YubiKey and 4096 bit RSA support
Yesterday I received my YubiKey 4. I ordered it so I could safely store my 4096 bit code signing certificate. Turns out this is not possible, despite YubiKey claiming "YubiKey 4 now supports RSA keys up to 4096 bits!" in a blog post and in their product comparison. What!?
Turns out the lack of support is not so much their fault:
Thank you for contacting Yubico Support. The NIST Specification for PIV specifies a maximum 2048 RSA, so our PIV applications do not currently support any greater sizes. If the PIV specifications change to support 4096 RSA, the PIV Tools will be updated accordingly. The YubiKey 4 hardware itself is capable of 4096 keys. No other middleware that supports the PIV specification supports 4096 keys either (unless you can point us to another application that does support this use case).
YubiKey should really update their product comparison to reflect this. Right now it just says 4096 bit support without any warnings.
Still, how did this lack of 4096 bit support happen in the first place?
The latest NIST document on Personal Identity Verification is NIST SP 800-78-4. It turns out that support for 4096 bit keys was actually REMOVED in an earlier revision (SP 800-78-2):
The final release of FIPS 186-3 Digital Signature Standard, published in June 2009, does not list RSA 4096 as an approved digital signature algorithm and key size for use in the federal government. To comply with FIPS 186-3, SP 800-78-2 accordingly removes RSA 4096 as an algorithm and key size for generating signatures for PIV data objects.
What the ..? Why would you do that? And why keep it that way, even in 2017?
Now I'm effectively punished for using a stronger key: I don't get the option of a more secure key store for it.
Fortunately the YubiKey supports two cryptographic interfaces. The other one is the OpenPGP interface, which does support 4096 bit RSA. So I can still use it for storing my 4096 bit GnuPG key, which is a nice improvement over my YubiKey 2 from a few years back, which only supported 2048 bit keys. Still... I'm rather stunned by the lack of 4096 support when I want to use it for Authenticode purposes.
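As an added example (not code from the post or from Yubico), here is a small check of the kind that would have saved the surprise: read the modulus size out of a PKCS#1 RSA public key blob and report which YubiKey 4 applet can hold it, using the limits stated above (PIV at most 2048 bits per SP 800-78, OpenPGP up to 4096). The DER encoder only exists to build constructed dummy keys offline; the moduli are not real keys.

```python
# Added example, not from the post: measure an RSA key's modulus and see which
# YubiKey 4 applet can hold it. Limits as stated in the post: PIV follows
# NIST SP 800-78 (RSA <= 2048 bits), OpenPGP accepts RSA up to 4096 bits.
APPLET_MAX_RSA_BITS = {"PIV": 2048, "OpenPGP": 4096}

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(v):
    # (bit_length + 8) // 8 bytes is the minimal encoding that stays positive.
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + der_len(len(body)) + body

def rsa_public_key_der(n, e=65537):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = der_int(n) + der_int(e)
    return b"\x30" + der_len(len(body)) + body

def der_read(buf):
    """Read one TLV element; returns (tag, contents, remaining bytes)."""
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:  # long form: low bits count the length octets that follow
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], buf[pos + length:]

def rsa_modulus_bits(pkcs1_der):
    """Modulus bit length of a PKCS#1 RSAPublicKey blob (what tools print as 'RSA-2048')."""
    tag, seq, _ = der_read(pkcs1_der)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, modulus, _ = der_read(seq)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()

def usable_applets(bits):
    """Applets whose RSA limit admits a key of this size; empty list means neither."""
    return [name for name, cap in APPLET_MAX_RSA_BITS.items() if bits <= cap]

if __name__ == "__main__":
    # Constructed dummy moduli with the right bit lengths; these are not real keys.
    for n in (2**2047 + 1, 2**4095 + 1):
        bits = rsa_modulus_bits(rsa_public_key_der(n))
        print(f"{bits}-bit RSA -> {usable_applets(bits) or 'no applet'}")
```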