yubikey attestation

Recently I was wondering how I should easily prove that my yubikey is really mine in a programmatic way. First I started with preparing my own cert and putting it in the selected yubikey slot. After a while I found attestation feature which fit the best for my needs. Every yubikey (>=4.3) comes with a special slot called f9 it is filled with a key and cert signed by the yubico Root CA. This key can be used to is special action called attest result of this action is prepared a new cert signed by your yubikey. So when you have a list of yubikey certificates, you can verify that this attest certificate comes from a particular device of yubico manufactor, because each attest certificate comes with an extension that contains the serial number and it’s proven by yubico.

In the following example I tried to artificially split application on client and server side. Server has database of yubikey serial numbers with attached its attestation certificate, client generates attest certificate and send it to server. All the communication is done via pipes:

$ ./client | ./server
2021/12/12 07:00:36 verified device with serial number: 1234567

This only proves that you have the “right” device which you can further rely on. Attest action is not protected by PIN, key and cert in slot f9 are not unique, they are the same for part of devices, but you can upload your own. So it cannot be used to authentication instead use a dedicated authentication slot in your yubikey device.

More info about attestation:

https://developers.yubico.com/PIV/Introduction/PIV_attestation.html https://developers.yubico.com/yubico-piv-tool/Attestation.html