FIDO2 PCSC specifics? #691

1Dragoon · 2023-04-16T23:25:16Z

1Dragoon
Apr 16, 2023

I'm following the documentation here:

https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-client-to-authenticator-protocol-v2.0-rd-20170927.html#iso7816-iso14443-and-near-field-communication-nfc

For another fido2 key I have (Cryptnox FIDO2 card) this APDU appears to work:

0x00, 0xA4, 0x04, 0x00, 0x05, 0xa0, 0x00, 0x00, 0x06, 0x47

However on the yubikey it does not. Here are the respective responses I get:

Reader: HID Global OMNIKEY 5022 Smart Card Reader 0
Reply: U2F_V2
Status: [90, 00]: No Error = (short)
Reader: Yubico YubiKey OTP+FIDO+CCID 0
Reply: [6a, 82]
Status: [6a, 82]: File not found

The FIDO alliance specs say that this is the correct way to detect a FIDO2 device, but given that doesn't work for yubikeys, is there another way?

Also, I don't understand the documentation on the yubico site. Everything I send to it from there responds with invalid INS. I understand there's the inner APDU for FIDO2 specifics, but even trying the outer one mentioned doesn't appear to work.

Answered by LDVG

Apr 17, 2023

Hi,

The YubiKey will only return a successful response to a ISO7816/ISO14443 FIDO2 applet selection over NFC.

For another fido2 key I have (Cryptnox FIDO2 card) this APDU appears to work:
0x00, 0xA4, 0x04, 0x00, 0x05, 0xa0, 0x00, 0x00, 0x06, 0x47

Per CTAP 2.1 § 11.3.3. Applet selection, the complete AID is

Field	Value
RID	0xA000000647
PIX	0x2F0001

Communicating with a YubiKey 5 over NFC using a HID Omnikey reader:

$ echo 00 A4 04 00 08 A0 00 00 06 47 2F 00 01 | scriptor
No reader given: using HID Global OMNIKEY 5022 Smart Card Reader 
Using T=1 protocol
Reading commands from STDIN
> 00 A4 04 00 08 A0 00 00 06 47 2F 00 01
< 55 32 46 5F 56 32 90 00 : Normal processing.

The …

View full answer

LDVG · 2023-04-17T06:39:46Z

LDVG
Apr 17, 2023
Maintainer

Hi,

The YubiKey will only return a successful response to a ISO7816/ISO14443 FIDO2 applet selection over NFC.

For another fido2 key I have (Cryptnox FIDO2 card) this APDU appears to work:
0x00, 0xA4, 0x04, 0x00, 0x05, 0xa0, 0x00, 0x00, 0x06, 0x47

Per CTAP 2.1 § 11.3.3. Applet selection, the complete AID is

Field	Value
RID	0xA000000647
PIX	0x2F0001

Communicating with a YubiKey 5 over NFC using a HID Omnikey reader:

$ echo 00 A4 04 00 08 A0 00 00 06 47 2F 00 01 | scriptor
No reader given: using HID Global OMNIKEY 5022 Smart Card Reader 
Using T=1 protocol
Reading commands from STDIN
> 00 A4 04 00 08 A0 00 00 06 47 2F 00 01
< 55 32 46 5F 56 32 90 00 : Normal processing.

The FIDO alliance specs say that this is the correct way to detect a FIDO2 device, but given that doesn't work for yubikeys, is there another way?

Over NFC, the above is correct.

Over USB, the correct way would be to examine the USB HID report descriptor(s), please see CTAP 2.1 § 11.2.8.2. HID report descriptor and device discovery.

1 reply

1Dragoon Apr 17, 2023
Author

Ooh thanks for that link, it's way better than what I've found so far. Interestingly, the first document suggests P2 should be 0x0C. That works for other fido2 devices but not yubikeys. Yubikey will work when P2 is 0x00. I wonder where that discrepancy is from?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

FIDO2 PCSC specifics? #691

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

FIDO2 PCSC specifics? #691

Uh oh!

1Dragoon Apr 16, 2023

Replies: 1 comment · 1 reply

Uh oh!

Uh oh!

LDVG Apr 17, 2023 Maintainer

Uh oh!

Uh oh!

1Dragoon Apr 17, 2023 Author

1Dragoon
Apr 16, 2023

Replies: 1 comment 1 reply

LDVG
Apr 17, 2023
Maintainer

1Dragoon Apr 17, 2023
Author