Change an Authentication Key.


Replace the Authentication Key used to establish the current Session. It is not possible to modify any of the metadata connected to the Object such as Domains or Capabilities. Only the payload data of the Object (i.e., the long-lived symmetric keys) will be modified.

The same PBKDF2 derivation scheme described in Session is available.

Shell Example

Change the current Authentication Key, deriving the new key from the password newpassword:

yubihsm> change authkey 0 1 newpassword
Changed Authentication key 0x0001

Protocol Details


Tc = 0x6c

Lc = 2 + 1 + 16 + 16

Vc = I || A || Ke || Km

Replace the currently used Authentication Key with a new set of keys.

I := Object ID of the Authentication Key (2 bytes)

A := Algorithm (1 byte)

Ke := Encryption Key (16 bytes)

Km := Mac Key (16 bytes)


Tr = 0xec

Lr = 2

Vr = I

I := Object ID of the changed Object (2 bytes)
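
The command and response layouts above, as an added example that is not Yubico's code. It builds the plaintext command (which the device only accepts wrapped inside the encrypted Session) and validates the response. Assumptions not stated on this page: a 1-byte type and 2-byte big-endian length framing, PBKDF2-HMAC-SHA256 with salt "Yubico" and 10000 iterations, and algorithm ID 38 for aes128-yubico-authentication.

```python
import hashlib
import struct

CMD_CHANGE_AUTHKEY = 0x6C  # Tc from the page
RSP_CHANGE_AUTHKEY = 0xEC  # Tr from the page
# Assumptions (not on this page): PBKDF2 parameters and the algorithm ID.
PBKDF2_SALT = b"Yubico"
PBKDF2_ITERATIONS = 10_000
ALGO_AES128_YUBICO_AUTH = 38


def derive_keys(password):
    """Derive (Ke, Km), 16 bytes each, from a password."""
    material = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), PBKDF2_SALT, PBKDF2_ITERATIONS, dklen=32
    )
    return material[:16], material[16:]


def build_change_authkey(object_id, password, algorithm=ALGO_AES128_YUBICO_AUTH):
    """Return Tc || Lc || Vc with Vc = I || A || Ke || Km."""
    if not 0 <= object_id <= 0xFFFF:
        raise ValueError("Object ID must fit in 2 bytes")
    ke, km = derive_keys(password)
    value = struct.pack(">HB", object_id, algorithm) + ke + km
    assert len(value) == 2 + 1 + 16 + 16  # Lc from the page
    return struct.pack(">BH", CMD_CHANGE_AUTHKEY, len(value)) + value


def parse_change_authkey_response(frame):
    """Validate Tr || Lr || Vr and return the changed Object ID."""
    if len(frame) < 3:
        raise ValueError("response shorter than the 3-byte header")
    tag, length = struct.unpack(">BH", frame[:3])
    if tag != RSP_CHANGE_AUTHKEY:
        raise ValueError(f"unexpected response type 0x{tag:02x}")
    if length != 2 or len(frame) != 3 + length:
        raise ValueError("response length does not match Lr = 2")
    return struct.unpack(">H", frame[3:])[0]


if __name__ == "__main__":
    frame = build_change_authkey(0x0001, "newpassword")
    # Print only the header and non-secret fields, never Ke or Km.
    print("header:", frame[:6].hex(), "total bytes:", len(frame))
    # Constructed sample response for Object ID 0x0001.
    print("changed:", hex(parse_change_authkey_response(bytes.fromhex("ec00020001"))))
```

The parser rejects any response whose type or length differs from the values on this page, so an error response or a truncated reply is not mistaken for a successful change.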