Support of decryption with AES key in PKCS?

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Support of decryption with AES key in PKCS?

Nguyễn Hồng Quân
Hello

I'm the maintainer for OpenPGP support in OpenSC.

New version v2.1 of OpenPGP comes with support of decryption with AES key stored in the card. I want to add this feature to OpenSC, especially PKCS#11. My questions are:

- Can it be added to PKCS#11 code? Is C_Decrypt function the right place to do? If yes, which PKCS#11 application/tool can be used to debug and test? Mozilla apps don't let me pick a symmetric key.
- Can it be added to pkcs15 tools, the "pkcs15-crypt --decipher" command, for example? Looking into its source code, I found that the tool only lookup private keys.

Regards

--
Quân
***********************************************
* Nguyễn Hồng Quân                            *
* ☎ 093 9030 338                              *
* Facebook: ng.hong.quan                      *
* 🌏 quan.hoabinh.vn                          *
***********************************************

------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity planning
reports.http://sdm.link/zohodev2dev
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Support of decryption with AES key in PKCS?

Douglas E Engert


On 7/13/2016 5:30 AM, Nguyễn Hồng Quân wrote:
Hello

I'm the maintainer for OpenPGP support in OpenSC.

New version v2.1 of OpenPGP comes with support of decryption with AES key stored in the card. I want to add this feature to OpenSC, especially PKCS#11.

Although OpenSC was based on PKCS#11 2.20, there some extensions for v2.30 and v2.40
OpenSC only supports RSA and EC keys, but internally some cards uses AES, but only for administrative card uses, not for PKCS#11.

Start by reading the PKCS#11 2.40 standards.
https://www.oasis-open.org/standards

http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.pdf
http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/os/pkcs11-curr-v2.40-os.pdf
There are also some errata to the above.



My questions are:

- Can it be added to PKCS#11 code?

AES mechanisums  are defined in PKCS#11. PKCS#11 defines 3 types of keys, Public, Private and Secret. AES would be a Secret key.
See the pkcs11-curr-v2.40-os above, section 2.8 AES.

Is C_Decrypt function the right place to do?

Depends on the AES mechanism your token supports.

If yes, which PKCS#11 application/tool can be used to debug and test?

None that I know of. OpenSC really only deals with RSA and EC keys.

Mozilla apps don't let me pick a symmetric key.

Mozilla calls PKCS#11 modules to support smart cards. There is no Secret key smart cards that I know of for them to use.

- Can it be added to pkcs15 tools, the "pkcs15-crypt --decipher" command, for example?

 Not with out a lot more OpenSC programming.

Looking into its source code, I found that the tool only lookup private keys.

Yes RSA, GOST and EC are supported by OpenSC.

Within OpenSC, the closest thing to Secret Key support is with EC key derivation, a generic secret key is returned, and the minimal PKCS#11 interface is available to retrieve the secret key value.

pkcs11-tool.c in derive_key does:
rv = p11->C_DeriveKey(session, &mech, key, newkey_template, 5, &newkey);
The newkey is a secret key and its value is obtained.

pkcs11-tool.c can show and generate secret_keys.

src/pkcs11/framework-pkcs15.c has a pkcs15_create_secret_key but its only used for the generic secret key.


Regards

--
Quân
***********************************************
* Nguyễn Hồng Quân                            *
* ☎ 093 9030 338                              *
* Facebook: ng.hong.quan                      *
* 🌏 quan.hoabinh.vn                          *
***********************************************


------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are 
consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
J-Flow, sFlow and other flows. Make informed decisions using capacity planning
reports.http://sdm.link/zohodev2dev


_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

-- 

 Douglas E. Engert  [hidden email]
 

------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity planning
reports.http://sdm.link/zohodev2dev
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel