GetAes128SessionKeysCommand Class
Namespace: Yubico.YubiKey.YubiHsmAuth.Commands Assembly: Yubico.YubiKey.dllThe command class for calculating session keys from an AES-128 credential. These session keys are used to establish a secure session with a YubiHSM 2 device.
public sealed class GetAes128SessionKeysCommand : Object, IYubiKeyCommand<GetAes128SessionKeysResponse>Implements
Remarks
Some steps must be performed prior to calling this command. First, generate an 8-byte challenge, called the "host challenge", using a random or pseudorandom method. Next, the host challenge is sent to the YubiHSM 2 device using the yh_begin_create_session_ext method of the libyubihsm library, where the YubiHSM 2 device responds with an 8-byte "HSM device challenge". Both of these challenges are then used to construct this command.
There is a limit of 8 attempts to authenticate with the credential's password before the credential is deleted. Once the credential is deleted, it cannot be recovered. Supplying the correct password before the credential is deleted will reset the retry counter to 8.
If the credential requires touch (see TouchRequired), then the user must also touch the YubiKey as part of the authentication procedure. See GetAes128SessionKeysResponse for more information on response statuses.
The secure session protocol is based on Secure Channel Protocol 3 (SCP03). The session keys returned by the application are the Session Secure Channel Encryption Key (S-ENC), Secure Channel Message Authentication Code Key for Command (S-MAC), and Secure Channel Message Authentication Code Key for Response (S-RMAC). These session-specific keys are used to encrypt and authenticate commands and responses with a YubiHSM 2 device during a single session. The session keys are discarded afterwards.
The partner response class is GetAes128SessionKeysResponse.
Constructors
| Name | Description |
|---|---|
| GetAes128SessionKeysCommand(String, ReadOnlyMemory<Byte>, ReadOnlyMemory<Byte>, ReadOnlyMemory<Byte>) | Calculate session keys from an AES-128 credential. These session keys are used to encrypt and authenticate commands and responses with a YubiHSM 2 device during a single session. |
Fields
| Name | Description |
|---|---|
| RequiredChallengeLength | The challenge must be exactly 8 bytes. |
Properties
| Name | Description |
|---|---|
| Application | Gets the YubiKeyApplication (e.g. PIV, OATH, etc.) to which this command applies. |
| CredentialLabel | A short name or description of the Credential. |
Methods
| Name | Description |
|---|---|
| CreateCommandApdu() | Creates a well-formed CommandApdu to send to the YubiKey. |
| CreateResponseForApdu(ResponseApdu) | Creates the corresponding IYubiKeyResponse implementation for the current command. |