See below...

-----Original Message-----
From: Douglas E. Engert [mailto:deeng...@anl.gov]
Sent: Wednesday, August 22, 2012 6:27 PM
To: Witvliet, J, CDC/IV/DCOPS/I&S/HIN
Cc: opensc-devel@lists.opensc-project.org
Subject: Re: [opensc-devel] encrypt / decrypt

[SNIP]

> -----Original Message-----
>
> No, the aspect of using a symmetric key didn't slip my mind.
> That works very well when encrypting large amounts of data...
> But when the symmetric key is large (compared to the data), then the overhead
> does not justify the means. (I think)
> And you have to transfer the encrypted key as well as the encrypted data.

How short are these messages? Using PKCS#11 CKM_RSA_X_509, the size of the message must be less than the size of the modulus, and if using some padded version between 11 bytes less and maybe half the size of the modulus.

Using RSA directly on a previously sent message will produce the same encrypted output, which could be subject to examination or replay. S/MIME and CMS avoid many of these security issues and others.

-----Original Message-----

Ok Douglas,

Regarding sizes, they vary between 32B and 1KB.

Had a look at openssl smime.. Encryption seems no problem:

OpenSSL> smime -encrypt -in /root/data.txt -out /root/data.enc hwit-43.pem

But (returning to the original subject) how to specify the private key on the card?

OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/libaetpkss.so.3.0
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib/libaetpkss.so.3.0
Loaded: (pkcs11) pkcs11 engine
OpenSSL>
OpenSSL> smime -decrypt -in /root/data.enc -out /root/data.dec -engine pkcs11 -keyform ENGINE
error in smime
No recipient certificate or key specified
[Understandable...]

OpenSSL> smime -decrypt -in /root/data.enc -out /root/data.dec -engine pkcs11 -keyform ENGINE -inkey 43
engine "pkcs11" set.
Invalid slot number: 0
PKCS11_get_private_key returned NULL
cannot load signing key file from engine
2771:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
unable to load signing key file
error in smime

while pkcs11-tool -O ... shows

...
Private Key Object; RSA
  label:      Vertrouwelijkheid
  ID:         43
  Usage:      decrypt, unwrap
...

Even though I specified to use the pkcs-engine, it still seems to look for a file for the key.
Same if I specify: "-inkey id_43"

Hans

______________________________________________________________________
This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
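Douglas's two remarks about using RSA directly (the message has to fit under the modulus, about 11 bytes less with PKCS#1 v1.5 padding, and unpadded RSA gives the same ciphertext every time the same message is sent) are easy to see in a few lines of code. The block below is an added illustration, not part of the thread or of OpenSC/OpenSSL; it uses a constructed, deliberately tiny key built from two Mersenne primes (19-byte modulus) so that the size limits are visible at a glance, and the names `raw_encrypt`, `v15_encrypt`, `is_deterministic` and `max_message_bytes` are this example's own. It mimics what CKM_RSA_X_509 (raw) and the PKCS#1 v1.5 encryption padding do; it is not a drop-in for either and its unpadding is not constant-time.

```python
import os

# Constructed demo key: two Mersenne primes, far too small for real use
# (a card key like the one in the thread is 1024 or 2048 bits); the
# arithmetic and the size rules are the same at any key size.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # modular inverse, Python 3.8+
K = (N.bit_length() + 7) // 8          # modulus length in bytes (19 here)


def raw_encrypt(msg: bytes) -> bytes:
    """Textbook RSA, i.e. what PKCS#11 CKM_RSA_X_509 does: no padding at all.

    The message, read as a big-endian integer, must be smaller than N, so it
    can never exceed K bytes (and often has to be a little shorter).
    """
    m = int.from_bytes(msg, "big")
    if m >= N:
        raise ValueError("message must be numerically smaller than the modulus")
    return pow(m, E, N).to_bytes(K, "big")


def raw_decrypt(ct: bytes) -> bytes:
    """Inverse of raw_encrypt; returns the full K-byte block, leading zeros kept."""
    return pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big")


def pkcs1_v15_pad(msg: bytes) -> bytes:
    """EME-PKCS1-v1_5 block: 00 02 <PS: at least 8 random non-zero bytes> 00 M.

    The fixed 11 bytes of overhead are the '11 bytes less' mentioned above;
    the random PS is what makes two encryptions of one message differ.
    """
    if len(msg) > K - 11:
        raise ValueError(f"message too long: at most {K - 11} bytes for this modulus")
    need = K - len(msg) - 3
    ps = b""
    while len(ps) < need:
        ps += bytes(b for b in os.urandom(need) if b != 0)
    return b"\x00\x02" + ps[:need] + b"\x00" + msg


def pkcs1_v15_unpad(block: bytes) -> bytes:
    """Strip the padding; toy version, a real implementation must be constant-time."""
    if len(block) != K or block[:2] != b"\x00\x02":
        raise ValueError("bad padding")
    sep = block.find(b"\x00", 2)
    if sep < 10:                      # no separator, or PS shorter than 8 bytes
        raise ValueError("bad padding")
    return block[sep + 1:]


def v15_encrypt(msg: bytes) -> bytes:
    return raw_encrypt(pkcs1_v15_pad(msg))


def v15_decrypt(ct: bytes) -> bytes:
    return pkcs1_v15_unpad(raw_decrypt(ct))


def is_deterministic(encrypt, msg: bytes) -> bool:
    """True if encrypting the same message twice yields the same ciphertext."""
    return encrypt(msg) == encrypt(msg)


def max_message_bytes(padded: bool) -> int:
    """Upper bound on plaintext length for this modulus: K raw, K - 11 with v1.5."""
    return K - 11 if padded else K


if __name__ == "__main__":
    msg = b"REPLAYME"                 # constructed 8-byte sample message
    print("raw RSA repeats ciphertext:  ", is_deterministic(raw_encrypt, msg))
    print("PKCS#1 v1.5 repeats ciphertext:", is_deterministic(v15_encrypt, msg))
    print("v1.5 round trip ok:", v15_decrypt(v15_encrypt(msg)) == msg)
    print("limits (raw, v1.5):", max_message_bytes(False), max_message_bytes(True))
```

With this 19-byte modulus a raw encryption of the same 8-byte message produces byte-identical output every time, while the padded variant changes on every call, and anything above 8 bytes (or above 19 bytes raw) is refused outright; scaled to a real key the same rule is why a 1 KB message cannot be handed to the card's RSA key directly and why S/MIME or CMS wraps a fresh symmetric content key instead.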