Terms

This is a list of common terms you may see in this guide, or in other guides that explain Yubikeys.

❊ B

❊ C

Certificate

A certificate is a public key packaged with metadata: a container that holds information about the holder/owner together with the public key, which is related to a private key. Anything you can do with a public key you can do with a certificate. It is often called the public certificate because it contains only the public key and public information.

Command-line interpreter (CLI)

A command-line interpreter uses a command-line interface to receive commands from a user in the form of lines of text. This provides a means of setting parameters for the environment, invoking executables, and telling them what actions to perform. The two CLIs most commonly used to configure your YubiKey are ykman and gpg.

Client to Authenticator Protocol (CTAP)

Developed by the FIDO Alliance, the Client to Authenticator Protocol enables communication between an external authenticator (e.g. a security key, a mobile phone, or another connected device) and a client (e.g. a browser) or platform (an operating system).

❊ E

Encryption -> RSA

Asymmetric cryptography: uses one key to encrypt data and a different key to decrypt it. These are called the public key and the private key. Data encrypted with the public key can be decrypted only with the corresponding private key.

Encryption -> AES

Symmetric cryptography: uses the same key for both encryption and decryption.

Encryption -> SHA

Hash algorithm: a one-way function, often loosely described as one-way encryption. The output cannot be reversed to recover the input.
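The three entries above describe asymmetric, symmetric and one-way primitives. The following added example (not code from the original guide or from Yubico) exercises each with Go's standard library so the differences become observable: RSA-OAEP, where the public key encrypts and only the matching private key decrypts; AES-256-GCM, where one shared key does both directions and a wrong key is rejected; and SHA-256, where there is no key and no reverse operation. The message, keys and function names are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

// --- RSA: asymmetric. Two related keys; encrypt with the public one,
// decrypt only with the private one (on a YubiKey the private half never leaves the device).

func newRSAKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// rsaEncrypt needs only the public key, so anyone holding it can produce ciphertext.
func rsaEncrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// rsaDecrypt needs the matching private key; any other private key returns an error.
func rsaDecrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// --- AES-256-GCM: symmetric. One 32-byte key serves both directions,
// so sender and receiver must already share it.

func aesEncrypt(key, msg []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize()) // fresh per message; never reuse with the same key
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, msg, nil), nil
}

// aesDecrypt returns an error (not garbage) when the key is wrong, because GCM authenticates.
func aesDecrypt(key, nonce, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil)
}

// --- SHA-256: a hash, not a cipher. No key, fixed-size output, the same input
// always gives the same digest, and no operation maps the digest back to the input.

func sha256Hex(msg []byte) string {
	sum := sha256.Sum256(msg)
	return hex.EncodeToString(sum[:])
}

func main() {
	msg := []byte("constructed sample message") // constructed input, not from the guide

	priv, err := newRSAKey()
	if err != nil {
		panic(err)
	}
	ct, _ := rsaEncrypt(&priv.PublicKey, msg)
	pt, _ := rsaDecrypt(priv, ct)
	fmt.Println("RSA: decrypted with the matching private key:", string(pt) == string(msg))
	other, _ := newRSAKey()
	_, err = rsaDecrypt(other, ct)
	fmt.Println("RSA: decrypt with an unrelated private key ->", err)

	key := make([]byte, 32)
	_, _ = io.ReadFull(rand.Reader, key)
	nonce, act, _ := aesEncrypt(key, msg)
	apt, _ := aesDecrypt(key, nonce, act)
	fmt.Println("AES: decrypted with the same key:", string(apt) == string(msg))
	_, err = aesDecrypt(make([]byte, 32), nonce, act)
	fmt.Println("AES: decrypt with a different key ->", err)

	fmt.Println("SHA-256(\"abc\") =", sha256Hex([]byte("abc")))
}
```

The two failure paths matter as much as the round trips: an unrelated RSA private key cannot decrypt, and a wrong AES key produces an authentication error rather than silently wrong plaintext. The hash has no decrypt counterpart at all, which is the point of the SHA entry.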

❊ F

The FIDO Alliance is an open industry association launched in February 2013 whose mission is to develop and promote authentication standards that help reduce the world’s over-reliance on passwords. Yubico has pioneered the development of authentication standards that the FIDO Alliance has adopted.

The Client to Authenticator Protocol (CTAP) enables an external and portable authenticator (such as a hardware security key) to interoperate with a client platform (such as a computer). The CTAP specification refers to two protocol versions, the CTAP1/U2F protocol and the CTAP2 protocol.

An authenticator that implements CTAP2 is called a FIDO2 authenticator (also called a WebAuthn authenticator). If that authenticator implements CTAP1/U2F as well, it is backward compatible with U2F. A YubiKey 5 Series security key can support both CTAP1 and CTAP2, which means it can support both U2F and FIDO2 and deliver strong single-factor (passwordless), strong two-factor and strong multi-factor authentication.

U2F was developed by Yubico and Google, and contributed to the FIDO Alliance after it was successfully deployed for Google employees. The protocol is designed to act as a second factor to strengthen existing username/password-based login flows. It’s built on Yubico’s invention of a scalable public-key model in which a new key pair is generated for each service and an unlimited number of services can be supported, all while maintaining full separation between them to preserve privacy.
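To make the per-service key pair model concrete, here is an added example (not the original guide's or Yubico's code, and not the real CTAP/WebAuthn message format) that models an authenticator holding one P-256 key pair per service and two relying parties issuing login challenges. The type names, the "a.example"/"b.example" service IDs and the way the service ID is bound into the signed data are assumptions made for this demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// Authenticator stands in for the security key. It keeps one private key per
// relying party ID (the service) and never hands a private key out.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: make(map[string]*ecdsa.PrivateKey)}
}

// Register generates a fresh P-256 key pair for rpID and returns only the public half.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// signedData binds the challenge to the service it was issued for (assumed
// encoding), so an assertion produced for one service is meaningless to another.
func signedData(rpID string, challenge []byte) []byte {
	d := sha256.Sum256(append([]byte(rpID+"\x00"), challenge...))
	return d[:]
}

// Sign answers a login challenge with the key pair that belongs to rpID.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %q", rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
}

// RelyingParty stands in for a web service: it stores public keys from
// registration and checks assertions against them.
type RelyingParty struct {
	ID   string
	pubs map[string]*ecdsa.PublicKey // username -> registered public key
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubs: make(map[string]*ecdsa.PublicKey)}
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.pubs[user] = pub }

// NewChallenge issues 32 fresh random bytes; a new value per login defeats replay.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, c)
	return c, err
}

// Verify accepts an assertion only if it was made over this service's ID and
// challenge with the private key matching the public key stored for user.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedData(rp.ID, challenge), sig)
}

func main() {
	auth := NewAuthenticator()
	siteA, siteB := NewRelyingParty("a.example"), NewRelyingParty("b.example") // constructed names
	pubA, _ := auth.Register(siteA.ID)
	pubB, _ := auth.Register(siteB.ID)
	siteA.Enroll("alice", pubA)
	siteB.Enroll("alice", pubB)

	ch, _ := siteA.NewChallenge()
	sig, _ := auth.Sign(siteA.ID, ch)
	fmt.Println("a.example accepts its own assertion:", siteA.Verify("alice", ch, sig))
	fmt.Println("b.example accepts a.example's assertion:", siteB.Verify("alice", ch, sig))
	fmt.Println("the two services hold unrelated public keys:", !pubA.Equal(pubB))
}
```

Registration hands each service its own public key and nothing else; at login the service learns only that someone holding the matching private key answered its fresh challenge. Because the key pairs are independent, neither service can link the user's credential to the other, which is the privacy separation the entry above describes.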

FIDO’s certification programs are a critical element in ensuring an interoperable ecosystem of products and services that organizations can leverage to deploy FIDO Authentication solutions worldwide. FIDO Alliance manages functional certification programs for its various specifications (e.g. U2F and FIDO2) to validate product conformance and interoperability. A FIDO U2F-certified device, such as a YubiKey, has gone through a full FIDO certification program and successfully meets all requirements.

FIDO2 is the passwordless evolution of FIDO U2F. The overall objective for FIDO2 is to provide an extended set of functionality to cover additional use cases, with the main driver being passwordless login flows. The U2F model is still the basis for FIDO2, and compatibility for existing U2F deployments is provided in the FIDO2 specs.

FIDO’s certification programs are a critical element in ensuring an interoperable ecosystem of products and services that organizations can leverage to deploy FIDO Authentication solutions worldwide. FIDO Alliance manages functional certification programs for its various specifications (e.g. U2F and FIDO2) to validate product conformance and interoperability. A FIDO2-certified device, such as a YubiKey 5 Series security key, has gone through a full FIDO certification program and successfully meets all requirements.

The Federal Information Processing Standard Publication 140-2 is a U.S. government computer security standard used to approve cryptographic modules. It is published by the U.S. National Institute of Standards and Technology (NIST) and is a security standard recognized by the U.S. and Canadian governments, as well as the European Union. It is often a specification that a security solution needs to meet for some of the more security-conscious organizations globally.

To be FIPS 140-2 certified or validated, the software (and hardware) must be independently validated by one of 13 NIST-specified laboratories; this process can take weeks. The FIPS 140-2 validation process examines the cryptographic modules: Level 1 examines the algorithms used in the cryptographic component of the software, and Levels 2-4 build on that by adding different layers of physical security. The YubiKey FIPS Series meets Level 3 requirements (AAL3), which means that the code runs inside a tamper-proof container so that the keys used in the cryptography are destroyed if the device is physically compromised.

❊ K

Keypair

A combination of a public key that is used to encrypt data and a private key that is used to decrypt data. See -> (private key, public key, certificate)

❊ M

❊ P

PIN

A 6-8 character passcode that your YubiKey requests before it performs certain actions. A YubiKey 5 has a total of 5 PINs that you can change: 1x FIDO2 PIN, 2x PIV PINs and 2x GPG PINs.

PIV

An interface / technology included on the Yubikey 5.

A Personal Identity Verification (PIV) credential is a US Federal government-wide credential used to access Federally controlled facilities and information systems at the appropriate security level.

PIV User PIN

The user PIN for the PIV interface of your YubiKey. The PIN is used during normal operation to authorize an action such as creating a digital signature with any of the loaded certificates. Entering an incorrect PIN three times consecutively blocks the PIN, rendering the PIV features unusable. Default PIN: 123456

PIV Admin PUK

The admin PIN for the PIV interface, known as the admin PUK (PIN Unblocking Key). The PUK is used to reset the PIV PIN if it is lost or becomes blocked after the maximum number of incorrect attempts. Setting a PUK is optional. If you use your PIN as the Management Key, the PUK is disabled for technical reasons.

PIV Management Key

An administrative key associated with the PIV interface, required in order to perform administrative tasks such as generating new PIV keys / certificates, importing, and exporting. It can be changed via the ykman command-line interface: ykman piv access change-management-key

PGP

Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions, and to increase the security of e-mail communications. See -> (OpenPGP, GPG)

Private Key

A private key, also known as a secret key, is a variable in cryptography that is used with an algorithm to encrypt and decrypt data. Private keys are generated using the same algorithms that create public keys, producing strong keys that are bound together mathematically. A private key is generally a lengthy, non-guessable sequence of bits created randomly or pseudo-randomly. The complexity and length of a private key determine how easy it is for an attacker to carry out a brute-force attack, in which they try many keys until they find the right one.

Private keys can be used for both encryption and decryption, while public keys are used only to encrypt the sensitive data.

Private keys should only be shared with the key's generator or parties authorized to decrypt the data. Typically, in the private sector, an individual who generates a public/private key pair is not to share the private key with anyone. See -> (public key, certificate, keypair)

Public Key

Public key encryption, or public key cryptography, is a method of encrypting data with two different keys and making one of the keys, the public key, available for anyone to use. The other key is known as the private key. A hardware security key offers the strongest protection for private keys, because the private key is stored in the secure element and cannot be exfiltrated or obtained via a remote attack.

❊ S

Signtool

❊ X

XCA

❊ Y

Ykman

Yubikey

A physical security device developed by the company Yubico. This device contains several bundled interfaces / technologies such as FIDO2, OATH, PIV, GPG, WebAuthn, etc., which can enable strong two-factor, multi-factor and passwordless authentication.

Yubikey Authenticator

Yubikey Manager

Software provided by Yubico to configure FIDO2, OTP and PIV functionality on your YubiKey on Windows, macOS, and Linux operating systems. Includes ykman command-line interface.

Yubikey Minidrivers
