Yubico has implemented a subset of the SCP03 (GlobalPlatform Secure Channel Protocol 03) secure channel specification: specifically, only the most secure variant, which includes both command and response message authentication codes (MAC) and encryption.

At the highest level, implementing a secure channel consists of providing overhearing and tampering resistance for information sent between an external service, such as a Credential Management Solution (CMS), and a smart card.

Overhearing resistance is accomplished by AES encryption of all commands sent and received, using a unique, private symmetric AES key.

Tamper resistance is provided by sending a securely encrypted MAC of both the commands and their associated responses, using an AES key unique to each session.

Since these protections are applied to the data at the endpoints of the communication channel, a standard CCID interface can be used without modification, supporting native flows in Windows, Linux and other systems.

On the YubiKey, all of the secure channel operations occur within the secure cryptographic processor, so the plaintext of the communication is never exposed to outside observers.

A transport key set is made of 3 AES keys:

- Secure Channel Encryption Key (KEY-ENC)
- Secure Channel Message Authentication Code Key (KEY-MAC)

The transport key sets used for establishing the secure channels are protected in the SCP03 security domain in the secure element. A transport key set contains three long-lived keys, imported from an external source. When a session is established, the session keys are derived from the long-lived transport key set.

The YubiKey security domain can store three concurrent long-lived transport key sets. In order to import new transport key sets, a secure channel must first be established with the security domain. This has to be done with a previously loaded transport key set or the default transport key set.
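The session-key derivation and per-command MAC described above, as an added Go example that is not Yubico's or GlobalPlatform's code. The KDF layout (NIST SP 800-108 counter mode with AES-CMAC as the PRF, derivation constants 0x04 for S-ENC and 0x06 for S-MAC) and the C-MAC chaining follow the GlobalPlatform SCP03 specification as I understand it and should be checked against the spec; the static key, challenges and APDU bytes are constructed, and the S-ENC encryption step is left out, so the block shows only how the MAC key is bound to a session and how each command's MAC chains to the previous one.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// SCP03 derivation constants for S-ENC and S-MAC (assumed from the spec, see lead-in).
const DerivSENC, DerivSMAC byte = 0x04, 0x06

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// dbl doubles a 128-bit block in GF(2^128), as CMAC subkey generation requires.
func dbl(in []byte) []byte {
	out := make([]byte, 16)
	var carry byte
	for i := 15; i >= 0; i-- {
		out[i] = in[i]<<1 | carry
		carry = in[i] >> 7
	}
	if carry != 0 {
		out[15] ^= 0x87
	}
	return out
}

// AESCMAC computes AES-CMAC (RFC 4493); SCP03 uses it as KDF PRF and as command MAC.
func AESCMAC(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	k1 := make([]byte, 16)
	block.Encrypt(k1, k1) // L = AES_K(0^128)
	k1 = dbl(k1)
	k2 := dbl(k1)
	n := (len(msg) + 15) / 16
	if n == 0 {
		n = 1
	}
	last := append([]byte{}, msg[(n-1)*16:]...)
	if len(last) == 16 {
		last = xor(last, k1) // complete final block
	} else {
		last = append(last, 0x80) // 10* padding, then K2
		for len(last) < 16 {
			last = append(last, 0x00)
		}
		last = xor(last, k2)
	}
	x := make([]byte, 16)
	for i := 0; i < n-1; i++ {
		block.Encrypt(x, xor(x, msg[i*16:(i+1)*16]))
	}
	block.Encrypt(x, xor(x, last))
	return x, nil
}

// DeriveSessionKey is the SCP03 KDF (SP 800-108 counter mode, AES-CMAC PRF). Derivation
// data: 11 zero bytes || constant || 0x00 || L=0x0080 || i=0x01 || host challenge ||
// card challenge. The static key stays in the secure element; fresh challenges give fresh keys.
func DeriveSessionKey(static []byte, constant byte, hostChal, cardChal []byte) ([]byte, error) {
	var d bytes.Buffer
	d.Write(make([]byte, 11))
	d.WriteByte(constant)
	d.Write([]byte{0x00, 0x00, 0x80, 0x01}) // separator, L (128 bits), counter i
	d.Write(hostChal)
	d.Write(cardChal)
	return AESCMAC(static, d.Bytes())
}

// WrapCommand appends an SCP03 C-MAC to a command APDU: CMAC over (MAC chaining value ||
// CLA INS P1 P2 || Lc || data), with Lc counting the 8 MAC bytes. The full 16-byte CMAC is
// the chaining value for the next command, so a command replayed out of order fails on the card.
func WrapCommand(smac, chaining, header, data []byte) (apdu, next []byte, err error) {
	msg := append(append([]byte{}, chaining...), header...)
	msg = append(append(msg, byte(len(data)+8)), data...)
	mac, err := AESCMAC(smac, msg)
	if err != nil {
		return nil, nil, err
	}
	return append(msg[16:], mac[:8]...), mac, nil
}

func main() {
	// Constructed sample values: a static MAC key and two sessions' challenges.
	static, _ := hex.DecodeString("404142434445464748494a4b4c4d4e4f")
	s1, _ := DeriveSessionKey(static, DerivSMAC, []byte("hostchl1"), []byte("cardchl1"))
	s2, _ := DeriveSessionKey(static, DerivSMAC, []byte("hostchl2"), []byte("cardchl2"))
	fmt.Printf("S-MAC session 1: %x\nS-MAC session 2: %x\n", s1, s2)
	hdr := []byte{0x84, 0xCA, 0x00, 0x7F} // constructed header; CLA carries the secure-messaging bit
	apdu, _, _ := WrapCommand(s1, make([]byte, 16), hdr, []byte{0x5C, 0x01, 0x7F})
	fmt.Printf("MACed APDU: %x\n", apdu)
}
```

Two sessions that share the same static transport key but exchange different challenges end up with different S-MAC values, so a MACed APDU captured in one session does not verify in another; within a session, the chaining value ties each command to the one before it, so reordering or dropping a command is detected by the card. The static keys themselves are only ever used as KDF input inside the secure element, which is the property the text above relies on when it says the plaintext is never exposed outside the cryptographic processor.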