Symmetric 9E Key


Symmetric 9E Key

William Roberts
Does anyone know how to use something like pkcs11-tool to issue an AES
256 encryption on 9E key? My card supports this, but I am trying to
figure out how to test this within higher level apps. I verified that
I can generate a GENERAL AUTH APDU and send it to the card and have
encrypted.

Thanks.

--
Respectfully,

William C Roberts

------------------------------------------------------------------------------
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: Symmetric 9E Key

Douglas E Engert


On 11/7/2014 12:49 PM, William Roberts wrote:
> Does anyone know how to use something like pkcs11-tool to issue an AES
> 256 encryption on 9E key?


Using a PIV card "Card Authentication Key" I presume.


NIST 800-78-3 Table 6-3. PIV Card Keys: Key References and Algorithms

    Card Authentication Key '9E' After 12/31/2014 '00', '03', '07', '08', '0A', '0C', '11'

Most use of the optional "Card Authentication Key" has been with certificates using RSA or ECC.

Nothing was added to OpenSC's PKCS#11 to support this.

If you are trying to test if it works, the piv-tool has the -A option. See:
man piv-tool

This should work for -M 9E:08, -M 9E:0A or -M 9E:0C. Never tried it. But part of the exchange
is to have the card encrypt data and return results. Check the opensc-debug.log

You will need the GitHub master branch, as AES is not in earlier versions.


> My card supports this, but I am trying to
> figure out how to test this within higher level apps. I verified that
> I can generate a GENERAL AUTH APDU and send it to the card and have
> encrypted.
>
> Thanks.
>

--

  Douglas E. Engert  <[hidden email]>
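
The GENERAL AUTHENTICATE exchange this thread refers to (the card encrypts a challenge and returns the result), as an added example that is not part of the original posts and is not OpenSC code. The function and macro names are hypothetical; the layout assumed is the short-length APDU with the '7C' dynamic authentication template from NIST SP 800-73, and the challenge and output are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PIV_KEY_CARD_AUTH 0x9E  /* key reference discussed in the thread */
#define PIV_ALG_AES256    0x0C  /* algorithm id, as in the 9E:0C case above */

/* Build 00 87 <alg> <key> Lc 7C L { 82 00, 81 L <challenge> } 00.
 * Returns the APDU length, or 0 if the input does not fit short encoding. */
size_t piv_build_genauth(uint8_t alg, uint8_t key, const uint8_t *chal,
                         size_t chal_len, uint8_t *out, size_t out_max)
{
    size_t tmpl = 2 + 2 + chal_len;      /* 82 00 + 81 L + challenge */
    size_t total = 5 + 2 + tmpl + 1;     /* header and Lc, 7C L, template, Le */
    if (!chal || !out || chal_len == 0 || tmpl > 0x7F || total > out_max)
        return 0;
    uint8_t *p = out;
    *p++ = 0x00; *p++ = 0x87; *p++ = alg; *p++ = key;
    *p++ = (uint8_t)(2 + tmpl);          /* Lc */
    *p++ = 0x7C; *p++ = (uint8_t)tmpl;
    *p++ = 0x82; *p++ = 0x00;            /* empty tag: ask the card for a response */
    *p++ = 0x81; *p++ = (uint8_t)chal_len;
    memcpy(p, chal, chal_len); p += chal_len;
    *p++ = 0x00;                         /* Le */
    return (size_t)(p - out);
}

/* Parse the reply 7C L { 82 L <cryptogram> } SW1 SW2.
 * Returns the cryptogram length, or -1 on a status other than 9000 or bad TLV. */
int piv_parse_genauth(const uint8_t *rsp, size_t len, uint8_t *out, size_t out_max)
{
    if (!rsp || !out || len < 6) return -1;
    if (rsp[len - 2] != 0x90 || rsp[len - 1] != 0x00) return -1;
    len -= 2;                            /* strip the status word */
    if (rsp[0] != 0x7C || rsp[1] > 0x7F || rsp[1] != len - 2) return -1;
    if (rsp[2] != 0x82 || rsp[3] > 0x7F || rsp[3] != len - 4) return -1;
    if (rsp[3] == 0 || rsp[3] > out_max) return -1;
    memcpy(out, rsp + 4, rsp[3]);
    return rsp[3];
}

int main(void)
{
    uint8_t chal[16] = {0}, apdu[64];    /* constructed challenge: one AES block */
    size_t n = piv_build_genauth(PIV_ALG_AES256, PIV_KEY_CARD_AUTH, chal, 16,
                                 apdu, sizeof apdu);
    for (size_t i = 0; i < n; i++) printf("%02X", apdu[i]);
    printf("\n");
    return n ? 0 : 1;
}
```

To confirm the key on the card is the expected one, compare the returned cryptogram with a host-side AES encryption of the same challenge using a crypto library.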



Re: Symmetric 9E Key

Douglas E Engert
In reply to this post by William Roberts
One more comment.

The OpenSC driver has no way to know if a symmetric 9E key exists
on the card, or what size it is, without trying to use it. (If it's RSA or EC,
it will (if the card admin did it correctly) have a certificate, with an SPKI
that has the pubkey and size.)

So pkcs11-tool only lists keys with certificates.
The piv-tool can use the symmetric 9B key, if present.




On 11/7/2014 12:49 PM, William Roberts wrote:
> Does anyone know how to use something like pkcs11-tool to issue an AES
> 256 encryption on 9E key? My card supports this, but I am trying to
> figure out how to test this within higher level apps. I verified that
> I can generate a GENERAL AUTH APDU and send it to the card and have
> encrypted.
>
> Thanks.
>

--

  Douglas E. Engert  <[hidden email]>



Re: Symmetric 9E Key

William Roberts
In reply to this post by Douglas E Engert


On Nov 7, 2014 11:31 AM, "Douglas E Engert" <[hidden email]> wrote:
>
>
>
> On 11/7/2014 12:49 PM, William Roberts wrote:
> > Does anyone know how to use something like pkcs11-tool to issue an AES
> > 256 encryption on 9E key?
>
>
> Using a PIV card "Card Authentication Key" I presume.
>
>
> NIST 800-78-3 Table 6-3. PIV Card Keys: Key References and Algorithms
>
>     Card Authentication Key '9E' After 12/31/2014 '00', '03', '07', '08', '0A', '0C', '11'
>
> Most use of the optional "Card Authentication Key" has been with certificates using RSA or ECC.
>
> Nothing was added to OpenSC's PKCS#11 to support this.
>
> If you are trying to test if it works, the piv-tool has the -A option. See:
> man piv-tool
>
> This should work for -M 9E:08, -M 9E:0A or -M 9E:0C. Never tried it. But part of the exchange
> is to have the card encrypt data and return results. Check the opensc-debug.log

Duh, I should have thought of this. I use this with 9B daily.

>
> You will need the GitHub master branch, as AES is not in earlier versions.

Yep, I added the support.
>
>
> > My card supports this, but I am trying to
> > figure out how to test this within higher level apps. I verified that
> > I can generate a GENERAL AUTH APDU and send it to the card and have
> > encrypted.
> >
> > Thanks.
> >
>
> --
>
>   Douglas E. Engert  <[hidden email]>
>
>