How to retrieve RSA private key from wrapped key blob?


How to retrieve RSA private key from wrapped key blob?

Ogorzalek, Przemyslaw

Hello,

I wonder if it's possible to decrypt a wrapped RSA private key downloaded from a smartcard? The key was generated and obtained by the following set of commands:

sc-hsm-tool --create-dkek-share dkek/dkek-share-1.pbe
sc-hsm-tool --create-dkek-share dkek/dkek-share-2.pbe

sc-hsm-tool --initialize --dkek-shares 2
sc-hsm-tool --import-dkek-share dkek/dkek-share-1.pbe
sc-hsm-tool --import-dkek-share dkek/dkek-share-2.pbe
pkcs11-tool -l --pin 123456 --keypairgen --key-type rsa:2048 --id 11 --usage-sign
sc-hsm-tool --wrap-key wrap-key.bin --key-reference 1

I know how to upload the key to a new card, but what if I want to change the technology stack and stop using smartcards in the future? Is there any way to re-encrypt the RSA key to store it in a file protected simply by a passphrase?

Assume that I have both DKEK key shares and corresponding passwords, and I can perform the whole process in a designated secure room.

I have also asked this question on superuser.com: http://superuser.com/questions/1066719/how-to-retrieve-rsa-private-key-from-wrapped-key-blob
So if you can answer my question, the reputation is yours to get :)

Best regards,
Przemysław Ogorzałek


_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: How to retrieve RSA private key from wrapped key blob?

Andreas Schwier (ML)
Dear Przemysław,

if you register at the CardContact Developers Network, you can download
the SDK [1]. It contains a class DKEK.js which can be used to decrypt
and dump the key blob.

Andreas


[1]
https://devnet.cardcontact.de/attachments/download/55/sc-hsm-workspace-20160229.zip

On 04/19/2016 02:03 PM, Ogorzalek, Przemyslaw wrote:

--

    ---------    CardContact Systems GmbH
   |.##> <##.|   Schülerweg 38
   |#       #|   D-32429 Minden, Germany
   |#       #|   Phone +49 571 56149
   |'##> <##'|   http://www.cardcontact.de
    ---------    Registergericht Bad Oeynhausen HRB 14880
                 Geschäftsführer Andreas Schwier

Re: How to retrieve RSA private key from wrapped key blob?

Ogorzalek, Przemyslaw
Hello,

I've finally managed to obtain a card and all credentials required to download the SDK, but now I have bumped into a problem with the script itself.

I fired up Smart Card Shell GUI, set sc-hsm-workspace as workspace directory and selected scsh/sc-hsm/DKEK.js script to run. As a result it produced the following error:

    Running setup script config.js ...

    SCSH3 - Smart Card Shell 3.7.1917
    ---------------------------------------------------------------------------
    (c) 2005-2011 CardContact Software & System Consulting (www.cardcontact.de)
    Enter 'help' for a command overview or 'quit' to close the shell

    >load("/root/opensc/sc-hsm-workspace/sc-hsm-workspace/scsh/sc-hsm/DKEK.js");
    org.mozilla.javascript.EcmaError: ReferenceError: "exports" is not defined. (/root/opensc/sc-hsm-workspace/sc-hsm-workspace/scsh/sc-hsm/DKEK.js#25)
        at /root/opensc/sc-hsm-workspace/sc-hsm-workspace/scsh/sc-hsm/DKEK.js#25
    >

I've tried several other scripts from the scsh directory; all of them finished with the same error. Scripts from the sc-hsm-sdk-scripts directory run without this problem. I used the same instance of Smart Card Shell which I used for the account activation process, so the software itself should be fine.

I suspect it's some simple rookie mistake and I didn't initialize something correctly, but I was unable to find any clues in the documentation. Perhaps there should be some wiki page for absolute beginners to document problems like this one?

Best regards,
Przemysław Ogorzałek

-----Original Message-----
From: Andreas Schwier [mailto:[hidden email]]
Sent: Tuesday, April 19, 2016 2:19 PM
To: [hidden email]
Subject: Re: [Opensc-devel] How to retrieve RSA private key from wrapped key blob?

Re: How to retrieve RSA private key from wrapped key blob?

Andreas Schwier (ML)
Dear Przemysław,

the DKEK.js file - and all other files under "scsh" - is a module that
cannot be loaded with load(). Modules are included from scripts using
the JavaScript require() command.

Try running the sc-hsm-sdk-scripts/key_import/decrypt_keyblob.js script,
which is an example of how to decrypt the key blob.

You also need to make sure that you have the unrestricted cryptographic
strength policy installed in your JRE, as the DKEK encryption uses AES-256.

Andreas

On 04/25/2016 10:26 AM, Ogorzalek, Przemyslaw wrote: