
YubiHSM 2

Version 2.1

  • New Feature: USB Direct Support
  • General-purpose hardware security module
  • Supports asymmetric cryptography
  • Works with Windows, Linux and Mac
  • USB-A interface


SKU: YHSM2-TK

Description

YubiHSM 2 is a hardware security module that provides strong protection against phishing and malware attacks for the root keys of certificate authorities hosted on servers. Being economical and affordable, it can be deployed easily in any enterprise. It provides a high level of security for organizations using Microsoft Active Directory Certificate Services, with a reliable approach to generating, storing and distributing digital keys. Its ergonomic “nano” form factor fits fully inside the USB port, which eliminates the need for additional, bulky equipment and allows keys to be transferred and backed up offline.

YubiHSM 2 features are available through Yubico’s Key Storage Provider (KSP) for Microsoft CNG, through the industry-standard PKCS#11 interface, or through native libraries for Windows, Linux, and macOS.

YubiHSM 2 can be used as a comprehensive toolkit for a wide range of open source and commercial applications. It is most commonly used for hardware-backed generation and verification of digital signatures.


Usage

Enhances Cryptographic Key Security
YubiHSM 2 provides robust methods for generating, storing and distributing digital keys. Keys are protected in secure hardware on the device, separate from the operations conducted on the server. It is mostly used to protect the root keys of certificate authorities. YubiHSM 2 capabilities include key generation, storage, signing, decryption, hashing and key wrapping.

Conducts Hardware Cryptographic Operations
YubiHSM 2 can be used as a comprehensive toolkit for a wide range of open source and commercial applications, covering many products and services. It is most often used for hardware-backed generation and verification of signatures.

Protects Microsoft Active Directory Certificates
YubiHSM 2 can provide hardware-protected keys for a public key infrastructure based on Microsoft products. Deploying YubiHSM 2 with Microsoft Active Directory Certificate Services protects not only the root keys of certificate authorities, but also all the signing and verification services that use them.

  • Secure Operations and Key Storage
  • Advanced cryptographic capabilities: RSA, ECC, ECDSA, EdDSA (ed25519), SHA-2, AES
  • Secure Session between HSM and Application
  • Role-based access control for key usage and distribution
  • 16 simultaneous connections
  • Ability to provide network access
  • Remote control
  • Unique “Nano” form factor, low power consumption
  • Key wrapping with M of N shares, backup and restore
  • Interface based on YubiHSM KSP, PKCS#11, and native libraries
  • Tamper-evident audit log

Capabilities

Secure Operations and Key Storage

Create, import and store keys, then perform cryptographic operations inside the HSM hardware so that keys cannot be stolen either in use or at rest. This protects against logical attacks on the server, such as zero-day vulnerabilities or malware, as well as against the consequences of physical theft of the server or its hard disk.

Advanced Cryptographic Features

YubiHSM 2 supports hashing, key wrapping, asymmetric signing and decryption, including Edwards-curve signatures with ed25519. Attestation is available for asymmetric key pairs generated on the device.

Secure Session between HSM and Application

A mutually authenticated tunnel with integrity and confidentiality protection secures all data transferred between the HSM and the applications.

Role-based access control for key usage and distribution

All cryptographic keys and other objects within the HSM belong to one or more security domains. Each authentication key is assigned, at creation time, a set of access rights that allows a defined set of cryptographic or administrative operations to be performed within its security domains. Administrators assign rights to keys based on their intended use; for example, an event monitoring application requires the ability to read the audit log inside the HSM, a Registration Authority needs to sign digital certificates for end users, and a security domain administrator needs to create or delete cryptographic keys.

16 simultaneous connections

Multiple applications can establish sessions with YubiHSM 2 for cryptographic operations. Sessions can be terminated automatically after a period of inactivity, or kept open to improve performance by eliminating the time needed to set up a new session.

Ability to provide network access

To increase deployment flexibility, network access to YubiHSM 2 can be provided to applications located on other servers. This is particularly convenient when many virtual machines are hosted on the same physical server.

Remote control

Easily manage many YubiHSM modules deployed remotely across the whole enterprise, eliminating the difficulties and travel costs of sending staff on site.

Unique “Nano” form factor, low power consumption

The “Nano” form factor developed by Yubico allows the security module to sit completely inside a USB-A port, ensuring compactness with nothing protruding from the back of the server or the front of the chassis. It consumes minimal power – max. 30 mA – which helps save on energy costs.

Key wrapping with M of N shares, backup and restore

Backing up and restoring cryptographic keys onto multiple security modules is critical to an enterprise security architecture, and it is risky to entrust this capability to a single person. YubiHSM supports an M of N rule for the wrap key used to export keys for later recovery or relocation, so that several administrators are required to import and decrypt the key before it can be used on additional security modules. For example, an enterprise’s Active Directory Certificate Authority private root key can be wrapped for 7 administrators (M = 7), and at least 4 of them (N = 4) are required to import and unwrap (decrypt) the key on a new security module.

Interface based on YubiHSM KSP, PKCS#11, and native libraries

Cryptographic applications can use YubiHSM 2 through the Yubico Key Storage Provider (KSP) for Microsoft CNG or through the industry-standard PKCS#11 interface. Native libraries for direct access to the device’s capabilities are available for Windows, Linux, and macOS.

Tamper-evident audit log

Inside YubiHSM 2, a log of all cryptographic and administrative operations carried out on the device is stored, and this log can be exported for further monitoring and reporting. Each event (row) in the log includes a hash of the previous row and is signed, which allows the deletion or modification of events to be detected.
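The tamper-evidence property described above, shown on a small constructed model of a hash-chained, signed log. This is an added illustration in Python, not YubiHSM 2 code and not its log format; the HMAC key stands in for the device’s signing key, and the commands and key IDs are made-up sample values.

```python
import hashlib
import hmac
import json

# Constructed model of a hash-chained, signed audit log (not the YubiHSM 2 log
# format). The HMAC key stands in for the device's signing key: someone who can
# edit the exported log but does not hold this key cannot re-sign entries.
LOG_KEY = b"constructed-example-log-signing-key"
GENESIS = "0" * 64  # prev_hash recorded in the very first entry

def _entry_hash(fields):
    """Hash over the entry's own fields, which include the previous entry's hash."""
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

def append_entry(log, command, key_id, key=LOG_KEY):
    """Append an event that binds the previous entry's hash and carries a signature."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    fields = {"index": len(log) + 1, "command": command,
              "key_id": key_id, "prev_hash": prev_hash}
    h = _entry_hash(fields)
    sig = hmac.new(key, h.encode(), hashlib.sha256).hexdigest()
    log.append({**fields, "hash": h, "sig": sig})
    return log

def verify_log(log, key=LOG_KEY, expected_count=None):
    """Return (ok, reason). Detects edited, deleted or reordered entries; silent
    truncation of the tail is only detectable against an expected entry count."""
    if expected_count is not None and len(log) != expected_count:
        return False, f"expected {expected_count} entries, found {len(log)}"
    prev_hash = GENESIS
    for pos, e in enumerate(log, start=1):
        fields = {k: e[k] for k in ("index", "command", "key_id", "prev_hash")}
        if e["index"] != pos:
            return False, f"gap or reorder at position {pos} (index {e['index']})"
        if e["prev_hash"] != prev_hash:
            return False, f"chain broken at entry {pos}"
        if _entry_hash(fields) != e["hash"]:
            return False, f"entry {pos} content modified"
        expected_sig = hmac.new(key, e["hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, e["sig"]):
            return False, f"entry {pos} signature invalid"
        prev_hash = e["hash"]
    return True, "log intact"

def build_sample_log():
    """Constructed sample export: three events with made-up commands and key IDs."""
    log = []
    for cmd, kid in (("sign-pkcs1", 0x0010), ("decrypt-oaep", 0x0010), ("delete-object", 0x0020)):
        append_entry(log, cmd, kid)
    return log
```

Removing an entry from the middle breaks the chain, and editing an entry invalidates its hash and signature; only dropping the newest entries goes unnoticed unless the verifier knows how many entries to expect, which is why the last exported index should be kept with the monitoring records.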

USB support

New feature: YubiHSM 2 can communicate with the USB hardware layer directly, without the need for an intermediate HTTP mechanism. This lets developers simplify the development of solutions for virtualized environments.


Additional information

Weight 0.010 kg
Dimensions 10 × 10 × 3 cm
Quantity 1 key
Packaging type Individual packaging

Supports operating systems

Windows, Linux, macOS
Operating System   Version                                                                        Architecture
Linux              CentOS 6, CentOS 7, Debian 8, Debian 9, Fedora 25, Ubuntu 14.04, Ubuntu 16.04  amd64
Windows            Windows 10, Windows Server 2012, Windows Server 2016                           amd64
macOS              10.12 Sierra, 10.13 High Sierra                                                amd64

Cryptographic Interfaces (APIs)

  • Microsoft CNG (KSP)
  • PKCS#11 (Windows, Linux, macOS)
  • Native YubiHSM Core Libraries (C, python)

Cryptographic capabilities

Hashing (used with HMAC and asymmetric signatures)

  • SHA-1, SHA-256, SHA-384, SHA-512

RSA

  • 2048, 3072, and 4096-bit keys
  • Signing using PKCS#1 v1.5 and PSS
  • Decryption using PKCS#1 v1.5 and OAEP

Elliptic curve cryptography (ECC)

  • Curves: secp224r1, secp256r1, secp256k1, secp384r1, secp521r1, bp256r1, bp384r1, bp512r1, curve25519
  • Signing: ECDSA (all except curve25519), EdDSA (curve25519 only)
  • Decryption: ECDH (all except curve25519)

Key wrap

  • Import and export using NIST AES-CCM Wrap at 128, 192, and 256 bits

Random numbers

  • On-chip True Random Number Generator (TRNG) used to seed NIST SP 800-90 AES 256 CTR_DRBG

Attestation

  • Asymmetric key pairs generated on-device may be attested using a factory certified attestation key and certificate, or using your own key and certificate imported into the HSM

Performance

Performance varies depending on usage. Example metrics from an otherwise idle YubiHSM 2:
  • RSA-2048-PKCS1-SHA256: ~139ms avg
  • RSA-3072-PKCS1-SHA384: ~504ms avg
  • RSA-4096-PKCS1-SHA512: ~852ms avg
  • ECDSA-P256-SHA256: ~73ms avg
  • ECDSA-P384-SHA384: ~120ms avg
  • ECDSA-P521-SHA512: ~210ms avg
  • EdDSA-25519-32 Byte: ~105ms avg
  • EdDSA-25519-64 Byte: ~121ms avg
  • EdDSA-25519-128 Byte: ~137ms avg
  • EdDSA-25519-256 Byte: ~168ms avg
  • EdDSA-25519-512 Byte: ~229ms avg
  • EdDSA-25519-1024 Byte: ~353ms avg
  • AES-(128|192|256)-CCM-Wrap: ~10ms avg
  • HMAC-SHA-(1|256): ~4ms avg
  • HMAC-SHA-(384|512): ~243ms avg

Storage capacity

  • All data is stored as objects: 256 object slots, 128 KB (base 10) max total
  • Stores up to 127 RSA-2048, 93 RSA-3072, 68 RSA-4096 or 255 keys of any elliptic curve type, assuming only one authentication key is present
  • Object types: authentication keys (used to establish sessions); asymmetric private keys; opaque binary data objects, e.g. X.509 certificates; wrap keys; HMAC keys

Management

  • Mutual authentication and secure channel between applications and HSM
  • M of N unwrap key restore via YubiHSM Setup Tool

Software development kit (SDK)

SDK for YubiHSM 2 includes:
  • Library YubiHSM Core (libyubihsm) for C, Python
  • YubiHSM Shell (command line configuration)
  • PKCS#11 module
  • YubiKey Key Storage Provider (KSP) for Windows
  • YubiHSM Connector
  • YubiHSM Setup Tool
  • Code Signing Example

Host interface

  • USB 1.x Full Speed (12 Mbit/s) peripheral with bulk interface

Physical Characteristics

  • Form factor: nano designed for confined spaces such as internal USB ports in servers
  • Dimensions: 12 mm × 13 mm × 3.1 mm
  • Weight: 1g
  • Current requirements: 20 mA avg, 30 mA max.
  • USB-A

Environmental Compliance

  • FCC
  • CE
  • WEEE
  • RoHS