SetManagementKeyCommand Class
Namespace: Yubico.YubiKey.Piv.Commands
Assembly: Yubico.YubiKey.dll

Set the value of the PIV management key.
public sealed class SetManagementKeyCommand : Object, IYubiKeyCommand<SetManagementKeyResponse>
Implements
IYubiKeyCommand<SetManagementKeyResponse>
Remarks
The partner Response class is SetManagementKeyResponse.
The PIV management key is needed to perform some PIV operations, such as generating a key pair. See the User's Manual entry on PIV commands access control for information on when the management key is required.
Note that you need to authenticate the current PIV management key before setting it to a new value with this command.
Upon manufacture of a YubiKey, the PIV application begins with a default management key (see the User's Manual entry on the management key). This command changes it. The command can be run at any time: during initialization, to replace the default management key, or later, to change it again.
For YubiKeys before version 5.4.2, the management key is a Triple-DES key, so it is exactly 24 bytes of binary data, no more, no less. That is 192 bits. Note, however, that 24 of those bits are parity bits, so the actual key strength of a Triple-DES key is 168 bits, and meet-in-the-middle attacks on Triple-DES reduce its effective strength further, to 112 bits.
Starting with YubiKey 5.4.2, it is possible to use an AES key as the management key. An AES key can be 128, 192, or 256 bits (16, 24, and 32 bytes respectively). If the YubiKey is version 5.4.2 or later, you can use this command to set the management key to any valid size of an AES key.
To determine if the YubiKey being set can have an AES management key, use HasFeature:

IYubiKeyDevice yubiKeyDevice;
bool aesCapable = yubiKeyDevice.HasFeature(YubiKeyFeature.PivManagementKeyAes);
Along with the key data itself, a management key has a touch policy.

Note: touch policy is available only on YubiKey 4 and later. A YubiKey prior to 4 will ignore the touch policy and simply perform its default.

The touch policy refers to whether use of the management key will require touch or not, and if so, always or cached. The policy is specified using the PivTouchPolicy enum. If the input is None or Never, the YubiKey will not require touch to complete an operation that requires the management key. Always means every operation requires touch, even if the YubiKey had been touched for an operation shortly before. If Cached, one touch will last for 15 seconds. That is, touch for an operation, and if a second operation requires the management key and it is executing less than 15 seconds after the first, touch is not required. Default will use the YubiKey's default touch policy. Currently, for all YubiKeys, the default touch policy of management keys is Never. Keep in mind that with Never, anyone who holds a copy of the key bytes and can reach the YubiKey over USB can perform management operations without a physical-presence check; Always or Cached adds that check.
When you pass the new management key to this class, it will copy a reference to the object passed in; it will not copy the value. Because of this, you cannot overwrite the key data until this object is done with it. It will be safe to overwrite the key data after calling connection.SendCommand. See the User's Manual entry on sensitive data for more information on this topic.
Example:
/* This example assumes the application has a method to collect a
 * management key, and that the current management key has already been
 * authenticated on this connection (see the note above).
 */
using System.Security.Cryptography;
using Yubico.YubiKey;
using Yubico.YubiKey.Piv;
using Yubico.YubiKey.Piv.Commands;

// 'key' is the IYubiKeyDevice the application has selected.
IYubiKeyConnection connection = key.Connect(YubiKeyApplication.Piv);
byte[] mgmtKey = CollectMgmtKey();
try
{
    var setManagementKeyCommand =
        new SetManagementKeyCommand(mgmtKey, PivTouchPolicy.Never, PivAlgorithm.Aes192);
    SetManagementKeyResponse setManagementKeyResponse =
        connection.SendCommand(setManagementKeyCommand);
    if (setManagementKeyResponse.Status != ResponseStatus.Success)
    {
        // Handle error (for example, AuthenticationRequired if the
        // current management key was not authenticated first)
    }
}
finally
{
    // The command only holds a reference to mgmtKey, so clear it
    // after SendCommand has returned, on every path.
    CryptographicOperations.ZeroMemory(mgmtKey);
}
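A fuller rotation sequence, added here as an example and not taken from the SDK documentation or from Yubico's own code: it first authenticates the current management key using the SDK's InitializeAuthenticateManagementKeyCommand / CompleteAuthenticateManagementKeyCommand pair (the constructor overload that takes the current key's algorithm is assumed to be present in the SDK version in use), chooses AES-256 or Triple-DES based on HasFeature, generates the new key with a CSPRNG at the length the chosen algorithm requires, and zeroes key material on every exit path. The type and method names ManagementKeyRotation, KeyLengthFor, PickAlgorithm and Rotate are this example's own.

```csharp
// Added example (not part of the Yubico SDK or its documentation).
using System;
using System.Security.Cryptography;
using Yubico.YubiKey;
using Yubico.YubiKey.Piv;
using Yubico.YubiKey.Piv.Commands;

public static class ManagementKeyRotation
{
    // Byte length the YubiKey expects for each management key algorithm:
    // 24 bytes for Triple-DES; 16, 24 or 32 bytes for AES.
    public static int KeyLengthFor(PivAlgorithm algorithm) => algorithm switch
    {
        PivAlgorithm.TripleDes => 24,
        PivAlgorithm.Aes128 => 16,
        PivAlgorithm.Aes192 => 24,
        PivAlgorithm.Aes256 => 32,
        _ => throw new ArgumentException("Not a management key algorithm.", nameof(algorithm)),
    };

    // Prefer AES-256 when the firmware supports AES management keys (5.4.2 and
    // later); otherwise fall back to the only algorithm older firmware accepts.
    public static PivAlgorithm PickAlgorithm(IYubiKeyDevice device) =>
        device.HasFeature(YubiKeyFeature.PivManagementKeyAes)
            ? PivAlgorithm.Aes256
            : PivAlgorithm.TripleDes;

    // Authenticate the current key, then replace it with a freshly generated
    // random key. Consumes currentKey (it is zeroed before returning). Returns
    // the new key, which the caller must store and then zero. Throws on any
    // failure so a half-done rotation is never reported as success.
    public static byte[] Rotate(IYubiKeyDevice device,
                                byte[] currentKey,
                                PivAlgorithm currentAlgorithm,
                                PivTouchPolicy touchPolicy)
    {
        PivAlgorithm newAlgorithm = PickAlgorithm(device);
        byte[] newKey = new byte[KeyLengthFor(newAlgorithm)];
        RandomNumberGenerator.Fill(newKey);

        using IYubiKeyConnection connection = device.Connect(YubiKeyApplication.Piv);
        try
        {
            // Step 1: authenticate the current management key. SetManagementKeyCommand
            // is rejected until this has succeeded on the connection. Mutual
            // authentication (true) also verifies that the YubiKey knows the key.
            // Assumption: this overload taking the key algorithm exists in the SDK in use.
            var initCommand = new InitializeAuthenticateManagementKeyCommand(true, currentAlgorithm);
            InitializeAuthenticateManagementKeyResponse initResponse = connection.SendCommand(initCommand);
            if (initResponse.Status != ResponseStatus.Success)
            {
                throw new InvalidOperationException("Could not start authentication: " + initResponse.StatusMessage);
            }

            var completeCommand = new CompleteAuthenticateManagementKeyCommand(initResponse, currentKey);
            CompleteAuthenticateManagementKeyResponse completeResponse = connection.SendCommand(completeCommand);
            if (completeResponse.Status != ResponseStatus.Success)
            {
                throw new InvalidOperationException("Current management key rejected: " + completeResponse.StatusMessage);
            }

            // Step 2: install the new key. The command keeps a reference to newKey,
            // so it must not be zeroed before SendCommand returns.
            var setCommand = new SetManagementKeyCommand(newKey, touchPolicy, newAlgorithm);
            SetManagementKeyResponse setResponse = connection.SendCommand(setCommand);
            if (setResponse.Status != ResponseStatus.Success)
            {
                throw new InvalidOperationException("Setting the management key failed: " + setResponse.StatusMessage);
            }

            return newKey;
        }
        catch
        {
            // On failure the YubiKey still holds the old key; the unused new key is dropped.
            CryptographicOperations.ZeroMemory(newKey);
            throw;
        }
        finally
        {
            // The old key is no longer needed once the command sequence is over.
            CryptographicOperations.ZeroMemory(currentKey);
        }
    }
}
```

Call it as `byte[] fresh = ManagementKeyRotation.Rotate(device, currentKey, PivAlgorithm.TripleDes, PivTouchPolicy.Cached);`, write `fresh` to wherever the application keeps the key, and then `CryptographicOperations.ZeroMemory(fresh)`. The algorithm of the current key has to be supplied by the caller because authentication must name it; if the wrong algorithm is given, the first step fails and nothing on the YubiKey changes.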
Constructors
Name | Description |
---|---|
SetManagementKeyCommand(ReadOnlyMemory<Byte>) | Initializes a new instance of the |
SetManagementKeyCommand(ReadOnlyMemory<Byte>, PivTouchPolicy) | Initializes a new instance of the SetManagementKeyCommand class. This command takes the new management key and the touch policy as input. |
SetManagementKeyCommand(ReadOnlyMemory<Byte>, PivTouchPolicy, PivAlgorithm) | Initializes a new instance of the SetManagementKeyCommand class. This command takes the new management key, the touch policy, and the algorithm as input. |
Properties
Name | Description |
---|---|
Algorithm | The algorithm of the management key. On YubiKeys before version 5.4.2, only Triple-DES is supported. |
Application | Gets the YubiKeyApplication to which this command belongs. For this command it's PIV. |
TouchPolicy | The touch policy the key will have. None and Default are equivalent to Never. |
Methods
Name | Description |
---|---|
CreateCommandApdu() | Creates a well-formed CommandApdu to send to the YubiKey. |
CreateResponseForApdu(ResponseApdu) | Creates the corresponding IYubiKeyResponse implementation for the current command. |