YubiKey NEO Updates

July 18, 2014 3 minute read

UPDATE: YubiKeys with serial numbers 2624253 to 2624449 and 2624801 to 2625499 are also not configured with fixed card manager keys.

Our YubiKey NEO, is a JavaCard-based product. The NEO has a set of card manager keys that allows you to delete/add/update the software “applets” running on the NEO, through the Global Platform interface.

We launched the YubiKey NEO as a “Developer Edition”, and as such, the card manager keys were set to a single value to facilitate development.

For production use we don’t recommend this, since anything you can do is also something an attacker can do, thus potentially achieving a denial of service of your NEO by (for example) removing all applets on it. (Note that the card manager keys does not give anyone the ability to extract secrets, that’s by design never possible.) As the Yubico applets have now reached a reasonable level of maturity, we are proactively changing our processes around card manager keys. The YubiKey NEOs that have shipped from July 1st 2014, starting with serial number 3,000,000, are no longer configured with the fixed card manager keys.

What does this mean if you are an existing YubiKey NEO customer? If you are concerned with someone else modifying the software on your NEO we recommend that you change the card manager keys. Global Platform can be used to change the card manager keys.

Initially we targeted YubiKey NEO towards early adopters and developers; now the majority of our customers are moving to production deployment and require production devices. What does this mean if you want to develop applets for the YubiKey NEO? We are setting up a YubiKey NEO Developers program for you to order YubiKey NEO “Developer Edition” that come with the known card manager keys, so you can load and delete applets as you wish, and services for Yubico to load your applets onto production YubiKey NEO for your customers. We will announce the launch of the YubiKey NEO Developer program here and on our social media channels.

We are improving the way we set-up the OpenPGP applet on YubiKey NEO; from shipments made today, we now set the card serial number to be the same as the YubiKey laser etched serial number; that’s important if you have multiple YubiKey NEO. Secondly, we are shipping version 1.0.6 of the OpenPGP applet that works with GnuPG version 2.0.22+ and supports import of secret keys – for some informal hints see my personal blog post on GnuPG and NEO usage.

Share this article:

Recommended content

What is OpenPGP?

Learn More Using your YubiKey with OpenPGP Developer Resources What is PGP? YubiKey 5.2.3 Enhancements to OpenPGP 3.4 Support


5 Simple Ways to Get Started with Your YubiKey

What are your go-to apps? There are several applications and services that many of us use weekly, and in most cases, daily — Gmail, Facebook, Dropbox, a password manager — and the good news is that all of these support the YubiKey for strong authentication. And now, there is one more to add to the ...


YubiKey NEO OpenPGP Security Bug

Yubico recently learned of a security issue with the OpenPGP Card applet project that is used in the YubiKey NEO. If you are not using OpenPGP, or have the OpenPGP applet version 1.0.10 or later, this vulnerability does not apply to you. The OpenPGP Card applet defect was inherited from the open-source software project “javacardopenpgp.” The ...


Does Key Size Really Matter in Cryptography?

One of the most interesting and useful aspects of the YubiKey NEO and NEO-n is that they can act as a smart card and come pre-loaded with a bunch of interesting applications, such as an implementation of OpenPGP Card. Many end-users like this functionality, but some question the key lengths. It’s an expected cryptographic question ...