Security Domain key management
The Security Domain supports management of both symmetric (SCP03) and asymmetric (SCP11) keys. This document describes the key types, their usage, and management operations.
For protocol details and secure channel implementation, see the Secure Channel Protocol (SCP) documentation.
Key types
The Security Domain manages two main types of keys:
- SCP03 Keys: Symmetric AES-128 keys used for secure messaging
- SCP11 Keys: Asymmetric NIST P-256 keys and X.509-certificates used for authentication and key agreement
SCP03 key management
Each SCP03 key set consists of three AES-128 keys that work together to secure communications:
| Key Type | Key ID (KID) | Purpose |
|---|---|---|
| Key-ENC | 0x1 | Channel encryption key for securing messages |
| Key-MAC | 0x2 | Channel MAC key for message authentication |
| Key-DEK | 0x3 | Data encryption key for sensitive data |
Managing SCP03 keys
// Put a new SCP03 key set
var kvn = 0x01;
var keyRef = KeyReference.Create(ScpKeyIds.Scp03, kvn);
var staticKeys = new StaticKeys(keyDataMac, keyDataEnc, keyDataDek);
session.PutKey(keyRef, staticKeys);
// Replace existing keys
var newKeys = new StaticKeys(newMacKey, newEncKey, newDekKey);
session.PutKey(keyRef, newKeys, kvnToReplace);
Key Version Numbers (KVN)
SCP03 key sets are identified by Key Version Numbers:
- Default key set: KVN=0xFF (publicly known, no security)
- Each YubiKey can store up to three custom SCP03 key sets
Note
When adding the first custom key set, the default keys are automatically removed.
SCP11 key management
SCP11 uses NIST P-256 elliptic curve cryptography. Keys can be:
- Generated on the YubiKey
- Imported from external sources
Generating keys
// Generate new EC key pair
var keyRef = KeyReference.Create(ScpKeyIds.Scp11B, keyVersionNumber);
var publicKey = session.GenerateEcKey(keyRef);
Importing keys
// Import existing private key
var privateKey = new ECPrivateKeyParameters(ecdsa);
session.PutKey(keyRef, privateKey);
// Import public key
var publicKey = new ECPublicKeyParameters(ecdsaPublic);
session.PutKey(keyRef, publicKey);
Key management operations
Querying key information
// Get information about installed keys
var keyInfo = session.GetKeyInformation();
foreach (var entry in keyInfo)
{
var keyRef = entry.Key; // KeyReference containing ID and Version
var components = entry.Value; // Dictionary of key components
Console.WriteLine($"Key {keyRef.Id:X2}:{keyRef.VersionNumber:X2}");
}
Deleting keys
Keys can be deleted individually or reset to factory defaults:
// Delete specific key
session.DeleteKey(keyRef);
// Reset all keys to factory defaults
session.Reset();
Warning
Resetting removes all custom keys and restores factory defaults (within the Security Domain). Ensure you have backups before resetting.
Key rotation
Here are some simple key rotation procedures:
SCP03 key rotation
// Authenticate with current keys
using var session = new SecurityDomainSession(yubiKeyDevice, scpParams);
// Replace with new keys
var newKeyRef = KeyReference.Create(ScpKeyIds.Scp03, keyVersionNumber);
session.PutKey(newKeyRef, newStaticKeys, kvnToReplace);
SCP11 key rotation
using var session = new SecurityDomainSession(yubiKeyDevice, scpParams);
// Generate new key pair
var newKeyRef = KeyReference.Create(ScpKeyIds.Scp11B, keyVersionNumber);
var newPublicKey = session.GenerateEcKey(newKeyRef, kvnToReplace);
Security considerations
Key Protection
- Use unique keys per device when possible
- Consider using SCP11 for mutual authentication
Key Version Management
- Track which keys are loaded on each YubiKey
- Track KVNs in use
Default Keys
- Default SCP03 keys provide no security
- Replace default keys in production environments
- Cannot retain default keys alongside custom keys
Important
The YubiKey provides no metadata about installed keys beyond what's available through GetKeyInformation(). Your
application must track additional key management details.