YubiHSM 2 Product Overview

The YubiHSM 2 device

The YubiHSM 2 is a USB-based, multi-purpose cryptographic device for servers. Its diminutive physical size is ideal for installation directly into internal or external server ports.

Specifications

Cryptographic interfaces

  • PKCS#11 API version 2.40

  • Yubico Key Storage Provider (KSP) to access Microsoft CNG

  • Full access to device capabilities through Yubico’s YubiHSM Core Libraries (C, Python)

RSA

  • 2048, 3072, and 4096 bit keys (with e=65537)

  • Signing using PKCS#1v1.5 and PSS

  • Decryption using PKCS#1v1.5 and OAEP

Elliptic Curve Cryptography (ECC)

  • Curves: secp224r1, secp256r1, secp256k1, secp384r1, secp521r, bp256r1, bp384r1, bp512r1, curve25519

  • Signing: ECDSA (all except curve25519), EdDSA (curve25519 only)

  • Decryption: ECDH (all except curve25519)

Hashing functions

  • SHA-1, SHA-256, SHA-384, SHA-512

Key wrap

  • Import and export using NIST-approved AES-CCM Wrap with 128, 196, and 256 bit keys

Random numbers

  • On-chip True Random Number Generator (TRNG) used to seed NIST SP 800-90 AES-256 CTR_DRBG

Attestation

  • Asymmetric key pairs generated on-device may be attested using a device-specific Yubico attestation key and certificate, or using your own keys and certificates imported into the HSM.

Performance

Performance varies depending on usage. The accompanying Software Development Kit includes performance tools that can be used for additional measurements. Example metrics from an otherwise unoccupied YubiHSM 2:

  • RSA-2048-PKCS1-SHA256: ~139ms

  • RSA-3072-PKCS1-SHA384: ~504ms

  • RSA-4096-PKCS1-SHA512: ~852ms

  • ECDSA-P256-SHA256: ~73ms

  • ECDSA-P384-SHA384: ~120ms

  • ECDSA-P521-SHA512: ~210ms

  • EdDSA-25519-32Bytes: ~105ms

  • EdDSA-25519-64Bytes: ~121ms

  • EdDSA-25519-128Bytes: ~137ms

  • EdDSA-25519-256Bytes: ~168ms

  • EdDSA-25519-512Bytes: ~229ms

  • EdDSA-25519-1024Bytes: ~353ms

  • AES-(128|192|256)-CCM-Wrap: ~10ms

  • HMAC-SHA-(1|256): ~4ms

  • HMAC-SHA-(384|512): ~243ms

Storage capacity

  • All data stored as objects. 256 object slots, 128KB max total

  • Stores up to 127 rsa2048 or 93 rsa3072 or 68 rsa4096 or 255 of any elliptic curve type, assuming only one authentication key is present

  • Object Types: Authentication keys (used to establish sessions); Asymmetric private keys; Opaque binary data objects (e.g. x509 certificates); Wrap keys; HMAC keys

Management

  • Mutual authentication and secure channel between applications and the YubiHSM 2

  • M of N unwrap key restore via YubiHSM Setup Tool

Physical Characteristics

  • Form factor: nano designed for confined spaces such as internal USB ports in servers

  • Dimensions: 12mm x 13mm x 3.1mm

  • Weight: 1g

Host interface

  • Universal Serial Bus (USB) 1.x Full Speed (12Mbit/s) Peripheral with bulk interface

What’s in the SDK

Todo: For details, link to component reference for each of the components

The SDK contains tools to interface with YubiHSM 2. For more information about each of the main components, please see the component reference section.

Resource Description

bin/libeay32.dll

Pre-built OpenSSL (Windows only)

bin/yubihsm-setup

Deployment tool for YubiHSM 2

bin/yhwrap

A tool to create wrapped importable objects offline

bin/yubihsm-connector

The connector, a tool for providing a common interface to the device

bin/yubihsm-shell

The shell, a REPL-style tool for interacting with YubiHSM 2 (and the connector)

include/pkcs11/pkcs11.h

Common and standard PKCS#11 functions and constants definitions

include/pkcs11/pkcs11y.h

Yubico-specific PKCS#11 functions and constants definitions

include/yubihsm.h

Library functions and constants definitions

lib/libyubihsm.{dylib,so} or bin/libyubihsm.dll

Library binary to interact with YubiHSM 2

lib/yubihsm_pkcs11.{dylib,so} or bin/yubihsm_pkcs11.dll

PKCS#11 module to interact with YubiHSM 2

python-noarch/*

Python implementation of the library

yubihsm-cngprovider-windows-amd64.msi

Installer for CNG/KSP for Windows ADCS (Windows only)

yubihsm-connector-windows-amd64.msi

Installer for the connector (Windows only)

Getting help

Documentation aiding in deploying and using the YubiHSM 2 is continuously updated on https://developers.yubico.com/YubiHSM2 (this site). Additional support resources are available in the Yubico Knowledge Base. Also, Yubico hosts forums where you may interact with the community of fellow Yubico customers.

Important
If you think you may have discovered a flaw in the product, Yubico welcomes your feedback. To report an issue that you suspect might be a bug, please submit a support request and provide as much detail as you can.