmware version 5.7.2, they also support Secure Channel Protocol 11 (SCP11). For both protocols, secure communication with the YubiKey requires the secure channel to be authenticated using the appropriate certificate chain. Detailed information about the implementation specifics of these protocols can be found in Yubico’s technical documentation here.
In SCP11 mode, the certificate stored on the YubiKey should be validated against the full certificate chain. All genuine YubiKeys with firmware version 5.7.4 or later are issued with Secure Domain certificates. These certificates are linked to the Root Certificate Authority (Root CA) through intermediate certificates, ensuring the integrity and trustworthiness of the YubiKey.
5.7.4+ |
|