Accessing administrative functions

PIV provides two different levels of access. One is the end-user (cardholder) level, which is protected by a PIN. This level allows normal day-to-day usage of the PIV functionality. The second is an administrator level, which is protected by a management key. This level allows provisioning of credentials.

PIN/PUK

End-user functionality is guarded by a PIN, which needs to be provided by the user to perform private key operations. The PIN can be up to 8 characters long, and supports any type of alphanumeric characters. If the PIN is entered incorrectly 3 times consecutively, the PIN will be blocked and unable to be used. If the PIN is lost or blocked it can be reset using a PUK. The PUK has the same restrictions as the PIN. If both the PIN and the PUK have been blocked they can be reset using a specific command. This will reset the PIN, PUK and Management Key to their default values, as well as delete any stored certificates and keys. The default values for the PIN and PUK are 123456 and 12345678, respectively.

Management Key

Administrative/Management functionality is guarded by a 24 byte management key. This key is required for administrative tasks, such as generating/importing keys and certificate into the PIV slots. The default value of the Management Key for the YubiKey is:

010203040506070801020304050607080102030405060708

Access Control Matrix

The table below contains a list of possible operations and their requirements in terms of Management key (MGM), PIN and PUK.

Action Requires MGM Requires PIN Requires PUK Notes

Generate key pair

x

Change MGM

x

Requires a new MGM

Change retry counters

x

x

Yubico extension. Resets PIN and PUK to defaults

Import private key

x

Import certificate

x

Move key

x

Delete key

x

Set CHUID

x

Reset card

Requires both PIN and PUK to be blocked

Verify PIN

x

Sign data

x

Decrypt data

x

Change PIN

x

Requires a new PIN

Change PUK

x

Requires a new PUK

Reset PIN (unblock)

x

Requires a new PIN