Class SetManagementKeyCommand

Namespace

Yubico.YubiKey.Piv.Commands

Assembly

Yubico.YubiKey.dll

Set the value of the PIV management key.

public sealed class SetManagementKeyCommand : IYubiKeyCommand<SetManagementKeyResponse>

Inheritance

object

SetManagementKeyCommand

Implements

IYubiKeyCommand<SetManagementKeyResponse>

Remarks

The partner Response class is SetManagementKeyResponse.

The PIV management key is needed to perform some PIV operations, such as generating a key pair. See the User's Manual entry on PIV commands access control for information on when the management key is required.

Note that you need to authenticate the current PIV management key before setting it to a new value with this command.

Upon manufacture of a YubiKey, the PIV application begins with a default management key (see the User's Manual entry on the management key). This command changes it. Note that this command can be run at any time, either during initialization, later, to change from the default management key, or to change it again later on.

For YubiKeys before version 5.4.2, the management key is a Triple-DES key, so it is 24 byte long, no more, no less. It is binary. That's 192 bits. But note that because of "parity" bits, the actual bit strength of a Triple-DES key is 124 bits. And then further, there are attacks on Triple-DES that leave its effective bit strength at 112 bits.

Starting with YubiKey 5.4.2, it is possible to use an AES key as the management key. An AES key can be 128, 192, or 256 bits (16, 24, and 32 bytes respectively). If the YubiKey is version 5.4.2 or later, you can use this command to set the management key to any valid size of an AES key.

To determine if the YubiKey being set can have an AES management key, use HasFeature:

IYubiKeyDevice yubiKeyDevice;
bool aesCapable = yubiKeyDevice.HasFeature(YubiKeyFeature.PivManagementKeyAes);

Along with the key data itself, a management key has a touch policy.

Note: touch policy is available only on YubiKey 4 and later. A YubiKey prior to 4 will ignore the touch policy and simply perform its default.

The touch policy refers to whether use of the management key will require touch or not, and if so, always or cached. The policy is specified using the PivTouchPolicy enum. If the input is None or Never, the YubiKey will not require touch to complete an operation that requires the management key. Always means every operation requires touch, even if the YubiKey had been touched for an operation shortly before. If Cached, one touch will last for 15 seconds. That is, touch for an operation, and if a second operation requires the management key, and it is executing less than 15 seconds after the first, touch is not required. Default will use the YubiKey's default touch policy. Currently, for all YubiKeys, the default touch policy of management keys is Never.

When you pass the new management key to this class, it will copy a reference to the object passed in, it will not copy the value. Because of this, you cannot overwrite the key data until this object is done with it. It will be safe to overwrite the key data after calling connection.SendCommand. See the User's Manual entry on sensitive data for more information on this topic.

Example:

/* This example assumes the application has a method to collect a
 * management key.
 */
using System.Security.Cryptography;
byte[] mgmtKey;
IYubiKeyConnection connection = key.Connect(YubiKeyApplication.Piv);
mgmtKey = CollectMgmtKey();
var setManagementKeyCommand =
    new SetManagementKeyCommand(mgmtKey, PivTouchPolicy.Never, PivAlgorithm.AES192);
SetManagementKeyResponse setManagementKeyResponse =
     connection.SendCommand(setManagementKeyCommand);
if (setManagementKeyResponse != ResponseStatus.Success)
{
  // Handle error
}

CryptographicOperations.ZeroMemory(mgmtKey);

Constructors

SetManagementKeyCommand(ReadOnlyMemory<byte>, PivAlgorithm)

Initializes a new instance of the SetManagementKeyCommand class. This command takes the new management key as input and will set the TouchPolicy to the default state and the Algorithm to the algorithm provided.

public SetManagementKeyCommand(ReadOnlyMemory<byte> newKey, PivAlgorithm algorithm)

Parameters

newKey ReadOnlyMemory<byte>

The bytes that make up the new management key.

algorithm PivAlgorithm

The algorithm of the new management key.

Remarks

This constructor is provided for those developers who want to use the object initializer pattern. For example:

var command = new SetManagementKeyCommand(keyData)
{
    TouchPolicy = PivTouchPolicy.Cached,
    Algorithm = PivAlgorithm.AES192,
};

Valid algorithms are PivAlgorithm.TripleDes, PivAlgorithm.Aes128, PivAlgorithm.Aes192, and PivAlgorithm.Aes256. FIPS YubiKeys versions 5.7 and greater require PivAlgorithm.Aes192. YubiKeys with firmware versions prior to 5.4.2 can only use PivAlgorithm.TripleDes.

Note that you need to authenticate the current PIV management key before setting it to a new value with this command.

SetManagementKeyCommand(ReadOnlyMemory<byte>, PivTouchPolicy, PivAlgorithm)

Initializes a new instance of the SetManagementKeyCommand class. This command takes the new management key, the touch policy, and the algorithm as input.

public SetManagementKeyCommand(ReadOnlyMemory<byte> newKey, PivTouchPolicy touchPolicy, PivAlgorithm algorithm)

Parameters

newKey ReadOnlyMemory<byte>

The bytes that make up the new management key.

touchPolicy PivTouchPolicy

The touch policy for the management key.

algorithm PivAlgorithm

The algorithm of the new management key.

Remarks

Note that a touchPolicy of PivTouchPolicy.Default or None is equivalent to Never.

Valid algorithms are PivAlgorithm.TripleDes, PivAlgorithm.Aes128, PivAlgorithm.Aes192, and PivAlgorithm.Aes256. FIPS YubiKeys versions 5.7 and greater require PivAlgorithm.Aes192. YubiKeys with firmware versions prior to 5.4.2 can only use PivAlgorithm.TripleDes.

Note also that you need to authenticate the current PIV management key before setting it to a new value with this command.

Properties

Algorithm

The algorithm of the management key. On YubiKeys before version 5.4.2, only Triple-DES (PivAlgorithm.TripleDes) is supported. Beginning with 5.4.2, the Algorithm can be Aes128, Aes192, Aes256, or TripleDes. The default is TripleDes for keys with firmware 5.6.x and earlier and Aes192 for YubiKeys with firmware 5.7.x and later.

public PivAlgorithm Algorithm { get; set; }

Property Value

PivAlgorithm

Application

Gets the YubiKeyApplication to which this command belongs. For this command it's PIV.

public YubiKeyApplication Application { get; }

Property Value

YubiKeyApplication

YubiKeyApplication.Piv

TouchPolicy

The touch policy the key will have. None and Default are equivalent to Never.

public PivTouchPolicy TouchPolicy { get; set; }

Property Value

PivTouchPolicy

Methods

CreateCommandApdu()

Creates a well-formed CommandApdu to send to the YubiKey.

public CommandApdu CreateCommandApdu()

Returns

CommandApdu

A valid CommandApdu that is ready to be sent to the YubiKey, or passed along to additional encoders for further processing.

Remarks

This method will first perform validation on all of the parameters and data provided to it. The CommandAPDU it creates should contain all of the data payload for the command, even if it exceeds 65,535 bytes as specified by the ISO 7816-4 specification. The APDU will be properly chained by the device connection prior to being sent to the YubiKey, and the responses will collapsed into a single result.

CreateResponseForApdu(ResponseApdu)

Creates the corresponding IYubiKeyResponse implementation for the current command.

public SetManagementKeyResponse CreateResponseForApdu(ResponseApdu responseApdu)

Parameters

responseApdu ResponseApdu

The ResponseApdu returned by the YubiKey.

Returns

SetManagementKeyResponse

The implementation of IYubiKeyResponse that parses and presents ths response APDU.