
I want to store a secret on YubiKey and use it for disk encryption. It's crucial that it be PIN protected. There are a limited number of PIN tries, and after three attempts the YubiKey would be blocked (self-destructed).

All the solutions I have found (like this one) are based on a HMAC-challenge-response YubiKey application which calculates SHA1-HMAC from the password and mixes the hash to/with the password. It protects against brute-force attack but not against rubber-hose cryptanalysis (waterboarding, etc.).

The problem is HMAC-chal./resp. is not PIN protected, and it seems YubiKey can't store a PIN-protected secret directly.

I found and implemented two solutions based on PIV.

  1. I generate a new RSA 2048-bit key on the secret slot, use the key to encrypt a random secret and store the encrypted secret in the PIV slot as an object (a certificate is usually stored there).

  2. I have constant encrypted data ("constant data" means actually hardcoded "const char * data = {....3,5,87... }"). I generate a new RSA 2048-bit key on the selected slot. To obtain the secret, I just decrypt the constant data. I could sign the data and use the signature as the secret, but YubiKey mixes some random data into the signature, so it's not deterministic and can't be used.

To make it more secure, I could even drop the public key, so even the public variables of the key become unknown.

I'm convinced (1) is as secure as YubiKey is, but I'm not sure about (2). I like (2) much more than (1) since it doesn't use the objects for something which they are not supposed to be used for.

Is it OK to use RSA this way? Has anybody thought about similar YubiKey usage?

kelalaka
smrt28

1 Answer

Use (1) along with enabling and forcing the admin PIN and potentially the card PIN. You can then force touch auth, which would require the PIN to unlock the YubiKey, and then continue as mentioned in (1).

linuxdev2013