The PIV standard says that the RSA encryption should be done raw and all hashing and padding is done off card. Do cards perform any check that a padding has been applied, or do they just encrypt any plaintext that is smaller than the modulus?
Respectfully,
William C Roberts

------------------------------------------------------------------------------
Dive into the World of Parallel Programming! The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
On 1/7/2015 12:42 PM, William Roberts wrote:
> The PIV standard says that the RSA encryption should be done raw and all hashing and padding is done off card, do cards perform any check that a padding has been applied, or do they just encrypt any
> plaintext that is smaller than the modulus?

The PIV only does RAW RSA which is the APDU operation for encryption and decryption. The card does not care which one you are really doing, and does not need to check the padding.

piv_validate_general_authentication is used to send the block to the card and get the response.

For RSA, 800-73-3 part 2 A4.1.1.1 and A3.1 are examples. The same APDU is used as is the data. Higher level routines in PKCS#11 or OpenSC do the padding or check the response for the padding.

--
Douglas E. Engert <[hidden email]>
So in theory if I had the pin to a card I could attack it and get the RSA private key. Ouch, I hope I am wrong.

On Wed, Jan 7, 2015 at 4:08 PM, Douglas E Engert <[hidden email]> wrote:
Respectfully,
William C Roberts
In reply to this post by William Roberts
If you know the SO key, I think you can get any extractable information from the card including the private key of RSA, but generally private keys were written to the card with the Non Extract flag set.

When I dumped my PIV card info I was able to see that the Non Extract flag was set, so even though I knew the PIN I wasn't able to extract the private key of RSA from my card.

Regards,
Sarat G
------- Original Message -------
Sender : William Roberts<[hidden email]>
Date : Jan 08, 2015 10:03 (GMT+09:00)
Title : Re: [Opensc-devel] PIV Card Padding Checks
So in theory if I had the pin to a card I could attack it and get the RSA private key. Ouch, I hope I am wrong.
On Wed, Jan 7, 2015 at 4:08 PM, Douglas E Engert <[hidden email]> wrote:
Respectfully, William C Roberts
In reply to this post by William Roberts
On 1/7/2015 7:03 PM, William Roberts wrote:
> So in theory if I had the pin to a card I could attack it and get the RSA private key. Ouch, I hope I am wrong.

What? How?

One of the attacks listed here?
http://en.wikipedia.org/wiki/RSA_(cryptosystem)

It also means that you would have to have it long enough to run some tests. The owner should notice it is missing and report it. I don't think you gain anything from attacking your own card.

Reading 800-73-3 in the examples, they do say something about padding, so the card could look to see if it is padded but the card would have to tell the difference between padding and random data.

800-78-2 also talks about padding. But the padding is added by the software.

In either case the length of the data sent to the card is the same length as the modulus.

This says why padding is critical:
http://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/

--
Douglas E. Engert <[hidden email]>
Hopefully notices. That's the security posture of piv, less than ideal.

That's what I am hoping to do, openssl has check padding functions proving it's possible to check, the card could implement an equivalent check.
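The structural check discussed in the messages above, as an added example that is not part of any of the original posts or of OpenSC: a builder and checker in C for a PKCS#1 v1.5 block that is exactly as long as the modulus. The function names, result codes and the 32-byte sample block are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes are names made up for this example. */
enum { PAD_OK = 0, PAD_BAD_LEN = -1, PAD_BAD_HEADER = -2,
       PAD_BAD_FILL = -3, PAD_NO_SEPARATOR = -4 };

/* Host side, before the raw RSA operation: build 00 01 FF..FF 00 || payload
 * so the block is exactly k bytes (k = modulus length in bytes). */
int build_type1(uint8_t *block, size_t k, const uint8_t *payload, size_t plen)
{
    if (k < 11 || plen > k - 11)
        return PAD_BAD_LEN;                 /* at least 8 fill bytes required */
    block[0] = 0x00;
    block[1] = 0x01;
    memset(block + 2, 0xFF, k - plen - 3);
    block[k - plen - 1] = 0x00;
    memcpy(block + k - plen, payload, plen);
    return PAD_OK;
}

/* Structural check of a k-byte block. bt 0x01: fill must be FF (signature
 * input). bt 0x02: fill must be nonzero (result of a raw decryption).
 * On success *off is the payload offset. Not constant-time; a production
 * type 2 check must not reveal which test failed. */
int check_pkcs1(const uint8_t *block, size_t len, size_t k, uint8_t bt, size_t *off)
{
    size_t i = 2;
    if (len != k || k < 11)
        return PAD_BAD_LEN;
    if ((bt != 0x01 && bt != 0x02) || block[0] != 0x00 || block[1] != bt)
        return PAD_BAD_HEADER;
    while (i < k && (bt == 0x01 ? block[i] == 0xFF : block[i] != 0x00))
        i++;
    if (i == k)
        return PAD_NO_SEPARATOR;
    if (block[i] != 0x00 || i - 2 < 8)
        return PAD_BAD_FILL;
    *off = i + 1;
    return PAD_OK;
}

/* Constructed sample: 4-byte stand-in payload in a 32-byte block (an
 * RSA-2048 block would be 256 bytes). mode 0 intact, 1 zero byte inside the
 * fill, 2 unpadded data. Returns the payload offset or a negative code. */
int demo(int mode)
{
    static const uint8_t payload[4] = { 0xDE, 0xAD, 0xBE, 0xEF };
    uint8_t block[32];
    size_t off = 0;
    int rc = build_type1(block, sizeof block, payload, sizeof payload);
    if (rc != PAD_OK) return rc;
    if (mode == 1) block[5] = 0x00;
    if (mode == 2) block[0] = 0x5A;
    rc = check_pkcs1(block, sizeof block, sizeof block, 0x01, &off);
    return rc == PAD_OK ? (int)off : rc;
}

int main(void)
{
    printf("intact=%d zero-in-fill=%d unpadded=%d\n", demo(0), demo(1), demo(2));
}
```

The type 1 check applies to the block handed over for a signature; for a decryption the padding is only visible in the result, which is where the type 2 check belongs.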
In reply to this post by sarat
On 1/7/2015 9:49 PM, Sarat Chandra Prasad Gingupalli wrote:
> If you know the SO key, I think you can get any extractable information from the card including the private key of RSA, but generally private keys were written to the card with the Non Extract flag set.

The PIV specs as defined in 800-73 do not define any extra flags to be written to the card. Flags returned from PKCS#15 or PKCS#11 are set by the software, based on the policies in 800-73-3 part 1.

3.1.3 X.509 Certificate for PIV Authentication
3.2.3 X.509 Certificate for Digital Signature
3.2.4 X.509 Certificate for Key Management "key pair may be escrowed"
3.2.5 X.509 Certificate for Card Authentication

> When I dumped my PIV card info I was able to see that the Non Extract flag was set, so even though I knew the PIN I wasn't able to extract the private key of RSA from my card.

This is based on trying to map 800-73 wording to PKCS#11 attributes.

The SO PIN does *NOT* let you read the private keys. It's basically the unblocking PIN. For card administration the piv-tool requires the -A option with a 3DES or AES key for the card to write data to the card.

There is no command defined in 800-73 to read or write a private key, only to generate a key on the card. But card vendors have additional commands used to write or maybe even read a private key. These commands are not part of the NIST standards.

NIST has a set of 16 test cards with different keys etc. But each set has identical data and the data including the private keys is printed in printed documentation. The set I have has Oberthur and GemAlto PIV cards. The keys must have been written to the cards.

--
Douglas E. Engert <[hidden email]>
In reply to this post by William Roberts
On 1/7/2015 10:07 PM, William Roberts wrote:
> On Jan 7, 2015 7:59 PM, "Douglas E Engert" <[hidden email]> wrote:
> > It also means that you would have to have it long enough to run some tests. The owner should notice it is
> > missing and report it. I don't think you gain anything from attacking your own card.
>
> Hopefully notices. That's the security posture of piv, less than ideal.

Not just PIV, any smartcard and the hacker has to have the PIN. You only get 10 or so tries before the card locks up.

--
Douglas E. Engert <[hidden email]>