Re: [opensc-devel] Securing a 3DES key on smartcard
On 1/1/2012 4:03 PM, Jean-Michel Pouré - GOOZE wrote:
> Dear all,
>
> Is there a way to store a 3DES key on smartcard, so it cannot be
> extracted but still be usable by OpenSSL?
>
> We wrote this:
> http://www.gooze.eu/howto/smartcard-quickstarter-guide/scenario-5-importing-3des-key
>
> pkcs11-tool -v --module /usr/lib/opensc-pkcs11.so --slot 1 --label
> "3deskey" --write-object 3des.key --type data --private --login --pin
>
> But this is not really a suitable solution to store a 3DES key securely.
> Is there a best solution?
>
> Can 3DES keys be generated on card? (I guess NO)?

It would depend on the card. Currently OpenSC does not have any secret key object support. But the ECDH git branch introduces some routines, just enough to support the creation of the secret_key object (without any key) to be used to return the secret key generated by a C_DeriveKey. Only PKCS#11 "Session Object" support was added. (The PIV card with ECDH can return such a key. I don't have any other card to use to test anything else.)

> Can 3DES keys be imported as unextractable keys (like RSA private keys)?

PKCS#11 does define CKA_EXTRACTABLE, CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE attributes for secret key objects. If it is generated on the card, you will need to extract it at least once to give to the other party, or generate it external to the card and load it on the card. If generated on the card, you could be able to extract it as a wrapped key and insert it on some other card, so only the two cards know the key. And if the card supported it, you could derive the same key on two cards using DH or ECDH, for example. (The PIV returns the ECDH derived key; it does not store it on the card, so it is not usable on the card; it just returns it, and it is not wrapped.)

> Kind regards,

-- 
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
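To make the attribute semantics Douglas names concrete (and the difference from the CKO_DATA object that the pkcs11-tool --type data command in the original question creates), here is a small software model added to this thread. It is not OpenSC or any token's code; the class and function names are my own, and only the CKR_* error names and the attribute rules come from the PKCS#11 specification.

```python
# Added illustration, not OpenSC or any token's code: a software model of the
# PKCS#11 secret-key attribute rules (CKA_SENSITIVE, CKA_EXTRACTABLE,
# CKA_ALWAYS_SENSITIVE, CKA_NEVER_EXTRACTABLE) next to a plain CKO_DATA
# object. Class/function names are my own; error strings use PKCS#11 CKR_* names.

class TokenObject:
    """One object on a simulated token: a CKO_DATA blob or a CKO_SECRET_KEY."""

    def __init__(self, value, is_key, sensitive=False, extractable=True,
                 generated_on_token=False):
        self.value = value
        self.is_key = is_key
        # CKO_DATA objects carry no key-protection attributes at all, so a
        # 3DES key stored that way is readable by anyone who can log in.
        self.sensitive = sensitive if is_key else False
        self.extractable = extractable if is_key else True
        # PKCS#11: a key imported with C_CreateObject existed in plaintext
        # outside the token, so the history flags are CK_FALSE; only a key
        # generated on the token can have them TRUE.
        self.always_sensitive = is_key and generated_on_token and sensitive
        self.never_extractable = is_key and generated_on_token and not extractable

    def set_attributes(self, sensitive=None, extractable=None):
        """C_SetAttributeValue: CKA_SENSITIVE may only go FALSE->TRUE and
        CKA_EXTRACTABLE only TRUE->FALSE. Protection tightens, never loosens."""
        if not self.is_key:
            raise ValueError("CKR_ATTRIBUTE_TYPE_INVALID: data objects have no key flags")
        if sensitive is not None:
            if self.sensitive and not sensitive:
                raise ValueError("CKR_ATTRIBUTE_READ_ONLY: cannot clear CKA_SENSITIVE")
            self.sensitive = sensitive
        if extractable is not None:
            if not self.extractable and extractable:
                raise ValueError("CKR_ATTRIBUTE_READ_ONLY: cannot re-enable CKA_EXTRACTABLE")
            self.extractable = extractable

    def read_value(self):
        """C_GetAttributeValue(CKA_VALUE): a sensitive key never leaves in the clear."""
        if self.is_key and self.sensitive:
            raise PermissionError("CKR_ATTRIBUTE_SENSITIVE")
        return self.value

    def can_wrap(self):
        """C_WrapKey is permitted only for keys with CKA_EXTRACTABLE = TRUE."""
        return self.is_key and self.extractable


def unextractable_3des(key_bytes, generated_on_token):
    """The object the question asks for: usable on-card, never readable or wrapped."""
    return TokenObject(key_bytes, is_key=True, sensitive=True,
                       extractable=False, generated_on_token=generated_on_token)
```

The model shows why the import path can never yield CKA_NEVER_EXTRACTABLE: the flag records history, and an imported key was already outside the card.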
Re: [opensc-devel] Securing a 3DES key on smartcard
2012/1/2 Jean-Michel Pouré - GOOZE:
> Dear all,
> Is there a way to store a 3DES key on smartcard, so it cannot be
> extracted but still be usable by OpenSSL?

PKCS #11 allows that, but opensc didn't support secret keys last time I checked. Symmetric keys in smart-cards could be useful for Kerberos and TLS-PSK (with C_DigestKey). However, none of those two have ever been used with such smart-cards to my knowledge.

regards,
Nikos
Re: [opensc-devel] Securing a 3DES key on smartcard
Jean-Michel Pouré - GOOZE wrote:
> Is there a way to store a 3DES key on smartcard, so it cannot be
> extracted but still be usable by OpenSSL?

Maybe some card supports it, but usually it is undesirable for performance reasons. Symmetrical ciphers are usually intended for large amounts of data, so performance is more critical than with asymmetrical, and cards are *very* slow in comparison to the CPU. When creating a signature it may be OK to have one or a small number of relatively slow operations. "RSA encryption" often uses a symmetrical cipher (AES, DES, etc.) for actual encryption of data, and then encrypts only the key for that cipher using RSA.

//Peter
[opensc-devel] Securing a 3DES key on smartcard
Dear all,

Is there a way to store a 3DES key on smartcard, so it cannot be extracted but still be usable by OpenSSL?

We wrote this:
http://www.gooze.eu/howto/smartcard-quickstarter-guide/scenario-5-importing-3des-key

pkcs11-tool -v --module /usr/lib/opensc-pkcs11.so --slot 1 --label "3deskey" --write-object 3des.key --type data --private --login --pin

But this is not really a suitable solution to store a 3DES key securely. Is there a best solution?

Can 3DES keys be generated on card? (I guess NO)?

Can 3DES keys be imported as unextractable keys (like RSA private keys)?

Kind regards,
-- 
Jean-Michel Pouré - Gooze - http://www.gooze.eu