Closed pvmraghunandan closed 1 year ago
Hey @pvmraghunandan, that's a great question.
I think I would summarize the answer with two points:
I hope I've answered your question. Please feel free to ask followup questions, if you have any.
@GregDomzalski Thanks for detailed explanation. Couple of follow up questions on same aspect.
I am also curious on how we implemented for Linux & Mac OS interacting to Yubi Key. Can you please share similar WinScard equivalent for those as well?
And as per documentation here, if we use Base CSP, Microsoft takes care of Pin Caching & Data Caching. How is that being taken care in SDK Currently?
Also, a little more generic question - How is Yubi Key comparable to CAC Cards? Does yubi key also stores different certificates for Encryption, Signature and so on?
I am also curious on how we implemented for Linux & Mac OS interacting to Yubi Key. Can you please share similar WinScard equivalent for those as well?
We use PCSC-lite for Linux and macOS. It uses (mostly) the same API definition as WinSCard.
And as per documentation here, if we use Base CSP, Microsoft takes care of Pin Caching & Data Caching. How is that being taken care in SDK Currently?
Unless the YubiKey performs the caching - which I don't think it will, at least, not in the ways described by that document - then the SDK will not either. It is an exercise left to the reader. The application would need to implement it.
Also, a little more generic question - How is Yubi Key comparable to CAC Cards? Does yubi key also stores different certificates for Encryption, Signature and so on?
I'm not that familiar with the CAC card specification. I believe there is some overlap. Specifically regarding certs and keys - yes, there are different ones for Encryption and Signature. You can read more about the various slots in PIV here.
Thanks @GregDomzalski . Appreciate for the response. To give bit more clarity on what we are trying to do..
We want to Sign and Decrypt S/MIME messages and other application related payloads. We would like to fetch Private key from Yubi Key and use it for Decrypt purpose and Signature for Signing. Application encrypts with recipient public key and sign with sender private key (from key). In receiver side, data is decrypted using private key fetched from key.
Can you please provide some sample that we can acheive? Public keys we want to store during provisioning into our servers. Also are there any local emulators we can use during development?
The private key can never leave the YubiKey. If you need to use the private key elsewhere off-YubiKey, you would need to generate the key-pair through some other means, and then import the private key and certificate into the YubiKey later.
Take a look at the PivSession.Sign
method. This is the function that will sign data using a private key stored on the YubiKey. Note that there is no PivSession.Verify
method as public key functions can happen anywhere (and doesn't require the secure environment that the YubiKey provides.)
Take a look at the PivSession.Sign API reference, and the ECDSA signatures user manual to see how this might work with the YubiKey. The latter article also discusses how signature verification can be completed with .NET's cryptographic library.
Closing issue due to inactivity. Please feel free to open a new issue if you have additional questions.
As per Microsoft Documentation here, it is recommended to use the Mini Driver and Application should talk through the Crypto APIs (or) CNG. But while looking at the code, we are using Native DLL (WinScard.dll) directly. Any reason for taking this approach.
Excuse me if it's a lame question