How to use symmetric 9E key on PIV


How to use symmetric 9E key on PIV

William Roberts
I have a PIV card with a symmetric 9E key. Is there some way to use this to encrypt data with any of the opensc, pkcs11 or openssl commands?

--
Respectfully,

William C Roberts


_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: How to use symmetric 9E key on PIV

Douglas E Engert


On 12/9/2014 4:44 PM, William Roberts wrote:
> I have a PIV card with a symmetric 9E key. Is there some way to use this to encrypt data with any of the opensc, pkcs11 or openssl commands?

Yes and no at the moment. Since the PIV was designed to be a government-issued card,
and the OpenSC code was designed for the end user, only the card issuer should know the symmetric
keys for the card. The keys would be used to provision the card, possibly to
use in place of the 9B key for authentication. This would then be vendor specific,
as NIST allows vendors to do provisioning without using NIST 800-73 commands.


The piv-tool with the -A {A|M}:ref:alg in effect does an encryption and/or decryption
using the ref=9B, it could do it with ref=9E.

So it would be possible, but OpenSC does not have much code in the PKCS#11 or PKCS#15 for using
symmetric keys on a card.

You may want to look at the NIST 800-73-4 draft that also defines secure Messaging.

http://csrc.nist.gov/publications/PubsDrafts.html

The 9E key might be used for provisioning over the network, if the card expects
the objects to be updated to be encrypted with the 9E key.


--

  Douglas E. Engert  <[hidden email]>



Re: How to use symmetric 9E key on PIV

William Roberts

The PIV standard covers detection of the 9E key and states there should be a local lookup map indicating the type of key if the certificate is empty. I'm assuming then this doesn't exist and the only way is with piv-tool?


Re: How to use symmetric 9E key on PIV

Douglas E Engert


On 12/10/2014 9:21 AM, William Roberts wrote:
> The PIV standard covers detection of the 9E key and states there should be a local lookup map indicating the type of key if the certificate is empty. I'm assuming then this doesn't exist and the only
> way is with piv-tool?

As a user would not use the 9E key (as they would already have a copy off the card), I would assume that
the "lookup table" would be provided by the card provisioner.

(With an asymmetric key, if there is no certificate on the card and the env PIV_<key>_KEY is set,
card-piv.c will load the pubkey from the file. The piv-tool genkey would have saved it there.
This is used when the card needs to sign the certificate request to get the certificate.)

What are you trying to do with a symmetric 9E key?



--

  Douglas E. Engert  <[hidden email]>



Re: How to use symmetric 9E key on PIV

William Roberts


On Wed, Dec 10, 2014 at 10:50 AM, Douglas E Engert <[hidden email]> wrote:


> What are you trying to do with a symmetric 9E key?

I was hoping to be able to encrypt some arbitrary data with it via some openssl magic. Obviously piv-tool works, or I can just format the APDUs myself and send them,
but I was hoping to leverage as much existing infrastructure as possible.
 




--
Respectfully,

William C Roberts
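Douglas describes piv-tool's `-A {A|M}:ref:alg` as an encrypt/decrypt exchange with the 9B (or 9E) key, and William mentions formatting the APDUs himself. The following added example (written for this thread, not OpenSC's or piv-tool's code) shows the framing of that exchange as NIST SP 800-73 specifies it: the GENERAL AUTHENTICATE APDU and the dynamic authentication template (tag 0x7C, with 0x81 challenge and 0x82 response) used for single external authentication. The cipher is injected as a callback and the "card" side is constructed so it runs offline; the XOR stand-in is not a PIV algorithm.

```python
# Added example for the OpenSC thread above; not OpenSC/piv-tool code.
# Frames the GENERAL AUTHENTICATE exchange piv-tool's "-A A:<ref>:<alg>"
# performs against a symmetric key reference (9B admin key, or 9E as asked
# in the thread). Tags and APDU layout follow NIST SP 800-73.

INS_GENERAL_AUTHENTICATE = 0x87
KEY_REF_ADMIN = 0x9B       # PIV card application administration key
KEY_REF_CARD_AUTH = 0x9E   # card authentication key (symmetric in this thread)
ALG_3DES, ALG_AES128 = 0x03, 0x08  # SP 800-73 algorithm identifiers


def ber_len(n):
    """BER length: one byte below 0x80, else 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value


def parse_tlvs(buf):
    """Parse a flat run of single-byte-tag BER-TLVs into {tag: value}."""
    out, i = {}, 0
    while i < len(buf):
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                      # long-form length
            n = ln & 0x7F
            ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
        out[tag], i = buf[i:i + ln], i + ln
    return out


def general_authenticate_apdu(alg, key_ref, template):
    """Short APDU: CLA 00, INS 87, P1 = alg, P2 = key ref, Lc, data, Le = 00."""
    if len(template) > 255:
        raise ValueError("template too long for a short APDU; chain it")
    return bytes([0x00, INS_GENERAL_AUTHENTICATE, alg, key_ref, len(template)]) + template + b"\x00"


def request_challenge(alg, key_ref):
    """Step 1: '7C 02 81 00' asks the card for a challenge."""
    return general_authenticate_apdu(alg, key_ref, tlv(0x7C, tlv(0x81, b"")))


def answer_challenge(alg, key_ref, card_data, encrypt):
    """Step 2: take the card's '7C L 81 L challenge', return '7C L 82 L E_k(challenge)'."""
    inner = parse_tlvs(parse_tlvs(card_data).get(0x7C, b""))
    if 0x81 not in inner:
        raise ValueError("card did not return a challenge in the 7C template")
    return general_authenticate_apdu(alg, key_ref, tlv(0x7C, tlv(0x82, encrypt(inner[0x81]))))


def demo_exchange(alg=ALG_AES128, key_ref=KEY_REF_CARD_AUTH):
    """Offline walk-through with a CONSTRUCTED card reply and a stand-in cipher
    (XOR with a constant; a real card uses 3DES/AES under the 9B/9E key)."""
    stand_in = lambda b: bytes(x ^ 0x5A for x in b)
    card_reply = tlv(0x7C, tlv(0x81, bytes(range(16))))   # constructed challenge
    return request_challenge(alg, key_ref), answer_challenge(alg, key_ref, card_reply, stand_in)
```

Because only the issuer holds the 9B/9E key material (Douglas's point), a user-side tool can build these frames but cannot complete the exchange without that key.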

