How to program a slot with a Yubico OTP credential
To program a slot with a Yubico OTP credential, you will use a ConfigureYubicoOtp instance. It is instantiated by calling the factory method of the same name on your OtpSession instance.
First, a clarification of terms is needed. “Yubico OTP” is both an OTP credential type and a challenge-response algorithm. In this context, we are referring to the credential type. A Yubico OTP credential is touch-activated. When you touch the YubiKey, it will emit a binary challenge using ModHex characters.
A Yubico OTP credential contains the following three parts, which must be set during instantiation:
Public ID
The public ID is a prefix that is prepended to the actual challenge; it is not used to generate the challenge. The serial number of the YubiKey is often used to generate this ID.
Private ID
The private ID is a six-byte value that is used as part of the algorithm to create a challenge and as a way to validate identity.
Key
The key is a 16-byte AES key that is used as the primary secret for the credential.
ConfigureYubicoOtp example
You can configure the ShortPress slot of your YubiKey with a Yubico OTP credential as follows:
using (OtpSession otp = new OtpSession(yKey))
{
// privateId and aesKey are Memory<byte> references.
otp.ConfigureYubicoOtp(Slot.ShortPress)
.UseSerialNumberAsPublicId()
.UsePrivateId(privateId)
.UseKey(aesKey)
.Execute();
}
In this example, we’re configuring a Yubico OTP credential using the serial number of the YubiKey to generate the public ID and supplying an existing private ID and AES key.
You can also generate a new private ID and AES key to use instead:
using (OtpSession otp = new OtpSession(yKey))
{
Memory<byte> privateId = new byte[ConfigureYubicoOtp.PrivateIdentifierSize];
Memory<byte> aesKey = new byte[ConfigureYubicoOtp.KeySize];
otp.ConfigureYubicoOtp(Slot.ShortPress)
.UseSerialNumberAsPublicId()
.GeneratePrivateId(privateId)
.GenerateKey(aesKey)
.Execute();
// Do whatever is needed with privateId and aesKey, and clear them.
}
The API does not own the object where secrets are stored. Because of this, you must still provide the place to put the generated information. Once you have done what is needed with the data, you should clear the memory where it is located.
Slot reconfiguration and access codes
If a slot is protected by an access code and you wish to reconfigure it with a Yubico OTP credential, you must provide
that access code with UseCurrentAccessCode()
during the ConfigureYubicoOtp()
operation. Otherwise, the operation
will fail and throw the following exception:
System.InvalidOperationException has been thrown. YubiKey Operation Failed. [Warning, state of non-volatile memory is unchanged.]
For more information on slot access codes, please see How to set, reset, remove, and use slot access codes.