Which libraries/APIs needed?

Which libraries/APIs needed?

Markus Wernig
Hi all

I have a rather basic question on which libraries/APIs to use for
implementing the following in e.g. a C or Java program.
The basic idea is:
init:
- create 256bit key for AES-256
- create RSA keypair on token (no x.509)
- encrypt aes-key with pubkey of rsa-pair, delete cleartext version
loop:
- when needed, decrypt aes-key with private rsa key, load to memory
- perform symmetric en-/decryption with key in memory

Mainly the question is: Since the cryptographic functions on the token
(which could also be a network HSM) appear to be carried out by the
pkcs#15 driver, do I need the cryptoki API and pkcs#11 at all?

Thanks in advance for any pointer.

Here's the shellcode that should be "translated" into a compiled program:

echo "Generate AES Key"
secret=`head -c64 /dev/urandom`
openssl enc -aes-256-cbc -k "$secret" -P -md sha1 > aes.key
echo "Generate keypair on pkcs#15 storage"
pkcs15-init -G rsa/4096 -i 45 -a 01 -u sign,decrypt --pin XXX:YYY
pkcs15-tool --read-public-key 45 -o rsa.pub
echo "Encrypt AES Key"
openssl rsautl -pubin -inkey rsa.pub -encrypt -in aes.key -out aes.key.c
echo "Remove AES Key"
for i in `seq 0 7`
do
size=`stat aes.key | grep Size | awk '{print $2}'`
head -c $size /dev/urandom > aes.key
sync
sync
sleep 1
done
rm aes.key
sync
echo "Decrypt AES Key to memory (depending on shell)"
eval `pkcs15-crypt -c --pkcs1 -i aes.key.c | tr -d " "`
echo "Encrypt data"
openssl enc -K $key -iv $iv -S $salt -in data.file -out data.file.crypt -aes256
echo "Decrypt data"
openssl enc -d -K $key -iv $iv -in data.file.crypt -out data.file.decrypt -aes256
echo "Clear memory"
unset key iv salt

kind regards & thanks

Markus

PS: The above shellcode is based on
http://www.gooze.eu/howto/smartcard-quickstarter-guide/signing-crypting-and-verifying
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
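
Added example (not part of the original post): the `eval` step in the script above runs whatever text comes out of decrypting `aes.key.c`, and that file is produced with the exported public key and carries no integrity check, so a safer pattern is to parse the three expected lines strictly. The function names `is_hex` and `parse_aes_params` and the sample values are constructed for this illustration.

```shell
#!/bin/sh
# Added example: strict parser for the "salt=", "key=", "iv =" lines that
# `openssl enc -P` prints, used in place of eval on the decrypted blob.

# Constructed sample in that format (not real key material).
SAMPLE='salt=0123456789ABCDEF
key=00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF
iv =0102030405060708090A0B0C0D0E0F10'

# is_hex STRING LENGTH: succeeds only if STRING is exactly LENGTH hex digits.
is_hex() {
    [ "${#1}" -eq "$2" ] || return 1
    case "$1" in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    return 0
}

# parse_aes_params TEXT: sets key, iv and (optionally) salt in the current
# shell. Any unknown name or malformed value rejects the whole input.
parse_aes_params() {
    unset key iv salt
    _text=$(printf '%s' "$1" | tr -d ' \t\r')   # "iv =" becomes "iv="
    _ok=1
    _oldifs=$IFS                                # assumes IFS is set (the default)
    set -f                                      # no globbing while splitting
    IFS='
'
    for _line in $_text; do
        _val=${_line#*=}
        case "$_line" in
            salt=*) is_hex "$_val" 16 && salt=$_val || _ok=0 ;;
            key=*)  is_hex "$_val" 64 && key=$_val  || _ok=0 ;;   # AES-256
            iv=*)   is_hex "$_val" 32 && iv=$_val   || _ok=0 ;;   # CBC block
            *)      _ok=0 ;;
        esac
    done
    set +f
    IFS=$_oldifs
    if [ "$_ok" -eq 1 ] && [ -n "${key:-}" ] && [ -n "${iv:-}" ]; then
        return 0
    fi
    unset key iv salt
    return 1
}

# Demo on the constructed sample; prints lengths only, never the key itself.
if parse_aes_params "$SAMPLE"; then
    echo "accepted: key=${#key} hex chars, iv=${#iv} hex chars"
fi
```

Pass the decrypted text as an argument, for example `parse_aes_params "$(pkcs15-crypt -c --pkcs1 -i aes.key.c)"`, rather than piping into the function, so the variables are set in the calling shell.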

Re: Which libraries/APIs needed?

Alon Bar-Lev
Use PKCS#15 to perform the card management; it can be done using a simple script as you outlined, as it is done once.

Then use PKCS#11 to use the keys and perform the encryption/decryption, as it is a more standard API, and most likely you will be able to find a utility that does exactly what you need; refer to engine_pkcs11.

Regards,
Alon

On Tue, Dec 4, 2012 at 9:56 PM, Markus Wernig <[hidden email]> wrote:
> (which could also be a network HSM) appear to be carried out by the
> pkcs#15 driver, do I need the cryptoki API and pkcs#11 at all?



Re: Which libraries/APIs needed?

Andreas Jellinghaus-4
In reply to this post by Markus Wernig
OpenSC has a test suite that does very similar things - create a key,
take some content, hash it, sign the hash, verify it.
Or take some content, and encrypt/decrypt it, verify the result is ok.
Check that code; most of it will be very similar to
what you have, except for the smart card specific parts.

http://www.opensc-project.org/opensc/browser/OpenSC/src/tests/regression/init0009

Regards, Andreas
