Although previous versions of the YubiKey (e.g. NEO and NEO-N) used an open-source Java applet to handle OpenPGP signing, encryption and authentication, it is unclear from the Yubico website/documentation whether this is also true for the newer YubiKey 4.
No, the Yubikey 4 is not Open Source:
The implementation is not open source, that is correct. We have both internal and external review of our code to ensure that it is secure. It's important to remember that open source code is no guarantee that bugs/vulnerabilities will be detected, as the bug you've linked to demonstrates quite well. The bug was inherited from the upstream project which ykneo-openpgp is based on, and was NOT detected by any audit of the source code. It was interaction with the device itself which led to its discovery.
We're all for open source, and we try to open source as much of our code as possible when and where it makes sense, but in this case it was determined not to be so. One reason is that on the YubiKey NEO, each applet runs in its own sandbox, isolated from the rest of the system and can be audited/reasoned about on its own. This is not the case on the YubiKey 4, where each part of the system interacts with several others. Another reason that ykneo-openpgp was implemented as an open source project (aside from being able to leverage an existing project) was that it was useful for others, as it can run on a variety of devices. Again, this is not the case for the implementation running on the YubiKey 4.
Although older devices such as the Yubikey NEO used an Open Source applet, the newer Yubikey 4 devices quietly switched to a proprietary, closed-source implementation.
Since this answer was posted, an official statement that explains the decision was posted on the YubiKey blog: https://www.yubico.com/2016/05/secure-hardware-vs-open-source/ – mschwaig Jul 16 '17 at 09:52