SecurityDomainSession Class
Namespace: Yubico.YubiKey.Scp
Assembly: Yubico.YubiKey.dll

Create a session for managing the Secure Channel Protocol (SCP) configuration of a YubiKey.
public sealed class SecurityDomainSession : ApplicationSession, IDisposable
Implements
IDisposable
Remarks
See the User's Manual entry on SCP.
The Security Domain session provides secure communication and key management capabilities through both SCP03 (symmetric) and SCP11 (asymmetric) protocols. This session can be used in two ways:
1. For direct SCP management:
- Managing SCP03 symmetric key sets (ENC, MAC, DEK)
- Managing SCP11 asymmetric keys (EC public/private key pairs)
- Configuring secure messaging parameters

Example:
```csharp
using (var scp = new SecurityDomainSession(yubiKeyDevice, scpKeyParameters))
{
    // Manage SCP configuration
}
```

2. As a background security layer:
- Secures communication (encrypted channel) with other applications (e.g., PIV, OTP, OATH, YubiHSM)
- Provides authenticity and confidentiality (encrypted channel) for remote operations

Example:
```csharp
using (var pivSession = new PivSession(yubiKeyDevice, scpKeyParameters))
{
    // Perform PIV operations with secure messaging
}
```
The session supports various key management operations:
- Loading and replacing SCP03 key sets
- Storing EC private keys (NIST P-256)
- Storing EC public keys (NIST P-256)
- Managing key certificates and metadata
- Deleting keys and resetting configurations
The constructor will throw an exception if:
- The YubiKey does not support SCP
- The provided key parameters are incorrect
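The factory-default SCP03 key set restored by Reset() is publicly known, so a secure channel built on it authenticates nothing; the first management step on a production device is to replace it. The following is an added example (not code from the SDK documentation) that rotates the default set to freshly generated per-device keys with PutKey(KeyReference, StaticKeys, Int32) and then confirms the change by re-authenticating with the new keys and inspecting GetKeyInformation(). Members not listed in the tables above (Scp03KeyParameters.DefaultKey, ScpKeyIds.Scp03, the KeyReference, StaticKeys and Scp03KeyParameters constructors, YubiKeyDevice.FindAll(), the shape of the GetKeyInformation() result) and the replaceKvn value are assumptions about the Yubico .NET SDK to be checked against the reference.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using Yubico.YubiKey;
using Yubico.YubiKey.Scp;

public static class ScpKeyRotation
{
    // One fresh 16-byte AES key each for ENC, MAC and DEK. The caller must
    // persist the returned set in a secret store: losing it means losing
    // authenticated access until Reset(), which wipes the whole domain.
    private static byte[] NewAesKey() => RandomNumberGenerator.GetBytes(16);

    public static StaticKeys RotateDefaultScp03Keys(IYubiKeyDevice device)
    {
        byte[] enc = NewAesKey();
        byte[] mac = NewAesKey();
        byte[] dek = NewAesKey();

        // Assumed constructor order (mac, enc, dek); verify against the SDK.
        var newKeys = new StaticKeys(mac, enc, dek);

        // Assumed: key id ScpKeyIds.Scp03 with KVN 0x01; the default set is KVN 0xFF.
        var newKeyRef = new KeyReference(ScpKeyIds.Scp03, 0x01);

        // Authenticate with the well-known default key (assumed Scp03KeyParameters.DefaultKey)
        // and load the new set. replaceKvn 0 (assumed) adds a set rather than replacing
        // a numbered one; the card discards the default set once a real set exists.
        using (var scp = new SecurityDomainSession(device, Scp03KeyParameters.DefaultKey))
        {
            scp.PutKey(newKeyRef, newKeys, 0);
        }

        // Check: a session under the new keys must open, and the default KVN must be gone.
        // Assumed: GetKeyInformation() is keyed by KeyReference with Id and VersionNumber.
        using (var scp = new SecurityDomainSession(device, new Scp03KeyParameters(newKeyRef, newKeys)))
        {
            var info = scp.GetKeyInformation();
            bool defaultStillPresent = info.Keys.Any(
                k => k.Id == ScpKeyIds.Scp03 && k.VersionNumber == 0xFF);
            if (defaultStillPresent)
                throw new InvalidOperationException("Default SCP03 key set is still present.");
        }

        return newKeys;
    }

    // Usage: rotate the first connected YubiKey (assumed YubiKeyDevice.FindAll()).
    public static void Main() => RotateDefaultScp03Keys(YubiKeyDevice.FindAll().First());
}
```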
Constructors
Name | Description |
---|---|
SecurityDomainSession(IYubiKeyDevice) | Create an unauthenticated instance of SecurityDomainSession, the object that manages the security domain on the YubiKey. |
SecurityDomainSession(IYubiKeyDevice, ScpKeyParameters) | Create an instance of SecurityDomainSession, the object that manages the security domain on the YubiKey. |
Methods
Name | Description |
---|---|
ClearAllowList(KeyReference) | Clears the allow list for the given KeyReference. |
DeleteKey(KeyReference, Boolean) | Delete one (or more) keys matching the specified criteria. |
GenerateEcKey(KeyReference, Byte) | Generate a new EC key pair for the given key reference. |
GetCardRecognitionData() | Retrieves the card recognition data from the YubiKey device. |
GetCertificates(KeyReference) | Retrieves the certificates associated with the given key reference. |
GetData(Int32, Nullable<ReadOnlyMemory<Byte>>) | Gets data from the YubiKey associated with the given tag. |
GetKeyInformation() | Retrieves the key information stored in the YubiKey and returns it in a dictionary format. |
GetSupportedCaIdentifiers(Boolean, Boolean) | Gets the supported CA identifiers for KLOC and/or KLCC. |
PutKey(KeyReference, ECPrivateKeyParameters, Int32) | Puts an EC private key onto the YubiKey using the Security Domain. |
PutKey(KeyReference, ECPublicKeyParameters, Int32) | Puts an EC public key onto the YubiKey using the Security Domain. |
PutKey(KeyReference, StaticKeys, Int32) | Puts an SCP03 key set onto the YubiKey using the Security Domain. |
Reset() | Perform a factory reset of the Security Domain. This will remove all keys and associated data, as well as restore the default SCP03 static keys, and generate a new (attestable) SCP11b key. |
StoreAllowlist(KeyReference, IReadOnlyCollection<String>) | Stores an allowlist of certificate serial numbers for a specified key reference using the GlobalPlatform STORE DATA command. |
StoreCaIssuer(KeyReference, ReadOnlyMemory<Byte>) | Store the SKI (Subject Key Identifier) for the CA of a given key. Requires off-card entity verification. |
StoreCertificates(KeyReference, IReadOnlyList<X509Certificate2>) | Store a list of certificates associated with the given key reference using the GlobalPlatform STORE DATA command. |
StoreData(ReadOnlyMemory<Byte>) | Stores data in the Security Domain or targeted Application on the YubiKey using the GlobalPlatform STORE DATA command. |