SetManagementKeyCommand Class

Namespace: Yubico.YubiKey.Piv.Commands Assembly: Yubico.YubiKey.dll

Set the value of the PIV management key.

public sealed class SetManagementKeyCommand : IYubiKeyCommand<SetManagementKeyResponse>

Inheritance object SetManagementKeyCommand

Implements

IYubiKeyCommand<SetManagementKeyResponse>

Remarks

The partner Response class is SetManagementKeyResponse.

The PIV management key is needed to perform some PIV operations, such as generating a key pair. See the User's Manual entry on PIV commands access control for information on when the management key is required.

Note that you need to authenticate the current PIV management key before setting it to a new value with this command.

Upon manufacture of a YubiKey, the PIV application begins with a default management key (see the User's Manual entry on the management key). This command changes it. Note that this command can be run at any time, either during initialization, later, to change from the default management key, or to change it again later on.

For YubiKeys before version 5.4.2, the management key is a Triple-DES key, so it is 24 byte long, no more, no less. It is binary. That's 192 bits. But note that because of "parity" bits, the actual bit strength of a Triple-DES key is 124 bits. And then further, there are attacks on Triple-DES that leave its effective bit strength at 112 bits.

Starting with YubiKey 5.4.2, it is possible to use an AES key as the management key. An AES key can be 128, 192, or 256 bits (16, 24, and 32 bytes respectively). If the YubiKey is version 5.4.2 or later, you can use this command to set the management key to any valid size of an AES key.

To determine if the YubiKey being set can have an AES management key, use HasFeature:

IYubiKeyDevice yubiKeyDevice;
bool aesCapable = yubiKeyDevice.HasFeature(YubiKeyFeature.PivManagementKeyAes);

Along with the key data itself, a management key has a touch policy.

Note: touch policy is available only on YubiKey 4 and later. A YubiKey prior to 4 will ignore the touch policy and simply perform its default.

The touch policy refers to whether use of the management key will require touch or not, and if so, always or cached. The policy is specified using the PivTouchPolicy enum. If the input is None or Never, the YubiKey will not require touch to complete an operation that requires the management key. Always means every operation requires touch, even if the YubiKey had been touched for an operation shortly before. If Cached, one touch will last for 15 seconds. That is, touch for an operation, and if a second operation requires the management key, and it is executing less than 15 seconds after the first, touch is not required. Default will use the YubiKey's default touch policy. Currently, for all YubiKeys, the default touch policy of management keys is Never.

When you pass the new management key to this class, it will copy a reference to the object passed in, it will not copy the value. Because of this, you cannot overwrite the key data until this object is done with it. It will be safe to overwrite the key data after calling connection.SendCommand. See the User's Manual entry on sensitive data for more information on this topic.

Example:

/* This example assumes the application has a method to collect a
 * management key.
 */
using System.Security.Cryptography;
byte[] mgmtKey;
IYubiKeyConnection connection = key.Connect(YubiKeyApplication.Piv);
mgmtKey = CollectMgmtKey();
var setManagementKeyCommand =
    new SetManagementKeyCommand(mgmtKey, PivTouchPolicy.Never, PivAlgorithm.AES192);
SetManagementKeyResponse setManagementKeyResponse =
     connection.SendCommand(setManagementKeyCommand);
if (setManagementKeyResponse != ResponseStatus.Success)
{
  // Handle error
}

CryptographicOperations.ZeroMemory(mgmtKey);

Constructors

Name	Description
SetManagementKeyCommand(ReadOnlyMemory<byte>)
SetManagementKeyCommand(ReadOnlyMemory<byte>, PivAlgorithm)	Initializes a new instance of the `SetManagementKeyCommand` class. This command takes the new management key as input and will set the `TouchPolicy` to the default state and the `Algorithm` to the algorithm provided.
SetManagementKeyCommand(ReadOnlyMemory<byte>, PivTouchPolicy)
SetManagementKeyCommand(ReadOnlyMemory<byte>, PivTouchPolicy, PivAlgorithm)	Initializes a new instance of the SetManagementKeyCommand class. This command takes the new management key, the touch policy, and the algorithm as input.

Properties

Name	Description
Algorithm	The algorithm of the management key. On YubiKeys before version 5.4.2, only Triple-DES (`PivAlgorithm.TripleDes`) is supported. Beginning with 5.4.2, the Algorithm can be `Aes128`, `Aes192`, `Aes256`, or `TripleDes`. The default is `TripleDes` for keys with firmware 5.6.x and earlier and `Aes192` for YubiKeys with firmware 5.7.x and later.
Application	Gets the YubiKeyApplication to which this command belongs. For this command it's PIV.
TouchPolicy	The touch policy the key will have. None and Default are equivalent to Never.

Methods

Name	Description
CreateCommandApdu()	Creates a well-formed CommandApdu to send to the YubiKey.
CreateResponseForApdu(ResponseApdu)	Creates the corresponding IYubiKeyResponse implementation for the current command.