trustedjava-support

[Trustedjava-support] AIK creation fails

[Fischer, A. <ann...@hp...>]

Hi,

I'm trying to use the AIK capabilities of the Trusted Java Stack, but
I've got some problems and I hope you can help me with that.

When using the AIK creation methods in the example test I have problems
to decrypt the IdentityReqBlob. During the method I get the following
error:

java.security.InvalidKeyException: Illegal key size or default
parameters
        at (24464082) javax.crypto.Cipher.a(DashoA12275)
        at (24464082) javax.crypto.Cipher.a(DashoA12275)
        at (24464082) javax.crypto.Cipher.a(DashoA12275)
        at (24464082) javax.crypto.Cipher.init(DashoA12275)
        at (24464082) javax.crypto.Cipher.init(DashoA12275)

I'm using the method of the junit test package (I printed it below). The
error appears during the execution of the=20

aesDec.init(Cipher.DECRYPT_MODE, skeySpec);

command.

Do you have any idea why the decryption here fails? The decryption of
the symmetric key seems to work. I'm using the complete AIK creation
process that is available in the junit test package. I create the public
CA key in the same way and the TPM_MakeIdentity command is also
successful on the TPM. The TPM doesn't give me error messages, so the
keys should be alright.

Thanks for your help,
Anna


My decryption method:

public TcTcpaIdentityProof caDecryptIdentityReqBlob(
			TcBlobData collateIdentityReqBlob) throws
TcException {
				// step 1: decode the collate identity
request blob
		TcTcpaIdentityReq collateIdentityReq =3D new
TcTcpaIdentityReq(
				collateIdentityReqBlob);

		TcBlobData symBlobDecrypted =3D null;
		try {

			// step 2: decrypt the symmetric key (encrypted
by the client with
			// the public CA key)

			//Cipher rsaDec =3D
Cipher.getInstance("RSA/ECB/PKCS1Padding");
			 Cipher rsaDec =3D
=09
Cipher.getInstance("RSA/ECB/OAEPWithSHA1AndMGF1Padding");
		=09
			rsaDec.init(Cipher.DECRYPT_MODE,
caKeyPair_.getPrivate());
			TcTcpaSymmetricKey symmetricKey =3D new
TcTcpaSymmetricKey(=20
=09
TcTssStructFactory.newBlobData().initByteArray(
=09
rsaDec.doFinal(collateIdentityReq.getAsymBlob()
=09
.asByteArray())));
		=09
			// step 3: decrypt the symmetrically encrypted
data
			Cipher aesDec =3D
Cipher.getInstance("AES/ECB/PKCS5Padding");
			SecretKeySpec skeySpec =3D new
SecretKeySpec(symmetricKey.getData()
					.asByteArray(), "AES");
		=09
		=09
			aesDec.init(Cipher.DECRYPT_MODE, skeySpec);
		=09
			symBlobDecrypted =3D
TcTssStructFactory.newBlobData().initByteArray(
					//=20
=09
aesDec.doFinal(collateIdentityReq.getSymBlob()
=09
.asByteArray()));

			} catch (GeneralSecurityException e) {
			Log.err(this,e);
			return null;
		}

				// the decrypted data is of type
TCPA_IDENTITY_PROOF
		TcTcpaIdentityProof identityProof =3D new
TcTcpaIdentityProof(
				symBlobDecrypted);
	=09
		return identityProof;
	}

Re: [Trustedjava-support] AIK creation fails

[Thomas W. <tho...@ia...>]

Hi Anna,

> [...]
> When using the AIK creation methods in the example test I have problems
> to decrypt the IdentityReqBlob. During the method I get the following
> error:
> 
> [...]
> 
> Do you have any idea why the decryption here fails? The decryption of
> the symmetric key seems to work.

Your problem seems to be that you do not have installed the "Unlimited 
Strength Jurisdiction Policy Files" for the Java Crypto Extension (JCE). 
Without those files, you can not use all the algorithms and the length 
of your keys might be limited.
Please download the files form 
http://java.sun.com/j2se/1.5.0/download.jsp (at the bottom of the page) 
and install them in the jre/lib/security folder of your Java 
installation. With these files, the AIK creation should work.

The readme.txt shipped with the jTSS Wrapper and the jTSS website also 
mention that Java 1.5 with the "Unlimited Strength Jurisdiction Policy 
Files" is required for AIK creation (section 2.3.1, item 3).

Regards,
Thomas Winkler
IAIK, TU Graz, Austria