Begin the mutual authentication process for establishing a Session.


Start negotiating a Session with the device. This command tells the device which Authentication Key to use and sends the host challenge part. The response will contain the device challenge and device authentication part. To establish the session continue with Authenticate Session.

Shell Example

Create a new session with Authentication Key 1 using the password password. This does both the session creation and authentication steps:

yubihsm> session open 1 password
Created session 0

Protocol Details


Tc = 0x03

Lc = 10

Vc = I || H

I := Key set ID (2 bytes)

H := Host Challenge (8 bytes)

The device generates a random Card Challenge C (8 bytes).

The device derives three Session Keys (S-ENC, S-MAC and S-RMAC) starting from the set of two static keys identified by I (K-ENC and K-MAC) and the two challenges H and C, using the same procedure described in SCP03.

The device uses S-MAC together with H and C to compute the Card Cryptogram A. The host will compute the Host Cryptogram B after having received C and derived S-MAC.

On success the device generates a Session ID S (1 byte) and sets the message counter for the current Session to 1.


Tr = 0x83

Lr = 17

Vr = S || C || A