As of today, Yubico will start shipping the YubiKey 5 Series with firmware 5.4. This new firmware release will enable easier integration with Credential Management System (CMS) solutions, secure remote provisioning of YubiKeys, and expanded methods for PIV management.
Key benefits of the YubiKey Firmware Update for the YubiKey 5 Series with 5.4 firmware include:
- Improved security for integration with CMS services by enabling secure remote provisioning of YubiKeys for CMS vendors through an encrypted transport protocol. Secure channel communication to any host system (server, laptop, desktop, tablet, etc.) enables transfer of data that is resistant to eavesdropping and tampering.
- YubiKey and YubiHSM2 now work together: With this YubiKey firmware update, it is now possible to use a YubiKey to authenticate and establish a session to the YubiHSM2.
Yubico has developed two new modules that have been added in this release which will have a significant impact for our customers who have a PKI infrastructure secured with YubiHSM2 and YubiKey.
Secure Channel Protocol ‘03’ (SCP03)
We are enhancing our ability to integrate with CMS vendors by enabling support for Secure Channel Protocol ‘03’ to securely establish a mutually authenticated and encrypted communication channel to the YubiKey. SCP03 is a protocol that relies on the Encrypt-then-MAC method, a way of transferring data that is resistant to overhearing and tampering. A secure channel is always recommended to securely connect and manage the PIV application on the YubiKey.
Secure channel allows services and client software to obtain information and provision YubiKey PIV credentials from a remote centralized location. YubiKeys can be locked in such a way that only the CMS vendor can unlock and program keys for their enterprise customers, ensuring greater trust as YubiKeys are deployed to their employees or partners remotely.
With this YubiKey firmware update, we also introduce YubiHSM Auth, a new YubiKey module that serves as a key storage for authenticating against a YubiHSM2 with a YubiKey instead of using a session password only. To fully leverage this functionality you will need the latest release of YubiHSM2 SDK, which is available for download here.
Yubico is always working to advance the functionality and security of our products, and we thank our users for their continued product feedback and support to drive technical improvements like the ones listed above.
To purchase a YubiKey with the most recent firmware, visit Yubico.com, request a Yubico sales consultation, or contact any of Yubico’s official channel partners. To learn more about which firmware version your devices have, please use the YubiKey Manager.