Re: wrap and unwrap key

Little more offtopic here. When I try now to load the key to the keystore with keytool I get the error: DerInputStream.getLength(): lengthTag=111, too big. So I think I have to check my decryption method again and see if the problem is there.
Right now my simple decrypt method looks like this:

EDIT: OK, it was a problem in my decryption code.

        using System.IO;
        using System.Security.Cryptography;

        // DES in ECB mode without padding, matching the mechanism used to wrap the key.
        // 'bytes' is the 8-byte DES wrapping key value (the same key loaded into the HSM);
        // the original snippet referenced it without declaring it, so it is a parameter here.
        public static byte[] Decrypt(byte[] cipherData, byte[] bytes)
        {
            using (MemoryStream ms = new MemoryStream(cipherData))
            using (DESCryptoServiceProvider cryptoProvider = new DESCryptoServiceProvider())
            {
                cryptoProvider.Key = bytes;
                cryptoProvider.Padding = PaddingMode.None;
                cryptoProvider.Mode = CipherMode.ECB;

                using (CryptoStream cs = new CryptoStream(ms, cryptoProvider.CreateDecryptor(), CryptoStreamMode.Read))
                {
                    byte[] decryptedTextBytes = new byte[cipherData.Length];
                    // CryptoStream.Read may return fewer bytes than requested, so loop until the buffer is full.
                    int total = 0;
                    while (total < decryptedTextBytes.Length)
                    {
                        int n = cs.Read(decryptedTextBytes, total, decryptedTextBytes.Length - total);
                        if (n == 0) break;
                        total += n;
                    }
                    return decryptedTextBytes;
                }
            }
        }

http://ncryptoki.com/Forums/Thread.aspx?pageid=9&t=15~-1#post96 | soojendi | Mon, 14 Mar 2011 13:47:11 GMT

Re: wrap and unwrap key

Very good.

It is the DER format of PKCS#8: http://www.rsa.com/rsalabs/node.asp?id=2130

http://ncryptoki.com/Forums/Thread.aspx?pageid=9&t=15~-1#post95 | soojendi | Mon, 14 Mar 2011 13:42:17 GMT

Re: wrap and unwrap key

The wrapped key is an RSA private key. When I look at the array in the debugger it starts with 0x30 0x82 0x02 ... So it should be ASN.1 DER format then.

http://ncryptoki.com/Forums/Thread.aspx?pageid=9&t=15~-1#post94 | soojendi | Mon, 14 Mar 2011 13:33:35 GMT

Re: wrap and unwrap key

Don't worry about the topic. It may interest other developers.

The byte array you got is the plaintext (decrypted) of the wrapped key. What is the type of the wrapped key? RSA, ECC or something else?

Usually, in most PKCS#11 modules, a wrapped key is in ASN.1 DER encoding. To check that, open your key in a hex editor and check whether it starts with 0x30 0x81 0xXX ... if so, it is ASN.1 DER encoding.

The usual format for RSA and some other keys is defined in the PKCS#n specifications (PKCS#12 for RSA key pairs, and so on).

http://ncryptoki.com/Forums/Thread.aspx?pageid=9&t=15~-1#post93 | soojendi | Mon, 14 Mar 2011 13:24:01 GMT

Re: wrap and unwrap key

Right now I wrote a simple decryption method to decrypt the wrapped key without a PKCS#11 module and I'm getting a byte array from there. I have no idea what to do with it next.
I am sorry that this topic is going a little off the NCryptoki topic but I don't know anywhere else to ask these questions..

(Why is the forum showing my post as a double post on pages 1 and 2? :P)

http://ncryptoki.com/Forums/Thread.aspx?pageid=9&t=15~-1#post92 | soojendi | Mon, 14 Mar 2011 13:16:27 GMT

Re: wrap and unwrap key

This depends on the underlying PKCS#11 module. The PKCS#11 spec says nothing about the internal format of a wrapped key and NCryptoki does nothing to the format. It simply forwards what the underlying PKCS#11 module returns.

To see the exact format you should decrypt the wrapped key yourself externally, without using a PKCS#11 module.

http://ncryptoki.com/Forums/Thread.aspx?pageid=9&t=15~-1#post90 | soojendi | Mon, 14 Mar 2011 13:08:39 GMT

Re: wrap and unwrap key

Can you please tell me what format the private key is in when I wrap it and then unwrap it in some other location. Is it DER or PEM or something else? I just want to confirm that the key is OK after wrapping and unwrapping.

http://ncryptoki.com/Forums/Thread.aspx?pageid=9&t=15~-1#post89 | soojendi | Mon, 14 Mar 2011 09:50:06 GMT

Re: wrap and unwrap key

Error 113 (wrapping key handle invalid) doesn't mean that you cannot wrap a key with a DES key.

How do you create the DES key? And the key to wrap?

Please read carefully the PKCS#11 specification. I think that you need to understand the PKCS#11 specs better:

http://wiki.ncryptoki.com/GetFile.aspx?File=%2fdocs%2fpkcs-11v2-20.pdf

http://ncryptoki.com/Forums/Thread.aspx?pageid=9&t=15~-1#post88 | soojendi | Mon, 14 Mar 2011 09:16:29 GMT

Re: wrap and unwrap key

Ok, I have been playing with it here now and it looks like I can't wrap keys with a DES key...
And exactly the error I am getting is: 0x113 wrapping key handle invalid.
EDIT: Ok, I got over this problem. Now I am facing a new one. When I try to unwrap the key I get template inconsistent. But I am giving it the bytes of the wrapped key...

http://ncryptoki.com/Forums/Thread.aspx?pageid=9&t=15~-1#post87 | soojendi | Mon, 14 Mar 2011 06:20:56 GMT

Re: wrap and unwrap key

No. Using GenerateKey you are asking the HSM to generate a new key, so you cannot set the key value.

The only way to set the key value is by using CreateObject as I explained before.

http://ncryptoki.com/Forums/Thread.aspx?pageid=9&t=15~-1#post86 | soojendi | Tue, 08 Mar 2011 14:10:31 GMT

Re: wrap and unwrap key

Thanks, one more question.. would it be the same when I use GenerateKey? When using that, can I also set the key value?

http://ncryptoki.com/Forums/Thread.aspx?pageid=9&t=15~-1#post85 | soojendi | Tue, 08 Mar 2011 13:56:12 GMT

Re: wrap and unwrap key

It's not exactly true.

When you call the Wrap method you get the encrypted wrapped key in the form of an array of bytes, not merely as an object reference. When you call the Wrap method you get the byte array containing the encrypted (wrapped) key. Then, you can do what you want with that encrypted key. To store it in another system you have to decrypt it, and you can do the decryption if you know the secret key used to encrypt (wrap) the other key (you surely know the algorithm because when you call Wrap you have specified the mechanism).

To reach your goal you should simply use your own key to wrap the other key and use an implementation of the wrapping algorithm to decrypt (unwrap) it.

If you really need that and you don't know how to do it, I can develop for you the classes you need.


This is the snippet that loads a DES secret key:

// your wrapping key
byte[] keyValue = {0x11,0x12,0x13, 0x14, 0x15,0x16,0x17,0x18};
// constructed example values for the key's identifier and label (not in the original snippet)
byte[] id = { 0x01 };
string label = "wrapping DES key";

CryptokiCollection template = new CryptokiCollection();
template.Add(new ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_SECRET_KEY));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_KEY_TYPE, Key.CKK_DES));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_ID, id));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_LABEL, label));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_TOKEN, true));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_VALUE, keyValue)); // CKA_VALUE carries the raw key bytes
template.Add(new ObjectAttribute(ObjectAttribute.CKA_PRIVATE, true));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_MODIFIABLE, false));

CryptokiObject deskey = CurrentSession.Objects.Create(template);

Regards, 

Ugo

http://ncryptoki.com/Forums/Thread.aspx?pageid=9&t=15~-1#post84 | soojendi | Tue, 08 Mar 2011 13:08:10 GMT

Re: wrap and unwrap key

Thanks for the prompt answer. That's exactly what I wanted to know. First I found this blog: http://nsayer.blogspot.com/2010/08/key-wrapping-with-hsms.html

It says that there is no possible way to see the real key. So that's why I asked here..


What you'll get is a PrivateKey. But as we've seen, PrivateKeys that you get from an HSM are just sham objects. You don't actually get to see that PrivateKey - it is merely a reference to the key in the HSM.

But now when I start thinking, the blog is about unwrapping the key with the HSM so it really doesn't apply to my case.. or maybe I'm still misunderstanding something?


EDIT: And maybe you have an example in C# of how to load the key with CreateObject..

Best regards

http://ncryptoki.com/Forums/Thread.aspx?pageid=9&t=15~-1#post83 | soojendi | Tue, 08 Mar 2011 11:36:47 GMT
Re: wrap and unwrap key

Your question is a bit hard to answer.

Generally a wrapped key can be unwrapped outside the HSM. You should use the same cryptographic algorithm you used to wrap.

You should load in the HSM a wrapping key (for example a 3DES key) by using CreateObject. Then you can generate a key pair specifying in the template CKA_EXTRACTABLE = TRUE. This flag makes the key pair wrappable (if the HSM allows wrapping of private keys). Then, you can extract the key pair by calling WrapKey specifying as the wrapping key the 3DES key above. Finally, on the other side, without the HSM, you must write a piece of code that implements the wrapping cryptographic algorithm and call your code with the wrapping key to unwrap the wrapped key.

Note about WrapKey function (as stated in the PKCS#11 specification):

C_WrapKey can be used in the following situations:
• To wrap any secret key with a public key that supports encryption and decryption.
• To wrap any secret key with any other secret key. Consideration must be given to key size and mechanism strength or the token may not allow the operation.
• To wrap a private key with any secret key.

Regards,

Ugo Chirico

http://ncryptoki.com/Forums/Thread.aspx?pageid=9&t=15~-1#post82 | soojendi | Tue, 08 Mar 2011 11:28:48 GMT
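The "other side" step of the procedure Ugo describes above, and the DER check soojendi needed later in the thread (the keytool "lengthTag ... too big" error), as an added C# example that is not NCryptoki's or either poster's code. It assumes the key was wrapped with DES or 3DES in ECB mode without padding, that the wrapping key value is the same CKA_VALUE loaded into the HSM with CreateObject, and that the plaintext is a DER-encoded PKCS#8 PrivateKeyInfo; the class and method names are my own.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not NCryptoki code. Unwraps a WrapKey blob outside the HSM with the raw
// DES/3DES key value and validates the DER before the key is handed to keytool.
public static class WrappedKeyTools
{
    // 8-byte key -> single DES, 16 or 24 bytes -> TripleDES; ECB, no padding, as in the thread.
    public static byte[] Unwrap(byte[] wrapped, byte[] wrappingKey)
    {
        if (wrapped.Length % 8 != 0) throw new ArgumentException("wrapped key must be whole 8-byte blocks");
        using (SymmetricAlgorithm alg = wrappingKey.Length == 8 ? (SymmetricAlgorithm)DES.Create() : TripleDES.Create())
        {
            alg.Key = wrappingKey;
            alg.Mode = CipherMode.ECB;
            alg.Padding = PaddingMode.None;
            using (ICryptoTransform dec = alg.CreateDecryptor())
                return dec.TransformFinalBlock(wrapped, 0, wrapped.Length);
        }
    }

    // Content length declared by the outer DER SEQUENCE (tag 0x30), or -1 if it is not DER.
    // A wrong key or mode yields random bytes here, which is what keytool reports as "lengthTag too big".
    public static int DerSequenceLength(byte[] der)
    {
        if (der.Length < 2 || der[0] != 0x30) return -1;
        int first = der[1];
        if (first < 0x80) return first;              // short form, e.g. 0x30 0x45 ...
        int lenBytes = first & 0x7F;                  // long form, e.g. 0x30 0x82 0x02 0x5C ...
        if (lenBytes == 0 || lenBytes > 4 || der.Length < 2 + lenBytes) return -1;
        int len = 0;
        for (int i = 0; i < lenBytes; i++) len = (len << 8) | der[2 + i];
        return len;
    }

    // The declared SEQUENCE must fit the decrypted buffer with less than one block left over;
    // returns exactly the DER bytes to write to disk (trailing block padding removed).
    public static byte[] TrimToDer(byte[] plain)
    {
        int len = DerSequenceLength(plain);
        if (len < 0) throw new CryptographicException("not a DER SEQUENCE; check the wrapping key and mode");
        int header = plain[1] < 0x80 ? 2 : 2 + (plain[1] & 0x7F);
        int total = header + len;
        if (total > plain.Length || plain.Length - total >= 8) throw new CryptographicException("DER length mismatch");
        byte[] der = new byte[total];
        Array.Copy(plain, der, total);
        return der;
    }
}
```

A raw DES/3DES-ECB wrapped blob carries no integrity check, so this DER sanity check is the only signal that the right wrapping key and mode were used before the bytes reach keytool.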
wrap and unwrap key

Hello, is it possible to unwrap a key outside the HSM? So I wrap the key and then send it to some location and then I unwrap it there using the key I used to wrap it?

Basically what my goal is, is to generate a keypair and then move it to another location outside the HSM. Looks like wrapping and unwrapping is the only way to do it but I can't figure out how I can unwrap the key outside the HSM to use it in the other location.

Thanks.

http://ncryptoki.com/Forums/Thread.aspx?pageid=9&t=15~-1#post81 | soojendi | Tue, 08 Mar 2011 10:58:09 GMT