
@jnaulty
Created December 26, 2019 17:37
Yubikey Attestation

Verifying YubiKey Authenticity

How do I know the YubiKey in front of me is actually a YubiKey from Yubico, and not from EvilCo?

People have been here before, and Yubico has a support page for exactly this question.

It points you to Yubico's Verification Page.

Visual Inspection

Does it look like someone opened the casing and put a MITM microcontroller inside? If so, don't use it.

OTP Verification

USB Way

You can use the official Yubico OTP Verification page to check the device, although this requires plugging an unverified USB HID device into your computer.

NFC Way

For YubiKeys with NFC there is a slightly easier option that works 'in the box', so to speak.

Scan the sealed package with your phone: the key answers with an NDEF record holding a verification URL with a fresh Yubico OTP (an AES-encrypted, single-use token) appended to it.

In other words, you scan it and it takes you to a Yubico website that reports the OTP as valid, which is a decent check that the key's OTP secret was provisioned by Yubico.

WebAuthn Verification

You can use Yubico's WebAuthn demo to verify your YubiKey.

Go to the WebAuthn Yubico Demo Site and go through the flow of registering your device.

You should see a "Registration Completed!" page reporting that Yubico verified your device, meaning its attestation certificate chained to a Yubico root. Don't be afraid to be curious and click on the "Show Technical Details" dropdown to learn more about what's happening 'under the covers'.

PIV Attestation

Each YubiKey comes "pre-loaded from factory with a key and cert signed by Yubico" (source); they live in PIV slot f9.

You can ask the YubiKey to attest a key in another slot: it returns a certificate for that slot's public key, signed by the f9 key. Verifying the chain back to Yubico's PIV root CA shows both that the device is genuine and that the key was generated on the device rather than imported.

For a detailed guide to the inner workings of this attestation, review this blog post, created from the magic of CCCamp 2019.
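As an added example (not code from this gist or from Yubico), here is the check written out in Python with the `cryptography` library. It walks the chain root CA -> slot f9 attestation certificate -> attestation statement, verifies each signature against its issuer, and decodes the Yubico extensions (firmware version, serial number, PIN/touch policy, form factor) from the statement. The certificates, names and keys are constructed stand-ins so that it runs offline; the `yubico-piv-tool` commands in the docstring are how you get the real ones from a device, and the trust anchor must be Yubico's published PIV root CA certificate, never something you generated. The WebAuthn attestation the demo site shows rests on the same idea (an attestation certificate chaining to a Yubico root), but its statement format is different and is not parsed here.

```python
"""Added example (not from the gist or from Yubico): verify a PIV attestation
chain as you would for a real YubiKey, then decode the device properties that
Yubico embeds in the attestation statement.

The three certificates are constructed in memory with stand-in keys so the
check runs offline; for a real device they come from
  yubico-piv-tool -a read-certificate -s f9   (per-device attestation cert)
  yubico-piv-tool -a attest -s 9a             (statement for the key in 9a)
and the trust anchor is Yubico's published PIV root CA certificate."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import NameOID

# Yubico's PIV attestation extension OIDs and their value encodings.
OID_FIRMWARE = x509.ObjectIdentifier("1.3.6.1.4.1.41482.3.3")    # 3 bytes: major, minor, patch
OID_SERIAL = x509.ObjectIdentifier("1.3.6.1.4.1.41482.3.7")      # DER INTEGER
OID_POLICY = x509.ObjectIdentifier("1.3.6.1.4.1.41482.3.8")      # 2 bytes: PIN policy, touch policy
OID_FORMFACTOR = x509.ObjectIdentifier("1.3.6.1.4.1.41482.3.9")  # 1 byte
PIN_POLICY = {1: "never", 2: "once", 3: "always"}
TOUCH_POLICY = {1: "never", 2: "always", 3: "cached"}
FORM_FACTOR = {1: "USB-A keychain", 2: "USB-A nano", 3: "USB-C keychain",
               4: "USB-C nano", 5: "Lightning/USB-C"}


def _check_signature(cert, issuer):
    """Verify that cert was signed by issuer's key (ECDSA or RSA PKCS#1 v1.5)."""
    pub = issuer.public_key()
    if isinstance(pub, ec.EllipticCurvePublicKey):
        pub.verify(cert.signature, cert.tbs_certificate_bytes,
                   ec.ECDSA(cert.signature_hash_algorithm))
    elif isinstance(pub, rsa.RSAPublicKey):
        pub.verify(cert.signature, cert.tbs_certificate_bytes,
                   padding.PKCS1v15(), cert.signature_hash_algorithm)
    else:
        raise ValueError("unsupported issuer key type")


def _der_integer(raw):
    """Decode a short-form DER INTEGER (tag 0x02) into an int."""
    if len(raw) < 3 or raw[0] != 0x02 or raw[1] != len(raw) - 2:
        raise ValueError("malformed DER INTEGER")
    return int.from_bytes(raw[2:], "big", signed=True)


def verify_piv_attestation(root_pem, f9_pem, statement_pem):
    """Check root -> f9 -> statement (issuer names and signatures) against the
    given root, then return the device properties from the statement.
    Raises ValueError or InvalidSignature if the chain does not check out."""
    root = x509.load_pem_x509_certificate(root_pem)
    f9 = x509.load_pem_x509_certificate(f9_pem)
    stmt = x509.load_pem_x509_certificate(statement_pem)
    for child, parent in ((f9, root), (stmt, f9)):
        if child.issuer != parent.subject:
            raise ValueError("issuer does not match signer subject")
        _check_signature(child, parent)  # an EvilCo chain with copied names fails here

    def ext(oid):
        return stmt.extensions.get_extension_for_oid(oid).value.value

    policy = ext(OID_POLICY)
    return {
        "firmware": ".".join(str(b) for b in ext(OID_FIRMWARE)),
        "serial": _der_integer(ext(OID_SERIAL)),
        "pin_policy": PIN_POLICY.get(policy[0], "unknown"),
        "touch_policy": TOUCH_POLICY.get(policy[1], "unknown"),
        "form_factor": FORM_FACTOR.get(ext(OID_FORMFACTOR)[0], "unknown"),
    }


def is_genuine(root_pem, f9_pem, statement_pem):
    """Boolean wrapper: True only if the whole chain verifies."""
    try:
        verify_piv_attestation(root_pem, f9_pem, statement_pem)
        return True
    except (ValueError, InvalidSignature, x509.ExtensionNotFound):
        return False


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _issue(subject, issuer, issuer_key, key, extensions=()):
    """Build and sign one certificate of the constructed demo chain."""
    start = datetime.datetime(2019, 12, 26, tzinfo=datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(_name(subject)).issuer_name(_name(issuer))
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(start)
               .not_valid_after(start + datetime.timedelta(days=3650)))
    for oid, raw in extensions:
        builder = builder.add_extension(x509.UnrecognizedExtension(oid, raw), critical=False)
    return builder.sign(issuer_key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)


def make_demo_chain():
    """Constructed stand-in for Yubico's hierarchy (demo keys, not Yubico's):
    root CA -> per-device f9 attestation cert -> statement for slot 9a."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    f9_key = ec.generate_private_key(ec.SECP256R1())
    slot_key = ec.generate_private_key(ec.SECP256R1())
    root = _issue("Demo PIV Root CA", "Demo PIV Root CA", root_key, root_key)
    f9 = _issue("Demo PIV Attestation", "Demo PIV Root CA", root_key, f9_key)
    statement = _issue("Demo PIV Attestation 9a", "Demo PIV Attestation", f9_key, slot_key, [
        (OID_FIRMWARE, bytes([5, 2, 4])),                           # firmware 5.2.4
        (OID_SERIAL, b"\x02\x04" + (12345678).to_bytes(4, "big")),  # INTEGER 12345678
        (OID_POLICY, bytes([1, 2])),                                # PIN never, touch always
        (OID_FORMFACTOR, bytes([3])),                               # USB-C keychain
    ])
    return root, f9, statement


if __name__ == "__main__":
    root, f9, statement = make_demo_chain()
    print(verify_piv_attestation(root, f9, statement))
    _, evil_f9, evil_statement = make_demo_chain()  # same names, EvilCo's keys
    print("EvilCo chain accepted against our root?", is_genuine(root, evil_f9, evil_statement))
```

For a real key, pass the PEMs from the two `yubico-piv-tool` commands plus Yubico's root certificate to `verify_piv_attestation`; `openssl verify -CAfile root.pem -untrusted f9.pem statement.pem` performs the same chain check without decoding the extensions. A production check should also enforce the certificates' validity periods and pin the root by fingerprint rather than by name, since the demo shows that a forged chain can copy every name and still be rejected only by the signature check.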
