docs: re YubiKey Manager and PIN bruteforcing

[dagheyman]

README states:

yubikey-agent -setup generates a random Management Key and stores it in PIN-protected metadata. Note that this is a different scheme from the ykman one, which enables PIN bruteforcing.

I think this is referring to an older scheme used by the YubiKey PIV Manager.

ykman can actually store the management key in a pin protected part of the device, using the --protect flag. I have not verified it yet, but it looks like yubikey-agent and ykman should be compatible in this regard.

[joneskoo]

@dagheyman The README is correct and refers to this in the yubikey-agent -setup:

yubikey-agent/setup.go

Lines 102 to 106 in 300b62a

	var key [24]byte
	if _, err := rand.Read(key[:]); err != nil {
	log.Fatal(err)
	}
	if err := yk.SetManagementKey(piv.DefaultManagementKey, key); err != nil {

The management key is discarded by yubikey-agent. Are you suggesting yubikey-agent should not destroy the management key and instead use the PIN protection for keeping the management key?

[joneskoo]

Or maybe it is my misunderstanding and the management key can actually be used via PIN? This should be the implementation

https://github.com/go-piv/piv-go/blob/2184bb6b48d35daef927bc6e5a8330d3e2b877fd/piv/piv.go#L468-L483

[FiloSottile]

ykman can actually store the management key in a pin protected part of the device, using the --protect flag. I have not verified it yet, but it looks like yubikey-agent and ykman should be compatible in this regard.

All the ykman docs I could find, and a cursory source review, seemed to suggest the management key is derived from the PIN with PBKDF2. If they moved to PIN-protected metadata, could you point me to any relevant docs or code?

[dagheyman]

Sure, the help page for ykman piv change-management key mentions the --protect option.

$ ykman piv change-management-key -h
Usage: ykman piv change-management-key [OPTIONS]

  Change the management key.

  Management functionality is guarded by a 24 byte management key. This key is required for administrative tasks, such as generating key pairs. A
  random key may be generated and stored on the YubiKey, protected by PIN.

Options:
  -P, --pin TEXT                 PIN code.
  -t, --touch                    Require touch on YubiKey when prompted for management key.
  -n, --new-management-key TEXT  A new management key.
  -m, --management-key TEXT      Current management key.
  -p, --protect                  Store new management key on your YubiKey, protected by PIN. A random key will be used if no key is provided.
  -g, --generate                 Generate a random management key. Implied by --protect unless --new-management-key is also given. Conflicts with
                                 --new-management-key.

  -f, --force                    Confirm the action without prompting.
  -h, --help                     Show this message and exit.

Relevant code is here, what is called PIVMAN_PROTECTED_DATA is the PIV slot for printed information, which I believe the go library uses as well if I'm not reading it wrong.

I also tried running the yubikey-agent -setup and then ykman piv info, but it seems like ykman doesn't know that the management key is stored on the device, because it uses an additional always readable flag on the device to keep track of that.

Anyway, I don't see compatibility here as super important, I just wanted to update the docs to drop the note about PIN bruteforcing :) Will create a PR with that proposed change.

[FiloSottile]

Oh, awesome, glad to hear they dropped the old scheme!