Woho, so our friends at Yubico have released a new version of their .NET SDK. It is now on 1.11; this means support for the RSA3072 and RSA4096 algorithms for PIV. So it is time to update my PowerShell module for Yubikey. The latest version is available from the PowerShell Gallery as usual.
New stuff (if your Yubikey is 5.7 or later)
RSA3072 & RSA4096 algorithms
We can create an RSA3072 PIV Key
New-YubikeyPIVKey -Slot "PIV Authentication" -Algorithm Rsa3072 -PinPolicy Default -TouchPolicy Default
Move a key (and, if you want, a certificate) between slots
Lets you move a key instead of overwriting it or removing it.
Move-YubikeyPIV -SourceSlot "PIV Authentication" -DestinationSlot 0x9c -MigrateCertificate
Just get rid of a key
Before, you needed to overwrite keys; now you can just delete them.
Remove-YubikeyPIV -Slot "PIV Authentication"
Speed
I noticed that the speed when creating larger keys is really… noticeable. Below is a table of the time in seconds for creating keys. I did 20 tries per algorithm and Yubikey version.
Version | Algorithm | Average | Median | Minimum | Maximum |
---|---|---|---|---|---|
5.4.3 | Rsa1024 | 1.1 | 1.4 | 3.0 | 22.7 |
5.4.3 | Rsa2048 | 9.2 | 7.7 | 1.3 | 23.7 |
5.4.3 | EccP256 | 0.4 | 0.4 | 0.3 | 0.4 |
5.4.3 | EccP384 | 0.5 | 0.5 | 0.5 | 0.5 |
5.7 | Rsa1024 | 0.7 | 1.1 | 0.4 | 21.4 |
5.7 | Rsa2048 | 5.9 | 9.8 | 1.95 | 12.9 |
5.7 | Rsa3072 | 29.4 | 26.6 | 6.1 | 66.0 |
5.7 | Rsa4096 | 57.2 | 22.4 | 12.2 | 232.7 |
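
A timing harness that produces the same columns as the table above, given here as an added example rather than the script behind the original measurements or part of the module. `Measure-Repeated` is a hypothetical helper name. The loop assumes a Yubikey that is already connected and PIV-authenticated, firmware 5.7 or later for Rsa3072 and Rsa4096, and a slot whose existing key may be overwritten on every run.

```powershell
# Added example: times a script block repeatedly and reports summary statistics.
# Measure-Repeated is a hypothetical helper, not a cmdlet from the Yubikey module.
function Measure-Repeated {
    param(
        [Parameter(Mandatory)] [scriptblock] $Action,
        [ValidateRange(1, 1000)] [int] $Tries = 20
    )

    # Collect wall-clock seconds for each run; Measure-Command discards the output.
    $seconds = foreach ($i in 1..$Tries) {
        (Measure-Command -Expression $Action).TotalSeconds
    }

    # Median: middle value, or the mean of the two middle values for an even count.
    $sorted = @($seconds | Sort-Object)
    $mid = [int][math]::Floor($sorted.Count / 2)
    $median = if ($sorted.Count % 2) {
        $sorted[$mid]
    } else {
        ($sorted[$mid - 1] + $sorted[$mid]) / 2
    }

    $stats = $seconds | Measure-Object -Average -Minimum -Maximum
    [pscustomobject]@{
        Tries   = $Tries
        Average = [math]::Round($stats.Average, 1)
        Median  = [math]::Round($median, 1)
        Minimum = [math]::Round($stats.Minimum, 1)
        Maximum = [math]::Round($stats.Maximum, 1)
    }
}

# Assumption: the slot holds nothing you need, since each try generates a new key in it.
foreach ($alg in 'Rsa2048', 'Rsa3072', 'Rsa4096') {
    $result = Measure-Repeated -Tries 20 -Action {
        New-YubikeyPIVKey -Slot "PIV Authentication" -Algorithm $alg -PinPolicy Default -TouchPolicy Default
    }
    $result | Add-Member -NotePropertyName Algorithm -NotePropertyValue $alg -PassThru
}
```

RSA key generation searches for random primes, so individual runs vary a lot; reporting the median and the minimum/maximum alongside the average shows that spread.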