Summary: Try to change the management key.

Declaration: public bool TryChangeManagementKey(PivTouchPolicy touchPolicy)

Parameter touchPolicy: The touch policy for the new management key. If no argument is given, the policy will be PivTouchPolicy.Default.

Returns: true if the management key is changed, false if the user cancels key collection.

Exceptions:
- There is no KeyCollector delegate set.
- The YubiKey returned malformed data and authentication, either single or double, could not be performed.
- Mutual authentication was performed and the YubiKey was not authenticated.
Upon manufacture of a YubiKey, the PIV application begins with a default management key (see the User's Manual entry on the management key). This method changes it. Note that this method can be run at any time, either during the initial YubiKey setup to change from the default management key, or later, to change it again.
The management key is a Triple-DES key, so it is exactly 24 bytes (192 bits) of binary data, no more, no less. Note, however, that because of "parity" bits the actual bit strength of a Triple-DES key is 124 bits, and known attacks on Triple-DES reduce its effective strength further, to 112 bits.
In order to change it, the current management key must be authenticated. If it has already been authenticated in this session, this method will still make the appropriate calls to authenticate (it will perform mutual authentication). That is, if you want to change the management key, it is not necessary to call AuthenticateManagementKey first. You can, but it doesn't matter, because this method will call it again.
This method collects the current and new management keys using the KeyCollector delegate. If no such delegate has been set, this method throws an exception.

The KeyCollector has an option to cancel the operation. The TryAuthenticateManagementKey method calls the KeyCollector requesting the current management key, and it is possible that during the collection operations the user cancels. The KeyCollector then returns to this method noting the cancellation. In that case, this method returns false. Note that this is the only way to get a false return. Any other error and this method throws an exception. In other words, a false return from this method means the user canceled.
Along with the key data itself, a management key has a touch policy. See the User's Manual entry on the PIV touch policy.
This method takes in a touch policy argument, but the argument has a default value, so it is valid to pass no argument to this method. The default argument value is PivTouchPolicy.Default.
Note: touch policy for the management key is available only on YubiKey 4 and later. A YubiKey prior to 4 will ignore the touch policy and simply set the touch policy of the management key to the default.
The touch policy refers to whether use of the management key will require touch or not, and if so, always or cached. The policy is specified using the PivTouchPolicy enum. If the input is Never, the YubiKey will not require touch to complete an operation that requires the management key. Always means every operation requires touch, even if the YubiKey had been touched for an operation shortly before. If Cached, one touch will last for 15 seconds. That is, touch for an operation, and if a second operation requires the management key, and it is executing less than 15 seconds after the first, touch is not required. Default will use the YubiKey's default touch policy.
After this method is called, the management key will be authenticated for this session. That is, in order to change the key, the current management key must be authenticated. After changing, the new management key will be considered authenticated, and any subsequent operation that requires management key authentication in order to execute (e.g. generate a key pair) will work.
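The following is an added example, not code from the Yubico SDK documentation or from the SDK itself. It shows a KeyCollector delegate that supplies the current management key and a freshly generated 24-byte Triple-DES key to TryChangeManagementKey, cancels (the collector returns false, so the method returns false) if the SDK asks again after a rejected key, and zeroizes both keys when done. It assumes the Yubico .NET SDK types PivSession, KeyEntryData, KeyEntryRequest and YubiKeyDevice.FindAll from the Yubico.YubiKey namespaces; the ManagementKeyChanger class, the environment variable YK_PIV_MGMT_KEY_HEX and the output file for the new key are conventions of this example only.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Numerics;
using System.Security.Cryptography;
using Yubico.YubiKey;
using Yubico.YubiKey.Piv;

// Holds the current and the new management key for one change operation and
// acts as the PivSession.KeyCollector delegate. Both keys are zeroized on Dispose.
// (Example class, not part of the SDK.)
public sealed class ManagementKeyChanger : IDisposable
{
    private readonly byte[] _currentKey;
    private readonly byte[] _newKey;

    public ManagementKeyChanger(byte[] currentKey)
    {
        // A Triple-DES management key is exactly 24 bytes; reject anything else up front.
        if (currentKey is null || currentKey.Length != 24)
        {
            throw new ArgumentException("A Triple-DES management key must be exactly 24 bytes.", nameof(currentKey));
        }
        _currentKey = (byte[])currentKey.Clone();
        _newKey = GenerateTripleDesKey();
    }

    // Draw 24 random bytes and set odd parity on each byte, so that the least
    // significant bit of every byte is the conventional DES parity bit.
    public static byte[] GenerateTripleDesKey()
    {
        byte[] key = new byte[24];
        RandomNumberGenerator.Fill(key);
        for (int i = 0; i < key.Length; i++)
        {
            int keyBits = key[i] & 0xFE;                                    // the 7 key bits
            int parity = BitOperations.PopCount((uint)keyBits) % 2 == 0 ? 1 : 0;
            key[i] = (byte)(keyBits | parity);                             // odd parity overall
        }
        return key;
    }

    // Called by the SDK whenever it needs key material. Returning false cancels,
    // which is exactly what makes TryChangeManagementKey return false.
    public bool KeyCollector(KeyEntryData keyEntryData)
    {
        switch (keyEntryData.Request)
        {
            case KeyEntryRequest.Release:
                // The SDK no longer needs the key material; Dispose handles zeroization.
                return true;

            case KeyEntryRequest.ChangeManagementKey:
                if (keyEntryData.IsRetry)
                {
                    // The current key was not accepted; cancel rather than resubmit the same bytes.
                    return false;
                }
                keyEntryData.SubmitValues(_currentKey, _newKey);
                return true;

            case KeyEntryRequest.AuthenticatePivManagementKey:
                keyEntryData.SubmitValue(_currentKey);
                return true;

            default:
                // This collector serves management-key requests only; anything else is canceled.
                return false;
        }
    }

    public byte[] ExportNewKey() => (byte[])_newKey.Clone();

    public void Dispose()
    {
        CryptographicOperations.ZeroMemory(_currentKey);
        CryptographicOperations.ZeroMemory(_newKey);
    }
}

public static class ChangeManagementKeyExample
{
    public static void Main()
    {
        // Example conventions only: the current key is read as hex from an environment
        // variable and the new key is written to a file. A real deployment keeps both in a
        // vault, OS keychain or HSM, never in a plain file or a source tree.
        string currentHex = Environment.GetEnvironmentVariable("YK_PIV_MGMT_KEY_HEX")
            ?? throw new InvalidOperationException("Set YK_PIV_MGMT_KEY_HEX to the current 24-byte key in hex.");
        string newKeyPath = Environment.GetEnvironmentVariable("YK_PIV_NEW_KEY_FILE") ?? "new-mgmt-key.bin";

        IYubiKeyDevice yubiKey = YubiKeyDevice.FindAll().First();
        using var changer = new ManagementKeyChanger(Convert.FromHexString(currentHex));
        using var piv = new PivSession(yubiKey) { KeyCollector = changer.KeyCollector };

        // No prior AuthenticateManagementKey call is needed; the method authenticates itself.
        // PivTouchPolicy.Always requires a touch for every later management-key operation
        // (honored on YubiKey 4 and later; older keys fall back to their default policy).
        bool changed = piv.TryChangeManagementKey(PivTouchPolicy.Always);
        if (!changed)
        {
            Console.WriteLine("Key collection was canceled; the management key is unchanged.");
            return;
        }

        // The session now treats the new key as authenticated. Persist it before Dispose
        // zeroizes it: without it, no further management operation is possible.
        File.WriteAllBytes(newKeyPath, changer.ExportNewKey());
        Console.WriteLine($"Management key changed; new key written to {newKeyPath}.");
    }
}
```

The collector is the only place the page's "false means the user canceled" contract can be exercised: every other failure (no delegate set, malformed YubiKey data, failed mutual authentication) surfaces as an exception, so a caller that wants to distinguish "canceled" from "broken" checks the boolean first and lets exceptions propagate.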