Inquiry about YubiHSM 2 Authentication & Access control #387
Hi. Thank you for giving the YubiHSM2 a try.
For example, if the user is logged in with authentication key A, which operates on the domains 3 and 6, and if there exists an RSA key K that operates within the domains 6 and 7, then that user will be able to list the key K as an available key because both A and K operate within domain 6. However, if that user wants to sign data using key K and RSA-PKCS1v1.5, they will only be able to do so if both A and K were given the capability to sign using RSA-PKCS1v1.5 when they were created. If either A or K is missing that capability, that user will not be able to sign data with key K. Any object can be created with multiple domains and multiple capabilities. There is a lot of documentation and many user guides available for the YubiHSM2 on https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/index.html
I hope these answers were helpful. As mentioned, a lot of documentation is available in https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/index.html
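The domain and capability rule described in the reply above, as an added Python model that is not part of the thread and not Yubico's code. It goes one step beyond the single A/K case by building an audit matrix over several keys; the class, the function names, the extra objects B, C and K2, and the "sign-pkcs" label are assumptions made for this illustration, and the sets are a model rather than the device's encoding.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HsmObject:
    """Illustrative stand-in for a YubiHSM 2 object (not the device's wire format)."""
    label: str
    domains: frozenset        # domain numbers the object operates in
    capabilities: frozenset   # capability names granted at creation


def can_list(auth_key, target):
    """Visible if the authentication key and the object share at least one domain."""
    return bool(auth_key.domains & target.domains)


def can_use(auth_key, target, capability):
    """Usable only if a domain is shared AND both sides hold the capability."""
    return (can_list(auth_key, target)
            and capability in auth_key.capabilities
            and capability in target.capabilities)


def access_matrix(auth_keys, targets, capability):
    """Audit helper: (auth label, object label) -> 'use', 'list-only' or 'none'."""
    matrix = {}
    for a in auth_keys:
        for t in targets:
            if can_use(a, t, capability):
                matrix[(a.label, t.label)] = "use"
            elif can_list(a, t):
                matrix[(a.label, t.label)] = "list-only"
            else:
                matrix[(a.label, t.label)] = "none"
    return matrix


# Constructed sample objects mirroring the reply: A in domains 3 and 6, K in 6 and 7.
SIGN = "sign-pkcs"  # label used here for the RSA-PKCS1v1.5 signing capability
A = HsmObject("A", frozenset({3, 6}), frozenset({SIGN}))
B = HsmObject("B", frozenset({6}), frozenset())           # shares a domain, lacks the capability
C = HsmObject("C", frozenset({1, 2}), frozenset({SIGN}))  # has the capability, no shared domain
K = HsmObject("K", frozenset({6, 7}), frozenset({SIGN}))
K2 = HsmObject("K2", frozenset({6}), frozenset())         # key created without the capability

if __name__ == "__main__":
    for pair, level in access_matrix([A, B, C], [K, K2], SIGN).items():
        print(pair, level)
```

Running the same matrix over a planned key layout before provisioning shows which authentication keys end up with more than list access to a signing key.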
Hello,
I recently acquired a YubiHSM 2 device and am keen to delve deeper into its capabilities. Specifically, I'm interested in understanding its potential for manual configuration and the feasibility of implementing access controls programmatically.
Could you kindly assist me with the following queries:
Manual Configuration: Is it feasible to manually configure the YubiHSM 2 device? If so, I'd appreciate insights into the available customization options.
Access Controls via Software Code: Can access controls, such as user permissions definition or cryptographic policy setup, be added through software code or programmatically?
Recommended Tools and APIs: Are there any recommended tools, APIs, or documentation tailored for developers aiming to integrate and configure the YubiHSM 2 device programmatically?
PKCS File Configuration and Software Code Integration: Is it possible to configure the PKCS file or write software code to interact with it directly?
I'm eager to learn more about the YubiHSM 2 device's potential and would be immensely grateful for any guidance or resources you could provide on this matter.
Thank you in advance for your assistance.