Yubico / Yubico.NET.SDK

A YubiKey SDK for .NET developers
Apache License 2.0
96 stars 48 forks

Clarification on the CSP Implementation #16

Closed pvmraghunandan closed 1 year ago

pvmraghunandan commented 1 year ago

As per the Microsoft documentation here, it is recommended to use the Mini Driver, and the application should talk through the Crypto APIs or CNG. But while looking at the code, we are using the native DLL (WinScard.dll) directly. Any reason for taking this approach?

Excuse me if it's a lame question.

GregDomzalski commented 1 year ago

Hey @pvmraghunandan, that's a great question.

I think I would summarize the answer with two points:

  1. This SDK, as it stands right now, is for communicating and interacting with the YubiKey. We would love to start building higher level platform integrations with our .NET libraries at some point in the future. But right now, the focus is giving app developers a nice way to (hopefully) easily interact with all of the functionality that the YubiKey provides.

     Put another way - this SDK sits at about the same altitude as our other YubiKey libraries such as libykpers, libykpiv, or libfido2. In the case of libykpiv (the C PIV library), the Mini Driver actually is built on top of that library. Libykpiv provides the interface to the YubiKey in C, and the Mini Driver uses that interface to then integrate with Windows.

     So in the future, I could see us using the .NET SDK and providing similar platform integrations - say to the .NET System.Security.Cryptography objects, and to other libraries like BouncyCastle. (These are just ideas.)

     That said, we do already provide a few helper routines in the PIV namespace that allow interoperating between the .NET standard types and with the YubiKey specific formats for things like public and private keys.

  2. Our aim is to provide a cross-platform .NET experience. While a lot of our customers are using Windows and .NET Framework, we do also have other customers and a lot of interest around using .NET on macOS and Linux platforms. We also would like to do our part to help spread the C# and .NET development experience to those platforms.

     The Mini Driver is a Windows only concept. Very early in this project, we discussed taking a dependency for PIV - but very quickly realized that would not work out for us if targeting non-Windows platforms was also a goal.

I hope I've answered your question. Please feel free to ask follow-up questions, if you have any.

pvmraghunandan commented 1 year ago

@GregDomzalski Thanks for the detailed explanation. A couple of follow-up questions on the same aspect.

I am also curious about how we implemented interaction with the YubiKey for Linux and macOS. Can you please share the WinScard equivalent for those as well?

And as per the documentation here, if we use the Base CSP, Microsoft takes care of PIN caching and data caching. How is that being taken care of in the SDK currently?

Also, a little more generic question - how does the YubiKey compare to CAC cards? Does the YubiKey also store different certificates for encryption, signature and so on?

GregDomzalski commented 1 year ago

> I am also curious about how we implemented interaction with the YubiKey for Linux and macOS. Can you please share the WinScard equivalent for those as well?

We use PCSC-lite for Linux and macOS. It uses (mostly) the same API definition as WinSCard.

> And as per the documentation here, if we use the Base CSP, Microsoft takes care of PIN caching and data caching. How is that being taken care of in the SDK currently?

Unless the YubiKey performs the caching - which I don't think it will, at least not in the ways described by that document - then the SDK will not either. It is an exercise left to the reader. The application would need to implement it.

> Also, a little more generic question - how does the YubiKey compare to CAC cards? Does the YubiKey also store different certificates for encryption, signature and so on?

I'm not that familiar with the CAC card specification. I believe there is some overlap. Specifically regarding certs and keys - yes, there are different ones for Encryption and Signature. You can read more about the various slots in PIV here.

pvmraghunandan commented 1 year ago

Thanks @GregDomzalski. I appreciate the response. To give a bit more clarity on what we are trying to do:

We want to sign and decrypt S/MIME messages and other application-related payloads. We would like to fetch the private key from the YubiKey and use it for decryption, and the signature key for signing. The application encrypts with the recipient's public key and signs with the sender's private key (from the key). On the receiver side, data is decrypted using the private key fetched from the key.

Can you please provide a sample we can use to achieve this? We want to store the public keys on our servers during provisioning. Also, are there any local emulators we can use during development?

GregDomzalski commented 1 year ago

The private key can never leave the YubiKey. If you need to use the private key elsewhere off-YubiKey, you would need to generate the key-pair through some other means, and then import the private key and certificate into the YubiKey later.

Take a look at the PivSession.Sign method. This is the function that will sign data using a private key stored on the YubiKey. Note that there is no PivSession.Verify method, as public key functions can happen anywhere (and don't require the secure environment that the YubiKey provides).

Take a look at the PivSession.Sign API reference, and the ECDSA signatures user manual to see how this might work with the YubiKey. The latter article also discusses how signature verification can be completed with .NET's cryptographic library.
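The sign-on-device / verify-on-host split described in this answer, as an added example that is not code from the Yubico.NET.SDK repository or from the thread. It assumes a .NET 5+ runtime, that an EC P-256 key and its certificate were already provisioned in the PIV Digital Signature slot (9C), and that the SDK exposes the names `YubiKeyDevice.FindAll`, `PivSession`, `PivSession.KeyCollector`, `PivSession.Sign`, `PivSession.GetCertificate`, `PivSlot.Signing`, `KeyEntryData` and `KeyEntryRequest` as used below; check them against the current API reference before relying on them.

```csharp
// Added example (not from the Yubico.NET.SDK project): hash on the host, sign the
// digest inside the YubiKey's PIV slot 9C, verify with plain System.Security.Cryptography.
// Assumed SDK API names: YubiKeyDevice.FindAll, PivSession, KeyCollector, Sign,
// GetCertificate, PivSlot.Signing, KeyEntryData, KeyEntryRequest.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using Yubico.YubiKey;
using Yubico.YubiKey.Piv;

static class PivSignDemo
{
    static void Main()
    {
        // Constructed sample payload; for S/MIME this would be the signed-attributes block.
        byte[] payload = Encoding.UTF8.GetBytes("constructed sample payload");

        // PivSession.Sign signs exactly the bytes it is given, so the caller hashes first.
        // For ECDSA the digest length must match the curve (SHA-256 for P-256).
        byte[] digest = SHA256.HashData(payload);

        IYubiKeyDevice yubiKey = YubiKeyDevice.FindAll().FirstOrDefault()
            ?? throw new InvalidOperationException("No YubiKey found");

        byte[] derSignature;
        X509Certificate2 signerCert;
        using (var piv = new PivSession(yubiKey))
        {
            // The SDK calls back for the PIN when slot 9C's PIN policy requires it.
            // PIN handling is the application's job; this collector caches nothing.
            piv.KeyCollector = CollectPin;

            // The private key never leaves the device; only the signature comes back.
            derSignature = piv.Sign(PivSlot.Signing, digest);
            signerCert = piv.GetCertificate(PivSlot.Signing);
        }

        bool ok = VerifyOnHost(signerCert, payload, derSignature);
        Console.WriteLine(ok ? "signature verified" : "signature INVALID");
    }

    // Verification needs only the public key, so it runs anywhere with plain .NET
    // (the receiving side would use the certificate it already holds for the sender).
    static bool VerifyOnHost(X509Certificate2 cert, byte[] data, byte[] derSignature)
    {
        using ECDsa publicKey = cert.GetECDsaPublicKey()
            ?? throw new InvalidOperationException("certificate does not carry an EC key");
        // The YubiKey returns the ECDSA signature DER-encoded (SEQUENCE of r, s).
        return publicKey.VerifyData(data, derSignature, HashAlgorithmName.SHA256,
                                    DSASignatureFormat.Rfc3279DerSequence);
    }

    // Minimal KeyCollector: prompts for the PIN, hands it to the SDK, and wipes the
    // buffer immediately. Release is the SDK's signal that the operation is finished.
    static bool CollectPin(KeyEntryData keyEntryData)
    {
        if (keyEntryData.Request == KeyEntryRequest.Release)
        {
            return true;
        }
        if (keyEntryData.Request != KeyEntryRequest.VerifyPivPin)
        {
            return false; // decline any request this demo does not handle
        }
        Console.Write(keyEntryData.IsRetry ? "PIN incorrect, try again: " : "PIV PIN: ");
        byte[] pin = Encoding.ASCII.GetBytes(Console.ReadLine() ?? string.Empty);
        keyEntryData.SubmitValue(pin);
        CryptographicOperations.ZeroMemory(pin);
        return true;
    }
}
```

Two design points worth noting. Verification deliberately does not touch the YubiKey, which is why there is no PivSession.Verify: the relying party only needs the certificate. And because the Base CSP is not in the picture, the PIN never leaves the application's control; the collector above zeroes it right after submission rather than keeping a cached copy in process memory, which is the simplest answer to the caching question earlier in the thread.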

GregDomzalski commented 1 year ago

Closing issue due to inactivity. Please feel free to open a new issue if you have additional questions.