Class GetAes128SessionKeysCommand
- Namespace
- Yubico.YubiKey.YubiHsmAuth.Commands
- Assembly
- Yubico.YubiKey.dll
The command class for calculating session keys from an AES-128 credential. These session keys are used to establish a secure session with a YubiHSM 2 device.
public sealed class GetAes128SessionKeysCommand : IYubiKeyCommand<GetAes128SessionKeysResponse>
- Inheritance
- object → GetAes128SessionKeysCommand
- Implements
- IYubiKeyCommand<GetAes128SessionKeysResponse>
Remarks
Some steps must be performed prior to calling this command. First, generate an 8-byte challenge, called the "host challenge", using a random or pseudorandom method. Next, the host challenge is sent to the YubiHSM 2 device using the yh_begin_create_session_ext method of the libyubihsm library, where the YubiHSM 2 device responds with an 8-byte "HSM device challenge". Both of these challenges are then used to construct this command.
There is a limit of 8 attempts to authenticate with the credential's password before the credential is deleted. Once the credential is deleted, it cannot be recovered. Supplying the correct password before the credential is deleted will reset the retry counter to 8.
If the credential requires touch (see TouchRequired), then the user must also touch the YubiKey as part of the authentication procedure. See GetAes128SessionKeysResponse for more information on response statuses.
The secure session protocol is based on Secure Channel Protocol 3 (SCP03). The session keys returned by the application are the Session Secure Channel Encryption Key (S-ENC), Secure Channel Message Authentication Code Key for Command (S-MAC), and Secure Channel Message Authentication Code Key for Response (S-RMAC). These session-specific keys are used to encrypt and authenticate commands and responses with a YubiHSM 2 device during a single session. The session keys are discarded afterwards.
The partner response class is GetAes128SessionKeysResponse.
Constructors
GetAes128SessionKeysCommand(string, ReadOnlyMemory<byte>, ReadOnlyMemory<byte>, ReadOnlyMemory<byte>)
Calculate session keys from an AES-128 credential. These session keys are used to encrypt and authenticate commands and responses with a YubiHSM 2 device during a single session.
public GetAes128SessionKeysCommand(string credentialLabel, ReadOnlyMemory<byte> credentialPassword, ReadOnlyMemory<byte> hostChallenge, ReadOnlyMemory<byte> hsmDeviceChallenge)
Parameters
credentialLabel
- string
The label of the credential for calculating the session keys. The string must meet the same requirements as Label.
credentialPassword
- ReadOnlyMemory<byte>
The password of the credential for calculating the session keys. It must meet the same requirements as CredentialPassword.
hostChallenge
- ReadOnlyMemory<byte>
The 8-byte challenge generated by the host.
hsmDeviceChallenge
- ReadOnlyMemory<byte>
The 8-byte challenge generated by the YubiHSM 2 device.
Remarks
The caller is responsible for controlling the buffers which hold the credentialPassword, hostChallenge, and hsmDeviceChallenge. The caller should overwrite the data after the command is sent. The user's manual entry "Sensitive Data" has further details and recommendations for handling this kind of data.
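The steps from the class Remarks and the buffer handling described above, combined in an added C# example (not code from the SDK or its documentation). It assumes a connection already opened to the YubiHSM Auth application, draws the host challenge from the OS CSPRNG, and takes beginHsmSession, a hypothetical caller-supplied wrapper around yh_begin_create_session_ext.

```csharp
using System;
using System.Security.Cryptography;
using Yubico.YubiKey;
using Yubico.YubiKey.YubiHsmAuth.Commands;

public static class SessionKeyExample
{
    // beginHsmSession is hypothetical: a caller-supplied wrapper around libyubihsm's
    // yh_begin_create_session_ext that takes the host challenge and returns the
    // 8-byte HSM device challenge.
    public static GetAes128SessionKeysResponse RequestSessionKeys(
        IYubiKeyConnection connection,   // assumed: connected to the YubiHSM Auth application
        string credentialLabel,
        byte[] credentialPassword,       // caller-owned buffer; wiped before this method returns
        Func<byte[], byte[]> beginHsmSession)
    {
        byte[] hostChallenge = new byte[GetAes128SessionKeysCommand.RequiredChallengeLength];
        byte[] hsmDeviceChallenge = Array.Empty<byte>();
        try
        {
            // Step 1: generate the host challenge.
            RandomNumberGenerator.Fill(hostChallenge);

            // Step 2: send it to the YubiHSM 2 and receive the HSM device challenge.
            hsmDeviceChallenge = beginHsmSession(hostChallenge) ?? Array.Empty<byte>();
            if (hsmDeviceChallenge.Length != GetAes128SessionKeysCommand.RequiredChallengeLength)
            {
                // Fail before touching the YubiKey so no password attempt is spent.
                throw new InvalidOperationException("HSM device challenge must be exactly 8 bytes.");
            }

            // Step 3: build the command from both challenges and send it.
            var command = new GetAes128SessionKeysCommand(
                credentialLabel, credentialPassword, hostChallenge, hsmDeviceChallenge);
            return connection.SendCommand(command);
        }
        finally
        {
            // Overwrite the sensitive inputs whether or not the command succeeded.
            CryptographicOperations.ZeroMemory(credentialPassword);
            CryptographicOperations.ZeroMemory(hostChallenge);
            CryptographicOperations.ZeroMemory(hsmDeviceChallenge);
        }
    }
}
```

Check the status on the returned response before reading the session keys; a wrong password counts against the 8-attempt limit.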
Fields
RequiredChallengeLength
The challenge must be exactly 8 bytes.
public const int RequiredChallengeLength = 8
Field Value
- int
Remarks
The host challenge and HSM device challenge are both supplied to the constructor, and each challenge must meet this length requirement.
Properties
Application
Gets the YubiKeyApplication (e.g. PIV, OATH, etc.) to which this command applies.
public YubiKeyApplication Application { get; }
Property Value
- YubiKeyApplication
YubiKeyApplication.Otp, YubiKeyApplication.Piv, etc.
CredentialLabel
A short name or description of the Credential.
public string CredentialLabel { get; set; }
Property Value
- string
Remarks
The string only contains characters that can be encoded with UTF-8, and its UTF-8 byte count is between MinLabelByteCount and MaxLabelByteCount. Non-printing characters are allowed, as long as they can be encoded with UTF-8. For example, null (UTF-8: 0x00) and Right-To-Left Mark U+200F (UTF-8: 0xE2 0x80 0x8F) would be acceptable.
The System.Text.UTF8Encoding class contains methods such as System.Text.UTF8Encoding.GetByteCount(string) which can be used to validate the string prior to attempting to set it here. It is recommended to use the constructor System.Text.UTF8Encoding.UTF8Encoding(bool, bool) so error detection is enabled for invalid characters.
Exceptions
- ArgumentNullException
Thrown when the supplied string is null.
- ArgumentOutOfRangeException
Thrown when the string's UTF-8 byte count does not meet the length parameters MinLabelByteCount and MaxLabelByteCount.
- ArgumentException
Thrown when there is a character that cannot be encoded with UTF-8. The exact exception may be derived from ArgumentException.
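A pre-check for labels along the lines recommended above, as an added C# example (not the SDK's own validation). The byte bounds are passed in by the caller because this page names MinLabelByteCount and MaxLabelByteCount without giving their values; TryValidateLabel is a hypothetical helper name.

```csharp
using System;
using System.Text;

public static class LabelCheck
{
    // throwOnInvalidBytes: true makes the encoder throw on input it cannot encode
    // (for example an unpaired surrogate) instead of silently substituting U+FFFD.
    private static readonly UTF8Encoding StrictUtf8 =
        new UTF8Encoding(encoderShouldEmitUTF8Identifier: false, throwOnInvalidBytes: true);

    public static bool TryValidateLabel(string label, int minBytes, int maxBytes, out string reason)
    {
        if (label is null)
        {
            reason = "label is null";
            return false;
        }

        int byteCount;
        try
        {
            // Counts encoded bytes, not chars: U+200F alone is 1 char but 3 bytes.
            byteCount = StrictUtf8.GetByteCount(label);
        }
        catch (ArgumentException) // EncoderFallbackException derives from ArgumentException
        {
            reason = "label contains a character that cannot be encoded as UTF-8";
            return false;
        }

        if (byteCount < minBytes || byteCount > maxBytes)
        {
            reason = $"UTF-8 byte count {byteCount} is outside [{minBytes}, {maxBytes}]";
            return false;
        }

        reason = string.Empty;
        return true;
    }
}
```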
Methods
CreateCommandApdu()
Creates a well-formed CommandApdu to send to the YubiKey.
public CommandApdu CreateCommandApdu()
Returns
- CommandApdu
A valid CommandApdu that is ready to be sent to the YubiKey, or passed along to additional encoders for further processing.
Remarks
This method will first perform validation on all of the parameters and data provided to it. The CommandApdu it creates should contain all of the data payload for the command, even if it exceeds 65,535 bytes as specified by the ISO 7816-4 specification. The APDU will be properly chained by the device connection prior to being sent to the YubiKey, and the responses will be collapsed into a single result.
CreateResponseForApdu(ResponseApdu)
Creates the corresponding IYubiKeyResponse implementation for the current command.
public GetAes128SessionKeysResponse CreateResponseForApdu(ResponseApdu responseApdu)
Parameters
responseApdu
- ResponseApdu
The ResponseApdu returned by the YubiKey.
Returns
- GetAes128SessionKeysResponse
The implementation of IYubiKeyResponse that parses and presents this response APDU.