Asymmetric authentication adds an alternative mechanism for session establishment, and then re-uses the existing session protection mechanisms. There is no performance difference once a session is established.
Asymmetric authentication can be set up using a YubiKey (firmware 5.6.x or higher) and YubiKey Manager CLI (version 5.2.0 or newer). This feature was added in YubiHSM 2 firmware version 2.3 and is therefore unavailable on the YubiHSM 2 FIPS.
It can also be set up using ECC-P256 keys stored on-disk as soft-keys.
Set up asymmetric authentication using a YubiKey and YubiKey Manager CLI
Note: For YubiKey 5 FIPS Series, or if you have changed the default management password, you will need to add the -m <management password> argument when generating an asymmetric credential on the YubiKey.
- Generate an asymmetric credential on the YubiKey
ykman hsmauth credentials generate -t -c "StrongPassword#11" "asym_auth"
- Export the public key from the YubiKey
ykman hsmauth credentials export "asym_auth" ./pub-ec-p256-key.pem
- Open yubihsm-shell and create the asymmetric authentication key
yubihsm> put authkey_asym 0 0 "asym_auth" all all all ./pub-ec-p256-key.pem
- Create a session to the YubiHSM 2 using the private key stored on the YubiKey
yubihsm> session ykopen <key_id> "asym_auth" StrongPassword#11
Set up asymmetric authentication using soft keys
- First create an ECC-P256 private key on disk. This can be done using OpenSSL:
openssl ecparam -name P-256 -genkey -noout -out priv-ec-p256-key.pem
- Extract the public key from the private key
openssl ec -in priv-ec-p256-key.pem -pubout -out pub-ec-p256-key.pem
- Open yubihsm-shell and create the asymmetric authentication key on the YubiHSM 2
yubihsm> put authkey_asym 0 0 Asym_auth_key all all all ./pub-ec-p256-key.pem
- Create a session to the YubiHSM using asymmetric authentication
yubihsm> session open_asym <key_id> ./priv-ec-p256-key.pem
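Whichever path produced the public key PEM (exported from the YubiKey above, or extracted with OpenSSL here), it is worth checking the file before loading it with put authkey_asym. The following is an added example, not Yubico's code: a standard-library-only Python check that the PEM is an uncompressed P-256 SubjectPublicKeyInfo whose point actually lies on the curve. The sample key is constructed from the P-256 generator point rather than read from disk.

```python
# Added example (not Yubico's code): validate a PEM public key before handing it
# to `put authkey_asym`. Checks that the file is a SubjectPublicKeyInfo for the
# P-256 curve and that the uncompressed point really lies on the curve.
import base64
import re

# P-256 domain parameters: field prime, coefficient b, generator point (Gx, Gy).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

# DER prefix of a P-256 SubjectPublicKeyInfo: SEQUENCE { SEQUENCE { OID ecPublicKey,
# OID prime256v1 }, BIT STRING (65 bytes, 0 unused bits) }, then 0x04 || X || Y.
SPKI_PREFIX = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200")

def build_pem(x: int, y: int) -> str:
    """Constructed sample input: wrap an (x, y) point as a PEM 'PUBLIC KEY' block."""
    der = SPKI_PREFIX + b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n" + body + "\n-----END PUBLIC KEY-----\n"

def parse_p256_pubkey_pem(pem: str):
    """Return (x, y) for a valid uncompressed P-256 public key, else raise ValueError."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", pem, re.S)
    if not m:
        raise ValueError("not a PEM PUBLIC KEY block")
    der = base64.b64decode("".join(m.group(1).split()))
    # 26-byte prefix + 0x04 + 32-byte X + 32-byte Y = 91 bytes exactly.
    if len(der) != 91 or not der.startswith(SPKI_PREFIX) or der[26] != 0x04:
        raise ValueError("not an uncompressed P-256 SubjectPublicKeyInfo")
    x = int.from_bytes(der[27:59], "big")
    y = int.from_bytes(der[59:91], "big")
    # Curve equation y^2 = x^3 - 3x + b (mod p); rejects off-curve or garbled points.
    if x >= P or y >= P or (y * y - (x ** 3 - 3 * x + B)) % P != 0:
        raise ValueError("point is not on P-256")
    return x, y

def is_valid_p256_pubkey_pem(pem: str) -> bool:
    """Boolean wrapper for use in scripts before running `put authkey_asym`."""
    try:
        parse_p256_pubkey_pem(pem)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print(is_valid_p256_pubkey_pem(build_pem(GX, GY)))  # True for the generator point
```

To check a real file, read it and pass its contents to is_valid_p256_pubkey_pem; a rejected file should not be loaded into the YubiHSM 2.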
Delete an asymmetric authentication key on the YubiHSM 2
To delete an asymmetric authentication key on the YubiHSM 2, start yubihsm-shell and run:
yubihsm> delete 0 <key_id> authentication-key
Delete an asymmetric authentication key on the YubiKey
To delete an asymmetric authentication key on the YubiKey using YubiKey Manager CLI, run:
ykman hsmauth credentials delete asym_auth