HMAC Keys in Windows Companion Device Framework RRS feed

  • Question

  • Recently I became interested in the Companion Device Framework as described in here:

    At the moment I'm building a prototype for the authentication with a Raspberry Pi 3 on IoT Core and everything went fine so far but I still got an open question concerning the HMAC values and the storing of the keys:

    As seen in picture 3( ) the DeviceKey is only stored on the Companion Device and on the Companion Auth Service side there's only the AuthKey. I totally get the purpose of the AuthKey since it's used to build the HMAC which is sent to the CD and therefore the Companion Device is able to authenticate the client. But what's the point of building an HMAC (Signature) on the CD with the device nonce from the service when the device key isn't stored by the Companion Auth Service? Who's gonna do something with the HMAC(dk)? Is there something missing in the diagram, or do I miss another important point? Thanks for any hint how the HMAC(dk) will be validated (by whomsoever).

    best regards


    Sunday, November 27, 2016 6:46 PM

All replies

  • Hi Fabian,

    From the documentation, there are two paragraphs are worth considering:

    The device key and authentication keys are exchanged at registration time between the Windows Hello companion device app and Windows Hello companion device. As a result, the Windows Hello companion device app and Windows Hello companion device must use a secure transport to protect keys.

    Also, note that while the diagram above displays two HMAC keys generating on the Windows Hello companion device, it is also possible for the app to generate them and send them to the Windows Hello companion device for storage.

    In fact, as documentation mentioned, for companion-device-framework problem, you’d better ask for help from here.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Tuesday, November 29, 2016 2:49 AM
  • Hi Teemo

    Thanks for the reply but I don't know how these paragraphs could answer my question.

    I know that the keys are exchanged during registration and therefore a secure transport must be used. I'm also aware of the possibility to generate them either on the device or within the companion device app on the client but that where is the connection to my question?

    But I guess I'll get in touch with the board



    Wednesday, November 30, 2016 2:17 PM
  • Hi schwf5

    I have same question about Device HMAC.
    Did you get the answer for your question ?

    Thursday, October 19, 2017 1:28 AM