Session keys are all dynamically generated at the start of each session, using the Secure Channel Encryption and MAC Transport Keys, as well as the challenge sent from the client at the session start. For more details, refer to the GP SCP03 spec, section 4.1.5.

Every command sent over a secure channel between a client or CMS and a YubiKey is encrypted with the Session Secure Channel Encryption Key. Further, each command from the client has a MAC generated from the contents of the encrypted command APDU and the Session MAC key for Command. This MAC value is used to verify the authenticity of the command sent. Each command MAC value is based on the previous command MAC, forming a chain that can be verified to ensure that the data was not tampered with in transit and that a command is not being replayed.

The Response MAC is generated using the encrypted response APDU from the YubiKey and the Session MAC key for Response. Each Response MAC also includes a value derived from the original command MAC sent from the client, providing verification that the data included in the response corresponds to the last command sent.

YubiKey Secure Channel Initialize Update Flow

Step 1: When a client starts the process of establishing a secure channel with the YubiKey, it selects the Transport Key set on the YubiKey to be used and generates a unique challenge. This challenge will be used by the client to derive the session keys which will be utilized going forward. The client sends the Initialize Update command, which includes the challenge and the Transport Key set identifier, to the YubiKey CCID function it wants to establish a secure channel with. Upon receiving an Initialize Update command when a client is starting a session with any CCID-facing function, the YubiKey directs communication between the client and the YubiKey to the Secure Channel function for the remainder of the session.
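
The command and response MAC chaining described above can be seen in a short simulation, added here as an illustration and not taken from Yubico or the GP SCP03 spec. Assumptions: HMAC-SHA-256 truncated to 16 bytes stands in for SCP03's AES-CMAC so that only the Python standard library is needed, encryption is left out (the byte strings stand for already-encrypted APDUs), and the Channel class, keys and APDU bytes are constructed for the example.

```python
import hashlib
import hmac

MAC_LEN = 8  # number of MAC bytes sent on the wire in this example

def _mac(key, data):
    # Assumption: HMAC-SHA-256 cut to 16 bytes stands in for SCP03's AES-CMAC.
    return hmac.new(key, data, hashlib.sha256).digest()[:16]

class Channel:
    """One endpoint's view of the command/response MAC chain (hypothetical helper)."""
    def __init__(self, s_mac, s_rmac):
        self.s_mac, self.s_rmac = s_mac, s_rmac
        self.chain = bytes(16)  # chaining value: full MAC of the last accepted command

    def wrap(self, apdu):
        """Client side: the MAC covers the previous chaining value plus the command."""
        self.chain = _mac(self.s_mac, self.chain + apdu)
        return apdu + self.chain[:MAC_LEN]

    def receive(self, wrapped, reply):
        """Card side: verify the command MAC, then MAC the reply; None if rejected."""
        apdu, tag = wrapped[:-MAC_LEN], wrapped[-MAC_LEN:]
        full = _mac(self.s_mac, self.chain + apdu)
        if not hmac.compare_digest(full[:MAC_LEN], tag):
            return None  # in this example the chain does not advance on a bad MAC
        self.chain = full
        return reply + _mac(self.s_rmac, self.chain + reply)[:MAC_LEN]

    def check_response(self, resp):
        """Client side: the response MAC must be bound to the last command's MAC."""
        body, tag = resp[:-MAC_LEN], resp[-MAC_LEN:]
        return hmac.compare_digest(_mac(self.s_rmac, self.chain + body)[:MAC_LEN], tag)

def demo():
    s_mac, s_rmac = b"\x11" * 16, b"\x22" * 16  # constructed session MAC keys
    client, card = Channel(s_mac, s_rmac), Channel(s_mac, s_rmac)
    c1 = client.wrap(bytes.fromhex("84a4040000"))  # constructed command bytes
    r1 = card.receive(c1, b"\x90\x00")
    out = {"in_order": client.check_response(r1)}
    out["replayed"] = card.receive(c1, b"\x90\x00") is not None  # same bytes again
    c2 = client.wrap(bytes.fromhex("84cb3fff00"))
    out["tampered"] = card.receive(c2[:1] + b"\xff" + c2[2:], b"\x90\x00") is not None
    out["genuine_next"] = card.receive(c2, b"\x90\x00") is not None
    out["stale_response"] = client.check_response(r1)  # r1 offered as the reply to c2
    return out

if __name__ == "__main__":
    print(demo())
```

The replayed command fails because the card's chaining value has already moved past it, and the stale response fails because its MAC was computed over the first command's MAC, not the second's.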