3

I would like to do the following on a FIPS 140-3 Level 3 certified cryptographic token using PKCS#11:

  1. Generate RSA key pair on token

  2. Import AES key from multiple components

  3. Wrap and export RSA private key with AES key (PKCS#8) into file

I am trying to do it with a few FIPS 140-2 Level 3 cryptographic tokens with no success. I am getting CKR_DEVICE_ERROR.

So I am asking if it is possible to do that. Does FIPS 140-2 Level 3 compliance allow wrapping and exporting a private key from the token? Or is it just a matter of the PKCS#11 implementation?

user1563721

3 Answers

4

FIPS 140-2 does not explicitly forbid key export; what it says is that the module shall prevent unauthorized disclosure; it furthermore states that when a private key is exported from a module, it shall be done with encryption. The important word is "unauthorized": simply encrypting with an AES key is not enough; that key must also be such that it is known only to "authorized" systems or people, and this depends on a lot of other parts of FIPS 140-2. Basically, you cannot export a private key "generically" simply by virtue of having employed encryption; it must be part of some documented procedure that itself complies with the roles and constraints defined in FIPS 140-2, and has been evaluated as part of the process that allowed the module to be "certified FIPS 140-2 level 3".

To make the story short:

  • Some modules will never allow a private key to be exported, regardless of encryption.
  • Some modules will allow a private key to be exported only if, at key generation time, it was tagged as "extractable" (see the PKCS#11 "CKA_EXTRACTABLE" attribute).
  • Some modules will allow a private key to be exported but only as part of a fully-specified procedure that is covered by FIPS 140-2 level 3; in practice, this happens only for moving keys between two equally 140-2 compliant hardware modules.

It is very improbable that a certified FIPS 140-2 level 3 module allows unbounded private key export, only protected with an externally provided AES key, and is still FIPS 140-2 level 3.

Thomas Pornin
  • I understand, I have iKey4000 and CryptoMate64 for testing, where I am not able to export private key probably because it is not allowed. Could you please recommend some PKCS#11 FIPS 140-2 Level 3 where this is possible following security guidelines? I need to export private key for backup purposes. – user1563721 Mar 17 '15 at 19:17
0

Thales nShield HSMs allow wrapping of a private key. It is possible to set a key's ACL to allow wrapping of it by any key, and in that case "authorization" consists of only being able to load the private key.

When using the Thales PKCS#11 library, keys can be set to CKA_EXTRACTABLE=true to allow C_WrapKey, and in that case wrapping will be allowed by any key with CKA_WRAP permissions. (In fact private keys can be set to CKA_SENSITIVE=false, even when using FIPS 140-2 level 3, and the PKCS#11 library will wrap them to extract from the FIPS boundary and then decrypt them.)

Sample Thales FIPS certification, with link to Security Policy

armb
  • Yes, that's definitely possible on a robust HSM like nShield. I tested it on Utimaco CryptoServer. But I need to be able to do that on a small cryptographic token, USB or smartcard... and that's what I am looking for. – user1563721 Mar 18 '15 at 16:52
  • Sorry, I don't have any suggestions. But at least you now have an existence proof that a PKCS#11 implementation _can_ allow unbounded private key export, only protected with an externally provided AES key, with a FIPS 140-2 level 3 HSM. – armb Mar 18 '15 at 17:03
0

If the module you're using is FIPS 140-2 validated, I recommend you read the publicly available Security Policy. This, as well as the product documentation, should tell you if you are able to export the private key. The Security Policy is available here: http://csrc.nist.gov/groups/STM/cmvp/validation.html

It could be that the module does not support AES key wrapping in Approved mode. You will also want to make sure the AES key size you're using is large enough to match the equivalent strength of the RSA key; for example, a 128-bit AES key has an estimated lesser strength than a 4096-bit RSA key! This is against the FIPS key output requirements.

Mr. Stone
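The attribute, mechanism and key-strength conditions raised in the answers above, gathered into one pre-flight check to run before calling C_WrapKey (an added example, not code from any of the posts or from a vendor). The dictionaries stand in for values read with C_GetAttributeValue and C_GetMechanismInfo and are constructed samples; `wrap_blockers`, `rsa_strength` and `modulus_bits` are hypothetical names, and the estimate for RSA sizes not listed in SP 800-57 is assumed to be the GNFS-based formula from FIPS 140-2 Implementation Guidance 7.5.

```python
import math

# SP 800-57 Part 1 comparable strengths for the RSA modulus sizes it lists.
SP800_57 = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}

def rsa_strength(modulus_bits):
    """Strength in bits; unlisted sizes use the GNFS-based estimate (IG 7.5)."""
    if modulus_bits in SP800_57:
        return SP800_57[modulus_bits]
    l = modulus_bits * math.log(2)
    return (1.923 * l ** (1 / 3) * math.log(l) ** (2 / 3) - 4.69) / math.log(2)

def wrap_blockers(priv, modulus_bits, kek, wrap_mechs, mech="CKM_AES_KEY_WRAP_PAD"):
    """Return (problem, remedy) pairs that would make C_WrapKey(kek, priv) fail."""
    out = []
    if not priv.get("CKA_EXTRACTABLE"):
        out.append(("private key has CKA_EXTRACTABLE=false",
                    "generate a new pair with it set; false cannot be reverted"))
    if priv.get("CKA_WRAP_WITH_TRUSTED") and not kek.get("CKA_TRUSTED"):
        out.append(("private key requires a CKA_TRUSTED wrapping key",
                    "the SO must set CKA_TRUSTED on the AES key"))
    if not kek.get("CKA_WRAP"):
        out.append(("AES key lacks CKA_WRAP", "import it with CKA_WRAP=true"))
    if mech not in wrap_mechs:
        out.append((mech + " is not offered with CKF_WRAP",
                    "pick a wrap mechanism the Security Policy lists"))
    kek_bits = 8 * kek["CKA_VALUE_LEN"]
    if kek_bits < rsa_strength(modulus_bits):
        out.append(("AES-%d is weaker than the RSA-%d key" % (kek_bits, modulus_bits),
                    "use a longer AES wrapping key"))
    return out

# Constructed sample values (not from a real token).
MECHS = {"CKM_AES_CBC_PAD", "CKM_AES_KEY_WRAP_PAD"}
KEK_128 = {"CKA_WRAP": True, "CKA_VALUE_LEN": 16}
KEK_256 = {"CKA_WRAP": True, "CKA_VALUE_LEN": 32}
LOCKED = {"CKA_EXTRACTABLE": False, "CKA_SENSITIVE": True}
EXPORTABLE = {"CKA_EXTRACTABLE": True, "CKA_SENSITIVE": True}

if __name__ == "__main__":
    for name, priv, bits, kek in [("locked", LOCKED, 2048, KEK_128),
                                  ("exportable", EXPORTABLE, 4096, KEK_128),
                                  ("exportable", EXPORTABLE, 4096, KEK_256)]:
        print(name, bits, wrap_blockers(priv, bits, kek, MECHS) or "no blockers")
```

An empty result only rules out these attribute-level causes; a module whose Security Policy does not permit private key export will still refuse the wrap.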