From: Douglas E E. <dee...@gm...> - 2016-07-13 19:20:28
<html> <head> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <br> <br> <div class="moz-cite-prefix">On 7/13/2016 5:30 AM, Nguyễn Hồng Quân wrote:<br> </div> <blockquote cite="mid:CAL...@ma..." type="cite"> <div dir="ltr"> <div> <div> <div> <div>Hello<br> <br> </div> I'm the maintainer for OpenPGP support in OpenSC.<br> <br> </div> New version v2.1 of OpenPGP comes with support of decryption with AES key stored in the card. I want to add this feature to OpenSC, especially PKCS#11. </div> </div> </div> </blockquote> <br> Although OpenSC was based on PKCS#11 2.20, there are some extensions for v2.30 and v2.40.<br> OpenSC only supports RSA and EC keys, but internally some cards use AES, but only for administrative card uses, not for PKCS#11. <br> <br> Start by reading the PKCS#11 2.40 standards. <br> <a class="moz-txt-link-freetext" href="https://www.oasis-open.org/standards">https://www.oasis-open.org/standards</a><br> <br> <a class="moz-txt-link-freetext" href="http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.pdf">http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.pdf</a><br> <a class="moz-txt-link-freetext" href="http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/os/pkcs11-curr-v2.40-os.pdf">http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/os/pkcs11-curr-v2.40-os.pdf</a><br> There are also some errata to the above. <br> <br> <br> <br> <blockquote cite="mid:CAL...@ma..." type="cite"> <div dir="ltr"> <div> <div>My questions are:<br> <br> </div> <div>- Can it be added to PKCS#11 code?</div> </div> </div> </blockquote> <br> AES mechanisms are defined in PKCS#11. PKCS#11 defines 3 types of keys, Public, Private and Secret. AES would be a Secret key. <br> See the pkcs11-curr-v2.40-os above, section 2.8 AES.<br> <br> <blockquote cite="mid:CAL...@ma..." type="cite"> <div dir="ltr"> <div> <div> Is C_Decrypt function the right place to do?
</div> </div> </div> </blockquote> <br> Depends on the AES mechanism your token supports. <br> <br> <blockquote cite="mid:CAL...@ma..." type="cite"> <div dir="ltr"> <div> <div>If yes, which PKCS#11 application/tool can be used to debug and test? </div> </div> </div> </blockquote> <br> None that I know of. OpenSC really only deals with RSA and EC keys. <br> <br> <blockquote cite="mid:CAL...@ma..." type="cite"> <div dir="ltr"> <div> <div>Mozilla apps don't let me pick a symmetric key.<br> </div> </div> </div> </blockquote> <br> Mozilla calls PKCS#11 modules to support smart cards. There are no Secret key smart cards that I know of for them to use. <br> <br> <blockquote cite="mid:CAL...@ma..." type="cite"> <div dir="ltr"> <div>- Can it be added to pkcs15 tools, the "pkcs15-crypt --decipher" command, for example?</div> </div> </blockquote> <br> Not without a lot more OpenSC programming. <br> <br> <blockquote cite="mid:CAL...@ma..." type="cite"> <div dir="ltr"> <div> Looking into its source code, I found that the tool only looks up private keys.<br> </div> </div> </blockquote> <br> Yes RSA, GOST and EC are supported by OpenSC. <br> <br> Within OpenSC, the closest thing to Secret Key support is with EC key derivation, a generic secret key is returned, and the minimal PKCS#11 interface is available to retrieve the secret key value. <br> <br> pkcs11-tool.c in derive_key does: <br> rv = p11->C_DeriveKey(session, &mech, key, newkey_template, 5, &newkey);<br> The newkey is a secret key and its value is obtained. <br> <br> pkcs11-tool.c can show and generate secret_keys. <br> <br> src/pkcs11/framework-pkcs15.c has a pkcs15_create_secret_key but it's only used for the generic secret key. <br> <br> <blockquote cite="mid:CAL...@ma..." 
type="cite"> <div dir="ltr"> <div><br> </div> Regards<br clear="all"> <div> <div> <div> <div> <div><br> -- <br> <div class="gmail_signature" data-smartmail="gmail_signature"> <div dir="ltr"> <div> <div dir="ltr"> <div> <div dir="ltr"> <div> <div dir="ltr"> <div><span style="font-family:courier new,monospace">Quân<br> </span></div> <div><span style="font-family:courier new,monospace">***********************************************<br> * Nguyễn Hồng Quân *<br> * ☎ 093 9030 338 *<br> * Facebook: ng.hong.quan *<br> </span></div> <span style="font-family:courier new,monospace">* 🌏 <a moz-do-not-send="true" href="http://quan.hoabinh.vn" target="_blank">quan.hoabinh.vn</a> *<br> </span> <div><span style="font-family:courier new,monospace">***********************************************</span></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <br> </blockquote> <br> <pre class="moz-signature" cols="200">-- Douglas E. Engert <a class="moz-txt-link-rfc2396E" href="mailto:DEE...@gm..."><DEE...@gm...></a> </pre> </body> </html>
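
Added example, not part of the original message and not OpenSC code: the reply says whether C_Decrypt is the right entry point depends on the AES mechanism the token supports, so this sketch filters what C_GetMechanismList and C_GetMechanismInfo would report for a mechanism usable with C_DecryptInit. The constants are copied by value from the PKCS#11 v2.40 headers; `mech_entry`, `NO_MECH`, `pick_aes_decrypt_mech`, the preference order and both sample token lists are assumptions made for illustration.

```c
#include <stddef.h>

/* Values copied from the PKCS#11 v2.40 headers so this compiles without pkcs11.h. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_MECHANISM_TYPE;
typedef struct {
    CK_ULONG ulMinKeySize;   /* for AES mechanisms these are bytes, not bits */
    CK_ULONG ulMaxKeySize;
    CK_ULONG flags;
} CK_MECHANISM_INFO;

#define CKM_RSA_PKCS     0x00000001UL
#define CKM_ECDH1_DERIVE 0x00001050UL
#define CKM_AES_ECB      0x00001081UL
#define CKM_AES_CBC      0x00001082UL
#define CKM_AES_CBC_PAD  0x00001085UL
#define CKF_DECRYPT      0x00000200UL
#define CKF_DERIVE       0x00080000UL
#define NO_MECH          (~0UL)   /* hypothetical sentinel: nothing usable */

/* Hypothetical pairing of a C_GetMechanismList entry with its C_GetMechanismInfo result. */
struct mech_entry { CK_MECHANISM_TYPE type; CK_MECHANISM_INFO info; };

/* Constructed sample: a token exposing only RSA decryption and ECDH derivation. */
static const struct mech_entry RSA_EC_TOKEN[] = {
    { CKM_RSA_PKCS,     { 1024, 4096, CKF_DECRYPT } },
    { CKM_ECDH1_DERIVE, {  256,  384, CKF_DERIVE  } },
};
/* Constructed sample: a token that also decrypts with on-card AES keys. */
static const struct mech_entry AES_TOKEN[] = {
    { CKM_RSA_PKCS, { 1024, 4096, CKF_DECRYPT } },
    { CKM_AES_ECB,  {   16,   32, CKF_DECRYPT } },
    { CKM_AES_CBC,  {   16,   16, CKF_DECRYPT } },
};

/* Mechanism to hand to C_DecryptInit for an AES key of key_len bytes, or NO_MECH.
 * Preference CBC_PAD > CBC > ECB is this example's policy, not part of PKCS#11. */
CK_MECHANISM_TYPE pick_aes_decrypt_mech(const struct mech_entry *m, size_t n,
                                        CK_ULONG key_len)
{
    static const CK_MECHANISM_TYPE pref[] = { CKM_AES_CBC_PAD, CKM_AES_CBC, CKM_AES_ECB };
    for (size_t p = 0; p < sizeof pref / sizeof pref[0]; p++)
        for (size_t i = 0; i < n; i++)
            if (m[i].type == pref[p] && (m[i].info.flags & CKF_DECRYPT) &&
                key_len >= m[i].info.ulMinKeySize && key_len <= m[i].info.ulMaxKeySize)
                return pref[p];
    return NO_MECH;
}
```

In a real client the entries come from the loaded module, and the selected mechanism is used with a key object whose CKA_CLASS is CKO_SECRET_KEY and whose CKA_KEY_TYPE is CKK_AES.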