From b59107d413a65746a57025ba1d204b474720a8b4 Mon Sep 17 00:00:00 2001 From: Jaeha Choi Date: Mon, 6 Sep 2021 20:29:32 -0700 Subject: [PATCH] Add note about KDF --- README.md | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 124e4ec..5fcfbe5 100644 --- a/README.md +++ b/README.md @@ -36,6 +36,7 @@ If you have a comment or suggestion, please open an [Issue](https://github.com/d - [Export public keys](#export-public-keys) - [Configure Smartcard](#configure-smartcard) * [Change PIN](#change-pin) + * [Enable KDF](#enable-kdf) * [Set information](#set-information) - [Transfer keys](#transfer-keys) * [Signing](#signing-1) @@ -1274,6 +1275,7 @@ Key attributes ...: rsa2048 rsa2048 rsa2048 Max. PIN lengths .: 127 127 127 PIN retry counter : 3 0 3 Signature counter : 0 +KDF setting ......: off Signature key ....: [none] Encryption key....: [none] Authentication key: [none] @@ -1286,6 +1288,16 @@ General key info..: [none] Use the [YubiKey Manager](https://developers.yubico.com/yubikey-manager) application (note, this not the similarly named older YubiKey NEO Manager) to enable CCID functionality. +## Enable KDF +Key Derived Function (KDF) enables YubiKey to store the hash of PIN, preventing the PIN from being passed as plain text. + +```console +gpg/card> admin +Admin commands are allowed + +gpg/card> kdf-setup +``` + ## Change PIN The [GPG interface](https://developers.yubico.com/PGP/) is separate from other modules on a Yubikey such as the [PIV interface](https://developers.yubico.com/PIV/Introduction/YubiKey_and_PIV.html). The GPG interface has its own *PIN*, *Admin PIN*, and *Reset Code* - these should be changed from default values! @@ -1305,9 +1317,6 @@ Values are valid up to 127 ASCII characters and must be at least 6 (*PIN*) or 8 To update the GPG PINs on the Yubikey: ```console -gpg/card> admin -Admin commands are allowed - gpg/card> passwd gpg: OpenPGP card no. D2760001240102010006055532110000 detected @@ -1376,6 +1385,7 @@ Key attributes ...: rsa2048 rsa2048 rsa2048 Max. PIN lengths .: 127 127 127 PIN retry counter : 3 0 3 Signature counter : 0 +KDF setting ......: on Signature key ....: [none] Encryption key....: [none] Authentication key: [none] @@ -1681,6 +1691,7 @@ Key attributes ...: rsa4096 rsa4096 rsa4096 Max. PIN lengths .: 127 127 127 PIN retry counter : 3 3 3 Signature counter : 0 +KDF setting ......: on Signature key ....: 07AA 7735 E502 C5EB E09E B8B0 BECF A3C1 AE19 1D15 created ....: 2016-05-24 23:22:01 Encryption key....: 6F26 6F46 845B BEB8 BDF3 7E9B 5912 A795 E90D D2CF