Credential
The core component of the YubiHSM Auth application is the credential, which contains a cryptographic key set that is used to establish secure sessions with a YubiHSM 2. Once a credential is added (see Add Credential), it cannot be changed or modified in any way.
Adding or deleting a YubiHSM Auth credential requires a 16-byte management key.
Properties
Each credential contains four major properties. The cryptographic key set is the property used to calculate session keys. The other properties are used for identification (label) and access control (password and touch requirement).
Cryptographic key set
The YubiHSM 2 uses a secure channel protocol based on symmetric keys. This means that both parties (YubiKey and YubiHSM 2) must have identical copies of the key set in order to create a secure session.
The key set is a pair of AES-128 keys (each 128 bits in length):
- ENC: an AES-128 key used for deriving keys for command and response encryption
- MAC: an AES-128 key used for deriving keys for command and response authentication
The key set must be generated on the host machine and then stored on both the YubiKey (as a YubiHSM Auth credential) and the YubiHSM 2.
Label
This is a unique identifier for the credential. It is a UTF-8 encoded string and must be between 1 and 64 bytes long.
Password
This 16-byte password is always required when using the credential to calculate session keys. There is a limit of eight retries, after which the credential will be permanently deleted. The retry counter is reset when the correct password is supplied.
Touch requirement
Optionally, the credential may be configured to require touch when using the credential to calculate session keys. A touch requirement provides an additional layer of security by ensuring a user is physically present and in control of the YubiKey. The YubiKey has a capacitive touch sensor that cannot be controlled by software.