Yubico Secure Channel Technical Description

Introduction to Yubico Secure Channel

Yubico has implemented a subset of the (GlobalPlatform Secure Channel Protocol 03) Secure channel specification: specifically, only the most secure implementation including command and response message authentication code (MAC) and encryption.

At the highest level, implementing a secure channel consists of providing overhearing and tampering resistance to information being sent between an external service, like a Credential Management Solution (CMS) and a smart card. Overhearing resistance is accomplished by the AES encryption of all commands being sent and received by use of a unique, private symmetric AES key. Tamper resistance is included by sending a securely encrypted MAC of both the commands and associated responses using an AES key unique to each session. Since these protections are applied to the data at the endpoints of the communication channel, a standard CCID interface can be used without modification, supporting native flows in Windows, Linux and other systems.

On the YubiKey, all of the secure channel operations occur within the secure cryptographic processor, with the plain text of the communication never exposed to outside observers.

_images/flow-when-initializing-a-secure-channel-on-a-yubikey.png

Flow when Initializing a Secure Channel on a YubiKey

YubiKey Secure Channel Support

The YubiKey Secure Channel implementation is separate from the rest of the functionality on the YubiKey. It is only active when a secure channel is established and sits between the input of APDU commands sent into the secure element and the applications on the YubiKey. As such, any command which can be sent as an APDU over CCID can use secure channel, regardless if it is for PIV, OTP or other supported functions. The only exceptions are the FIDO protocols (U2F/WebAuthn), as they do not support communication over the CCID channel.

Transport Keys and Session Keys

Key Usage Creation
Static Secure Channel
Encryption Key
(Key-ENC)
Generate session key
for Decryption/
Encryption (AES)
Imported from
Trusted source

Static Secure Channel
Message Authentication
Code Key (Key-MAC)


Generate session key for
Secure Channel
authentication and Secure
Channel MAC Verification
and Generation (AES)
Imported from
Trusted source



Data Encryption Key
(Key-DEK)


Sensitive Data Decryption
(AES) used for encryption
other Transport key sets
on import
Imported from
Trusted source


Session Secure Channel
Encryption Key (S-ENC)

Used for data
confidentiality

Dynamically
Created Per
Session
Secure Channel Message
Authentication Code
Key for Command (S-MAC)
Used for data and
protocol integrity

Dynamically
Created Per
Session
Secure Channel Message
Authentication Code
Key for Response
(S-RMAC)
User for data and
protocol integrity


Dynamically
Created Per
Session

The Yubico Secure Channel uses two types of AES keys as defined in the SCP03 specifications; these are organized in the static, externally sourced and imported transport keys, and the dynamic, internally generated session keys. The YubiKey can hold up to 3 transport key sets, and generates unique session keys for each session.

Transport Keys

A Transport Key set is made of 3 AES keys:

  • Secure Channel Encryption Key (KEY-ENC)
  • Secure Channel Message Authentication Code Key (Key-MAC)
  • Data Encryption Key (Key-DEK)

The transport key sets used for establishing the secure channels are protected in the SCP03 security domain in the secure element. A transport key set contains three long-lived keys, imported from an external source. When a session is established, the session keys are derived from the long-lived transport key set.

The YubiKey security domain can store three concurrent long-lived transport key sets. In order to import new transport key sets, a secure channel must be established with the security domain. This has to be done with a previously loaded transport key set or the default transport key set.

The Secure Channel Encryption Key is used when initializing a session to generate the Session Secure Channel Encryption Key to be used during that session. Likewise, the Secure Channel MAC Key is used to generate the Session Secure Channel MAC key for Command and Session Secure Channel MAC Key for Response. The Data Encryption Key is only used when importing new transport key sets; the keys to be imported must be encrypted with a known Data Encryption key.

The Transport keys are imported from a CMS or HSM over an established secure channel. YubiKeys are shipped with either default values for the transport keys, or values derived from a Batch Master Key set at programming. Transport keys can and should be rotated on a regular basis depending on the threat model for the organization. Once overwritten on a YubiKey, Transport keys cannot be restored, so they should be archived on the CMS if necessary.

Session Keys

The Session Key set is made of 3 AES keys:

  • Session Secure Channel Encryption Key (S-ENC)
  • Secure Channel Message Authentication Code Key for Command (S-MAC)
  • Secure Channel Message Authentication Code Key for Response (S-RMAC)

Session keys are all dynamically generated at the start of each session, using the Secure Channel Encryption and MAC Transport Keys, as well as the challenge sent from the client at the session start. For more details, refer to the GP SCP03 spec, section 4.1.5.

Every command sent over a secure channel between a client or CMS and a YubiKey is encrypted with the Session Secure Channel Encryption Key. Further, each command from the client has a MAC generated from the contents of the encrypted command APDU and the Session MAC key for Command. This MAC value is used to verify the authenticity of the command sent. Each command MAC value is based off the previous command MAC, enabling a chain which can be verified to ensure the data was not tampered in transit, nor is a command being replayed.

The Response MAC is generated using the encrypted response APDU from the YubiKey and the Session MAC key for Response. Each Response MAC also includes a value derived from the original command MAC sent from the client, providing a verification that the data included in the response corresponds to the last command sent.

Establishing a Secure Channel

A client connecting to any CCID function on the YubiKey, can establish a secure channel at the start of a session. Once a session has been started with a secure channel, all communication to and from the YubiKey over that session must be encrypted; sending a command in plain text will not be accepted and immediately end the session, removing any authorizations granted previously.

To begin, the client will identify the function they wish to communicate with and send the Initialize Update command.

_images/yubikey-secure-channel-initialize-update-flow.png

YubiKey Secure Channel Initialize Update Flow

Step 1:

When a client starts the process of establishing a secure channel with the YubiKey, it will select the Transport key set on the YubiKey to be used, as well as generating a unique challenge. This challenge will be used by the client to derive the session keys which will be utilized going forward. The Initialize Update command is sent from the client, which includes the challenge and Transport Key set identifier, to the YubiKey’s CCID function they want to establish a secure channel with.

Step 2:

The YubiKey, upon receiving an Initialize Update command when a client is starting a session with any CCID facing function, will direct communication between a client and the YubiKey to the Secure Channel function for the remainder of the session. The Secure Channel Function will use the Transport Key Identifier to select the Transport Key set in memory to use. The YubiKey will generate a card challenge and use it, along with the challenge provided from the client, to derive the Session keys for Encryption and MAC using the selected Transport Key set.

The YubiKey will then generate a command MAC from the previously internally generated card challenge using the Session Command MAC key (S-MAC). The card challenge from the YubiKey and associated MAC are sent back to the client.

Step 3:

The client, upon receiving the response from the YubiKey, derives the session keys using the transport key set, the original challenge and the card challenge from the YubiKey. The client then verifies the MAC using the session keys it had generated. Upon a successful verification, the client can be confident that the YubiKey has generated matching session keys. However, at this point, the YubiKey does not know if the client has the correct key set.

To authorize the YubiKey to accept commands from the client, the External Authenticate command must be run next.

_images/yubikey-secure-channel-external-authenticate-flow.png

YubiKey Secure Channel External Authenticate flow

Step 1:The External Authenticate flow starts with the client receiving the card challenge from the YubiKey created during the Initialize Update command. From that point, the client will define the session security settings - the YubiKey only supports the strictest option, with both commands and responses encrypted and have associated MACs generated. As with the Initialize Update flow, the client creates a challenge and encrypts it with the session encryption key. However, a MAC value from the previous challenge is also created and appended to the challenge, creating a chain of commands to be tracked. The Challenge and MAC chain value are then used to create a command MAC using the S-MAC key, and both are sent to the YubiKey.
Step 2:The YubiKey receives the External Authenticate command, and verifies the Challenge using the MAC value and S-MAC key. The MAC Chain is then verified, confirming that the client has the same session keys and a secure channel has been created. At that point, the challenge is decrypted using the S-ENC key, and a response is created. In addition, the challenge from the client is used to create a new MAC chain value, which is appended to the response.
Step 3:The response and MAC Chain value are used to generate a response MAC using the S-RMAC key. Then the response and associated MAC are sent from the YubiKey back to the client. At this point, the response MAC is verified using the S-RMAC key, the MAC Chain value is verified against the command sent previously, and the response is decrypted.

At this point, a secure channel has been established between the client and the YubiKey.

Communicating Over Secure Channel

_images/communicating-over-secure-channel.png

Communicating Over Secure Channel Flow

When Command APDU is sent over an established secure channel, the Yubico Secure Channel follows an encrypt then MAC approach.

Step 1:The command APDU is first encrypted using the Session Encryption Key (S-ENC). It is important to note that any APDU delivering instructions or data (such as a key or certificate) to a YubiKey is considered a Command APDU. Sending an unencrypted command will end the current session and will remove any authorizations.
Step 2:A command MAC is created using the Session MAC key (S-MAC) using the encrypted APDU along with a MAC chain value created from the previous Command MAC. This is sent to the YubiKey.
Step 3:The YubiKey verifies the command MAC, then verifies the MAC Chain links to the previous command sent.
Step 4:With the MAC values verified, the command is decrypted and passed to the YubiKey functionality. A response from the function being communicated with is returned.
Step 5:The response is encrypted with the S-ENC key, then has a MAC chain value derived from the command appended to it. The response and chain MAC value are used with the Session Response MAC key to generate a response MAC. The Response and Response MAC are sent back to the client.
Step 6:The client performs the same operations, verifying the response MAC, verifying the MAC chain, then decrypting the response. The Response APDU are passed to the client.